Yes, your users are reusing their passwords and user IDs. What can you do to protect your organization?

July 31, 2017
Jeff Hickman


If you’re an IT pro, you’re likely aware of the very real damage that can result from even one user’s credentials being compromised. Once attackers have a foothold in your systems, they can linger for months, steadily escalating their permissions until they find and steal your most valuable data. Many organizations are already working to strengthen their security posture against the misuse of stolen credentials. But one very real risk is typically overlooked: the social and personal credentials of our end users.

Why is this a risk? I’m sure you know first-hand about password fatigue — everyone these days is overwhelmed with the task of remembering and managing passwords. To make things easier, we take shortcuts: we choose weak or easy-to-remember (and therefore easy-to-guess!) passwords, and we also reuse credentials across sites. You can bet that at least some of your users are signing up for personal sites using their work credentials or user IDs. And the reverse is even more common — some users are almost certainly using the same passwords they use for their personal sites to access corporate resources.

Who would do this? More people than you might think. Remember the Ashley Madison hack back in August of 2015? As time.com reported, many people used their .gov and .mil email addresses to sign up for this rather salacious website. Password reuse is likely even more common; check out the study on Consumer Password Habits, the Consumer Account Security Report, and this article on Mashable on password reuse.

In short, it’s very likely that some of your users are using their work email or username to sign up for non-work services, and some are using the same passwords at work as they use for their personal websites. Those actions put your corporate resources at risk: a breach of any of those third-party sites hands an attacker a working set of credentials for your environment.

With the number of data breaches increasing year over year (see the Verizon 2017 Data Breach Investigations Report), what can you do to reduce the risk presented by password and user ID reuse? Here are several best practices that really help.

Invest in adaptive authentication

Two-factor authentication mitigates credential theft and raises the security level of authentication, but on its own it is no longer enough for truly secure authentication: a stolen password is only the attacker’s first step, and some second factors can themselves be phished or intercepted. SecureAuth, an industry leader in adaptive authentication, offers a multi-layered approach to pre-authentication risk analysis. Like the layers of a bulletproof vest, our adaptive authentication weighs multiple factors, from device recognition to SecureAuth Threat Services, to judge the legitimacy of every login attempt, even when the user presents the correct credentials. This “defense in depth” approach helps thwart attacks and prevent breaches. And because SecureAuth requires multi-factor authentication only when the assessed risk is high, it mitigates the misuse of compromised credentials without hurting usability for routine logins.

Read more on SecureAuth’s adaptive authentication.
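To make the idea concrete, here is a minimal risk-scoring login policy of the kind the paragraph above describes. This is an added example written for this post, not SecureAuth product code: the signals (enrolled device fingerprint, source IP on a threat list, country change with an impossible-travel window), their weights and the thresholds are all assumptions, and the device list and threat network are constructed sample data.

```python
"""Added example: a minimal adaptive (risk-based) login policy.

Illustrative code for this post, not SecureAuth's implementation.
All signals, weights and thresholds below are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample data: devices each user has previously enrolled, and a
# network from a (hypothetical) threat-intelligence feed. 203.0.113.0/24 is
# the TEST-NET-3 documentation range, chosen so nothing real is implicated.
KNOWN_DEVICES: Dict[str, Set[str]] = {"alice": {"fp-7c3a9e"}}
THREAT_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

RISK_DENY = 80      # assumed thresholds: deny at or above this score,
RISK_STEP_UP = 40   # require MFA at or above this one, otherwise allow


@dataclass
class LoginContext:
    username: str
    password_ok: bool                 # first-factor check already done
    device_fingerprint: str
    source_ip: str
    country: str
    last_country: Optional[str] = None
    hours_since_last_login: Optional[float] = None


@dataclass
class Decision:
    action: str                       # "deny", "step_up" or "allow"
    score: int
    reasons: List[str] = field(default_factory=list)


def score_login(ctx: LoginContext) -> Decision:
    """Turn a login context into allow / step_up / deny.

    Correct credentials are necessary but not sufficient: every risk
    signal adds to a score, and MFA is demanded only when the score is
    high, so a known device from a clean network logs in with no friction.
    """
    if not ctx.password_ok:
        return Decision("deny", 100, ["bad credentials"])

    score, reasons = 0, []

    if ctx.device_fingerprint not in KNOWN_DEVICES.get(ctx.username, set()):
        score += 40
        reasons.append("unrecognised device")

    ip = ipaddress.ip_address(ctx.source_ip)
    if any(ip in net for net in THREAT_NETWORKS):
        score += 60
        reasons.append("source IP on threat list")

    if ctx.last_country and ctx.country != ctx.last_country:
        hrs = ctx.hours_since_last_login
        if hrs is not None and hrs < 4:
            # Different country within a few hours: impossible travel.
            score += 50
            reasons.append("impossible travel")
        else:
            score += 20
            reasons.append("new country")

    if score >= RISK_DENY:
        return Decision("deny", score, reasons)
    if score >= RISK_STEP_UP:
        return Decision("step_up", score, reasons)
    return Decision("allow", score, reasons)


if __name__ == "__main__":
    routine = LoginContext("alice", True, "fp-7c3a9e", "198.51.100.7", "US", "US", 12.0)
    stolen = LoginContext("alice", True, "fp-unknown", "203.0.113.9", "US", "US", 1.0)
    print(score_login(routine))
    print(score_login(stolen))
```

The point of the structure is the last three lines of `score_login`: a valid password on an unknown device from a listed network is denied outright, the same password on an unknown device from a clean network gets a step-up MFA prompt, and the user's own enrolled device is let straight through.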

Hold regular user training & education sessions

It may seem a bit cliché, but I can’t overstate the value of getting in front of your end users on a regular basis and reminding them of best practices around passwords and access. While ignorance on the part of the end user is not an excuse for a data breach, we, as security professionals, should do everything in our power to educate end users about the impact their credential habits can have on the business.

There are a number of training tool kits and companies that offer training services. But even common-sense training from a security professional does wonders to keep best practices concerning credentials in the front of everyone’s minds.

If you have external consumers or customers who log on, it’s also useful to educate them. Being verbose in your login prompts may not be a bad thing! While you don’t want to give bad actors too much information about your login security, you do want to educate your consumers about what’s going on as they authenticate. Doing so can not only reduce your support burden but also boost your brand for being so security minded.

Be informed

Unfortunately, we tend to find out about data breaches well after they happen, and many companies would prefer to keep them quiet. IT security pros still need to stay informed about the latest breaches: not just the methods that were used and the impact on the affected company’s business, but what data was leaked. That last part is what you act on. If a breach exposes email addresses or passwords, check whether any belong to your domain or match passwords your users have set, and force resets for the accounts involved. So keep an eye on what’s happening at other organizations, and share what you can to help build a stronger and more effective IT security community.

SecureAuth helps prevent the misuse of stolen credentials. To learn more, contact us today!
