Password re-use is a growing threat to security

Password re-use is a growing threat to security

CultureAI recently conducted in-depth analysis, revealing 38% of employees are logging into web applications they’ve already used elsewhere.

The examination of millions of logins uncovered this alarming trend, particularly affecting prominent platforms like Amazon, Google, and Microsoft, all of which store highly sensitive data.

CultureAI urged organisations to elevate security standards – by embracing protective measures and leveraging cutting-edge insights, sensitive data is safeguarded, and evolving threats can be mitigated. John Scott, Lead Security Researcher at CultureAI, shares his insight.

As companies use more tools and features, employee security risks grow too. Most organisations now recognise how risky email can be, but it’s not the only risk that we face when trying to protect sensitive data.

“Among the millions of logins for web applications analysed by the CultureAI platform earlier this year, we found that 38% of employees were logging in using a password they already use on other apps. Amazon, Google and Microsoft were among the most impacted apps, all of which store highly sensitive data. 

“When someone uses the same password across multiple places, it means that if one of those sites experiences a security breach, there is a significant risk of unauthorised access to other applications – an attack known as ‘credential stuffing.’ The more the password is re-used, the more opportunities there are for that password to be compromised or stolen. And once that password is known, it’s traded, sold and tried on multiple applications to see if it works elsewhere.

“So, how can we address the risk of password reuse? People are human, we will all make mistakes or sometimes take shortcuts, even though almost everyone knows they should be using strong and unique passwords. When it comes down to it, we may still choose to go with what is easy-to-remember rather than what is secure.

“MFAis another essential layer of security that’s commonplace in enterprise deployments. Even if someone’s password is compromised, the extra authentication makes it much harder for unauthorised individuals to gain access. While it’s not a silver bullet, it often acts as the final defence in many cases, so its significance should not be underestimated. 

“By utilising real-time data from browser extensions, you can get visibility into the SaaS platforms used by your workforce. This enables you to identify risky behaviours in real time, such as using weak or reused passwords, or not using Multi-Factor Authentication (MFA) or Single Sign-On (SSO).

“An effective human risk management (HRM) platform will not only pinpoint risky employee behaviours in real time but can also provide just-in-time education at the point of risk. This proactive approach empowers employees to make better security decisions when it matters most.”

Browse our latest issue

Intelligent CISO

View Magazine Archive