World Password Day was celebrated on May 3, and it’s a great excuse to recognize and break the habit of reusing passwords. It is estimated that at least 59 percent of all people reuse the same password for all of their accounts, from social networking sites to their most sensitive financial systems.
Security and Compliance at UMB gets reports almost weekly of credentials posted publicly that contain umaryland-related usernames and the passwords associated with those accounts on sites that have no relation to the University. If you are using the same password on your University account and those sites, you are putting University data at risk.
We are in the process of implementing multi-factor authentication using DUO, which will help prevent stolen University credentials from being used unless the person logging in can also authenticate with a second factor, such as your cellphone. Most popular internet sites also offer multi-factor authentication, but some people think it is too cumbersome to use. I certainly advocate that you should use multi-factor authentication wherever possible, from Facebook and Twitter to your personal banking accounts.
If you choose not to protect your personal sites with multi-factor authentication, you must make sure that you are not reusing passwords between accounts. This is one of the main reasons that hackers are successful in breaking into unrelated accounts; credentials posted on the internet after data breaches occurred at some of the internet’s most popular sites — Yahoo, Equifax, MyFitnessPal and Dropbox, just to name a few — were used to gain access to unrelated accounts.
There have been many reports that show why hackers are so successful in gaining access to your accounts:
- We keep using the same passwords again and again.
- Most people have 99 things to worry about every day, and passwords are typically not one of them.
- People treat work and personal accounts with the same indifference — 47 percent of users have the same password for their work and personal accounts.
- Breaches no longer faze us — 53 percent of people have not changed their password even after the announcement of a data breach at a popular site.
- My account was in that breach? Still not fazed — only 55 percent of people will change their password after finding out that their credentials were part of a data breach.
- We think our Instagram and Facebook posts are for our friends only — 51 percent of people refuse to believe that their credentials could be compromised by information shared on social media.
- We love a good, old-fashioned spreadsheet — 42 percent keep passwords in a file on a mobile device in Excel or Word.
- Most people don’t feel that they are worth a hacker’s time — 38 percent don’t think their accounts are valuable enough to a hacker.
- We’re all a little lazy. Unless IT requires us to change our password, most people are happy to continue with the same password — 39 percent say if it’s not required, they won’t do it.
Maintaining unique and strong passwords for every account is a difficult task. However, for a small fee and in some cases for free, there are password managers available that will generate strong passwords for every account you have. Most also have the capability to store personal details for those accounts and will auto-populate your username and password into websites for you. A password manager takes the guesswork out of creating unique passwords and, if your credentials are stolen at one site, keeps a hacker from using those same credentials anywhere else. It also makes it easy to change passwords in the event that one of your accounts ends up in a data breach.
In addition to using multi-factor authentication wherever possible, I strongly recommend that you investigate a password management program to manage all of your account information.