Do today’s organizations encourage their employees to use different passwords between work and personal accounts?
The answer is yes.
In fact, according to OneLogin’s recent survey of technology leaders, 89 percent said they encourage users to select different passwords for multiple accounts. This is very good news, especially since passwords continue to be the weakest link in cybersecurity.
The problem begins when individuals use the same password across multiple accounts, which happens quite often. Studies show that more than 75 percent of people admit they cannot remember their passwords, so a large number simply reuse the same one everywhere. This is convenient for users, but it means a criminal who obtains the email address and password from one breached site can try the same pair against other sites (a technique known as credential stuffing) and, whenever the password was reused, walk straight in.
A good example is the 2012 data breach at LinkedIn, in which criminals stole more than 110 million login credentials from the professional networking site. Among the victims was a Dropbox employee. Because that employee had used the same password for both LinkedIn and a Dropbox work account, the criminals were able to reuse the stolen LinkedIn credential against Dropbox and make off with more than 68 million Dropbox login credentials. A breach of one person's consumer account became an attack on an entire organization, purely because a personal password and a business password were the same.
Password managers can help address this problem, and many organizations deploy them. However, a password manager does not completely solve the security issue, because the password is still the only secret protecting the account. As the LinkedIn example shows, once criminals break into a service and steal its users' passwords, a stolen password can be replayed against any other account that accepts it, and no manager on the user's side can prevent that.
The good news is that Multi-Factor Authentication (MFA)—which provides another layer of protection in the event that credentials are stolen—is growing in popularity, becoming a core component of a strong identity and access management policy.
MFA is an authentication method that requires the user to present two or more verification factors to gain access to a resource, such as an application, online account, or a VPN. The factors should come from different categories (something the user knows, such as a password; something the user has, such as a phone or hardware key; something the user is, such as a fingerprint), so that a second password does not count. Because an attacker who holds the stolen password still lacks the other factor, MFA sharply decreases the likelihood that a stolen credential turns into a successful cyberattack.
The main benefit of MFA is that it enhances your organization's security by requiring users to prove their identity with more than a username and password. Usernames and passwords remain important, but they can be guessed by brute force, phished, or stolen in bulk from a breached service and replayed elsewhere. Enforcing an additional factor, such as a fingerprint or a physical hardware key, means that a stolen password by itself is no longer enough to get in. Not all factors are equally strong: a one-time code can be phished or typed into a look-alike site, whereas a hardware security key that is bound to the legitimate site's origin cannot be replayed by a phishing page.
The bottom line is that passwords continue to be the weakest link in cybersecurity, and reusing them makes attacks much easier for criminals. MFA, coupled with employee education, is a vital tool for reducing the risk of a personal breach becoming a corporate security event. Stay tuned for the next blog in our World Password Day series.