Usernames and passwords are an essential part of security. A new survey, though, shows that people, including employees, tend to reuse the same passwords across multiple online services, leaving both personal and work accounts vulnerable.
The blurring of the boundary between work and personal life may have negative consequences for both people and the organizations they work for. Reusing credentials is a much bigger problem than people realize: attackers can circumvent a company's security by using real usernames and passwords, which makes their intrusions much more difficult to spot.
The reuse of credentials is closely related to another issue, that of using easy-to-guess passwords or phrases. Bad actors might use a dictionary attack, entering commonly used credentials, or a credential stuffing attack, where leaked credentials are tried until something works.
A user could use the same password for a video streaming service at home and a Microsoft Office 365 account at work. If the video streaming service’s security is compromised and credentials are stolen, the work account is now compromised as well, even if the employee doesn’t know it.
A recent FICO (Fair Isaac Corporation) survey in the United States shows that, on average, only 41% of users are happy to use usernames and passwords for security. Moreover, 21% of all people surveyed say they reuse five or fewer passwords across all of their accounts.
The survey also revealed some interesting statistics regarding the alternatives, especially in the banking and financial sector. For example, 65% of people would be happy to provide their biometric identification, such as fingerprints, to the bank, although that percentage drops to 29% for eye scans and 37% for facial scans.
Using the same credentials on multiple systems is just one reason companies are looking at other ways to log in to their services, such as passwordless logins, biometrics, and more.
Until that future arrives, users should always use complex and unique passwords, and never reuse the same password.