InfoSec: Avoid using the same password for multiple websites

Abstract: a lot of people use the same password, or a variation of it, for logging into different websites or servers, to avoid having to remember multiple sets of credentials. Unfortunately, this backfires when one of those websites gets hacked and its password data becomes public. Attackers then try that same password against every other account the person owns, turning a potentially limited breach into a widespread one.

Additional considerations: many people designate a reusable password for "low risk" sites: sites that require compulsory registration to post a comment, sites that store no sensitive data, or sites they don't particularly care about. While this is a reasonable risk reduction tactic, it can still have negative consequences if the details from multiple "low risk" sites can be combined and used in social engineering attacks (i.e. state of residence from one site, date of birth from another, full name from a third, phone number from a fourth, and so on until there is enough data to open a credit card in your name). Another likely risk comes from a gradual increase in a site's importance to the user over time (i.e. the original "low risk" registration was done to get a free trial version of a product, but credit card details are added at a later date with the purchase of the full version). Alternatively, even if no sensitive data is stolen from you, the attacker might use the compromised accounts to impersonate you, either to damage your reputation or to social engineer your friends and relatives into sending them money.

Alternatives: there are many alternatives available for storing and accessing passwords for various websites and services from all of your devices, which eliminate the need to remember multiple passwords while helping you avoid reusing the same one on multiple websites. Apps like 1Password and LastPass let you maintain and access an online repository of all of your credentials, protected by one master password. If you are uncomfortable with storing your credentials online, there are multiple offline options available, such as PasswordSafe for PC, which stores all your credentials in a local, or network shared, encrypted container and offers convenient browser integration features. Most mobile devices also have native password management applications for local password management. Of course, with offline solutions there is the drawback of having to sync your passwords manually. Another alternative, which is my personal favorite, is PwdHash - it runs as a Firefox or Chrome plugin and lets you enter the same password when logging in to all websites, while actually replacing it with a one-way hash of your password and domain name combination. As a result, the password stored on each website is different for every site and cannot be reversed to recover your master password, even if the "plain text" password is stolen in a cyber-attack. There are also client applications for PwdHash password generation available on all major mobile platforms, and if all else fails - you can always generate it through their website and copy-paste it to log in.
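To make the per-site hashing idea concrete, here is an added illustration written for this post; it is not PwdHash's own code or algorithm. It assumes HMAC-SHA256 keyed with the master password, a base64 encoding truncated to 16 characters, and a simplified host normalisation (lower-case, strip a leading "www."), and the master password and URLs are constructed sample values. The last function shows, from the defender's side, why a site password leaked from one breach does not log the attacker into a different site.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed sample value for this illustration; not a real credential.
MASTER_PASSWORD = "correct horse battery staple"


def site_key(url: str) -> str:
    """Normalise a URL to the host name the derived password is bound to.

    Assumption: lower-casing and stripping a leading 'www.' stands in for
    the registrable-domain logic a real tool would need, so that
    'https://www.Example.com/login' and 'example.com' derive the same password.
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def derive_site_password(master: str, url: str, length: int = 16) -> str:
    """Derive a per-site password from the master password and the site's host.

    HMAC-SHA256 keyed with the master password over the normalised host is a
    one-way function: the value stored by the website reveals neither the
    master password nor the password derived for any other host.
    """
    digest = hmac.new(
        master.encode("utf-8"),
        site_key(url).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def credential_stuffing_succeeds(leaked_site_password: str, master: str, target_url: str) -> bool:
    """Model an attacker replaying a password leaked from one site against another.

    Returns True only if the leaked value equals the password the user actually
    derived for the target host, i.e. only for the site it was leaked from.
    """
    expected = derive_site_password(master, target_url)
    return hmac.compare_digest(leaked_site_password, expected)


if __name__ == "__main__":
    shop = derive_site_password(MASTER_PASSWORD, "https://www.example.com/login")
    forum = derive_site_password(MASTER_PASSWORD, "https://forum.example.org/")
    print("shop password :", shop)
    print("forum password:", forum)
    print("leaked shop password works on forum?",
          credential_stuffing_succeeds(shop, MASTER_PASSWORD, "https://forum.example.org/"))
```

Because the derivation is deterministic, the same master password and host always yield the same site password, so nothing needs to be synced between devices; the trade-off is that sites with unusual password rules (mandatory symbols, short maximum lengths) may need a post-processing step, and a real tool must pin the derivation to the registrable domain rather than a look-alike host.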

Conclusion: reusing the same password for multiple accounts is a very appealing and convenient option, especially for accounts perceived as low risk. However, the risks of data theft, identity theft and reputation loss through impersonation make this an unsafe practice in this day and age of nearly daily website and service compromises. With secure alternatives such as PwdHash, PasswordSafe, LastPass and 1Password, moving away from password reuse is easy and (mostly) free, and might save you and your employer a lot of time and hardship in the next multi-million-account service cyber-attack.
