Password Security

Like it or not, people reuse passwords, sometimes using the same one or three across all of their accounts, and hackers know this.

During the past few years, criminals have stolen more than a billion usernames and passwords from many sites across the internet, including LinkedIn, Adobe, and Tumblr. Criminals use these stolen usernames and passwords to log in to other sites including Exchange, Google, TeamViewer, GoToMyPC, and other popular sites. Many of these log-ins succeed because people reuse their passwords.

You can check to see if your password was stolen in one of the larger breaches at https://haveibeenpwned.com. You do not need to supply your password to check. This database does not include all breaches, so even if your password is not listed as stolen, you may still be at risk.
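The reason a lookup like this can work without the site ever seeing your password is the k-anonymity scheme behind the public Pwned Passwords range API: only the first five hex characters of the password's SHA-1 hash are sent, the service returns every known hash suffix for that prefix, and the comparison happens on your own machine. The script below is an added example (not part of this notice, and not code from haveibeenpwned.com); the sample response and its counts are constructed, and the endpoint URL is the real one.

```python
import hashlib
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

# Public Pwned Passwords range endpoint: GET /range/<first 5 hex chars of SHA-1>.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password; the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the service returns for one prefix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Network fetch of the range for one hash prefix (needs internet access)."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "pw-reuse-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in the breach corpus (0 = not seen).
    Only the hash prefix reaches the service; the suffix match happens here."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts 5BAA6).
# The other suffixes and all counts are made up, not real API output.
SAMPLE_RANGE = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
])

if __name__ == "__main__":
    import getpass
    n = check_password(getpass.getpass("Password to check: "))
    print("seen %d times in known breaches" % n if n else "not found in known breaches")
```

Run it directly to query the live service for a password you type; a non-zero count means that password is in circulation and should be retired everywhere it is used.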

There is a huge amount of hacked data floating around the web. Every week you hear of another site getting hacked, and all of those credentials are advertised around the internet. But then what? What do hackers and others with bad intentions do with all of those email addresses and passwords? Among other things, they attempt to break into accounts on totally unrelated websites, and this is where the real problems begin.

Like it or not, people reuse passwords. Most people are just out there with the same password or three across all of their accounts. The hackers know this, so they are going to try and break into as many other accounts as they can using the credentials collected from a data breach. One way this is accomplished is through credential stuffing.

Credential stuffing is the automated injection of breached username/password pairs to fraudulently gain access to user accounts. This is a subset of the brute force attack category, where large numbers of compromised credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

This is a serious threat for a number of reasons:

  • It's enormously effective due to the password reuse problem.
  • It's hard for organizations to defend against because a successful “attack” is someone logging on with legitimate credentials.
  • It's easily automatable — you simply need software that will reproduce the log-on process against a target website.
  • There are readily available tools and credential lists that enable anyone to try their hand at credential stuffing.

We've all done it at one time or another, but please remember to use a separate password for each of your accounts. If you reuse any of your passwords, change them immediately. Consider using a password manager so that separate, strong passwords are created automatically for all of your accounts.

Never use your UMID password for any other site, including other UMB sites.
