Your Employees Are Reusing Passwords – Find Out How Many

Written by

The weakest point in your corporate password security approach might just be the number of personal websites your employees use. Why? The greater the number of passwords a human has to use, the greater likelihood that they stop creating new ones and start reusing old ones.

With all of the password strength requirements on various sites, what better password to reuse than that really strong one a user made for work? “Not my employees,” you might be thinking, but the stats show otherwise.

As many as 65% of people reuse the same password for multiple or all accounts, according to a 2019 security survey conducted by Google – and it’s understandable. The average number of passwords one person has to remember is over 90, according to a 2015 study by Dashlane.

Our team’s research into user behavior supports these findings. In our survey from April 2020, we discovered that, out of 1353 respondents:

  • 45% did not consider password reuse to be serious
  • 52% share their streaming site passwords
  • 31% use the same password for streaming sites as they do for other ‘more sensitive’ accounts, such as online banking
  • 21% don’t know whether those who they share their passwords with also share with other people

Time and time again, we see the danger of password reuse when personal-use websites show up in data breaches, as it’s likely your own corporate network has users reusing these breached passwords from personal-use sites.

The 2012 Dropbox breach was the result of password reuse – a Dropbox employee’s corporate account was reused on LinkedIn (which was obtained via another breach).

Some of the top personal-use websites found in leaked databases include:

  • MySpace (359 million): In 2016, hackers gained access to usernames, passwords and email addresses from the social media platform prior to June 11 2013, when better security protocols had been implemented. This might not sound relevant until you consider how many employees may still be using a tried and trusted old password
  • LinkedIn (164 million): In May 2016, email addresses and unsalted hashes from this social media site were exposed from a 2012 attack. A hacker used credentials obtained from this attack to breach Dropbox in 2012 thanks to password reuse
  • Dubsmash (162 million): In December 2018, this video messaging app was breached. Hackers got away with lots of personal information like the location of users, usernames, passwords, phone numbers, names and more
  • Dropbox (68 million): In 2012, hackers reused a password from the LinkedIn breach to access user information including email addresses and salted hashes from this cloud file storage service
  • Adult Friend Finder (3.8 million): In May 2018, this adult dating site had both active and deleted account email addresses and password hashes exposed

So what’s an IT administrator to do?

Since you can’t (nor should you) peer over your employees’ shoulders when they create passwords for personal use websites, the next best thing is to prevent the use of breached ones on your own network.

Implement a password filter on your Active Directory that checks your employees’ passwords against a list of known breached passwords, the likes of which are recommended by groups like the National Cyber Security Center (NCSC) and the National Institute of Standards and Technology (NIST).

You could do this yourself with a DIY method like this one, or you could use a tool like Specops Password Policy to block over two billion known breached passwords.

Find out how many of your users are using known breached passwords with our free Password Auditor tool – available here.

What’s hot on Infosecurity Magazine?