Most Internet users these days still haven’t fully understood the importance of establishing effective mechanisms to create secure passwords. In order to understand how complex the risk is, researchers at Virginia Tech University and Dashlane analysts have carried out one of the largest empirical studies on password reuse and modification patterns.

After examining a database of over 28 million users and their 61 million passwords, they have uncovered an alarming figure: 52% of the users studied have the same passwords (or very similar and easily hackable ones) for different services. The harm that this bad habit can cause in a business environment is quite clear, especially if a security breach in the company reveals a password that is already in use, or has been slightly modified, on other websites or business tools. With this information, the attackers could endanger the security of numerous services in the workplace.

Modifying and reusing passwords: a dangerous practice

The study, The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services, observes that reuse and modification are still relatively common strategies, despite continual warnings from the IT community. Of the 28.8 million users studied, 38% reused the same password for two different online services, and 21% of them slightly modified an old one to sign up for a new service. The study also shows that users with more passwords are more likely to reuse them, or to use variations of them.

The research shows that it is online shopping services and email accounts – both considered to be services that deal with sensitive information – where users most tend to reuse or modify their passwords. With 85% of passwords reused or slightly changed in the case of online shopping, and 62% for email, this practice is particularly worrying, since shopping services usually store credit card details and people’s home addresses. In the case of emails, it’s even more dangerous; attackers could use company email addresses to reset login details for other personal accounts (such as online banking applications).

The problem gets even worse when we take into account the risk related to reusing passwords for professional services, which also hold sensitive information belonging to both the user and the company. IT professionals must make sure that password hygiene is maintained in the workplace, reducing the burden on employees and clearly explaining the danger and costs related to bad practices or laziness. Choosing weak or recycled passwords is a danger in itself, but it could potentially be worse if employees, for lack of better options, resort to writing them on notepads or Post-Its on their desk.

The study has also shown that users reuse passwords that have been leaked in data breaches, even years after the initial leak. This means that users delay changing their passwords – the same ones that have already been used and leaked – for other services and applications, putting all their personal information at risk. Over 70% of users employed a compromised password for other services up to a year after the leak. Worse still, 40% of users reuse passwords which were leaked over 3 years previously. This indicates that leaked data poses a serious risk, and any delay in reacting to leaks or in protecting the user can be an incentive for the attacker.

Tips on keeping up company password security

At Panda Security, we care about the privacy of your data, both at home and at work. That’s why, to cope with the difficulty of memorizing endless login details, we’ve compiled a list of tips to keep you safe:

  1. There is an ever-present need to educate employees about password policies. By making staff more aware, we can ensure that:
    1. Predictable character combinations (like 012345 or qwerty) aren’t employed to modify an existing password.
    2. Passwords for different professional services are always different, not doubled up.
    3. Personal passwords aren’t used for work services, and vice versa.
  2. Websites such as Have I Been Pwned allow users to keep an eye on their email and password security, and can act as an additional step in security protocols. When a user or company is involved in a breach, it’s a very good idea to reset all passwords ASAP, and to make sure that old passwords aren’t reused for any other services.
  3. Password managers like LastPass or Dashlane can be a good way to stay on top of this tricky task, and also allow the IT team to take back control of security policies. Not only do these tools take care of remembering passwords, but they also store them, keep them safe, and tell you how strong they are.
  4. Advanced cybersecurity solutions like Panda Adaptive Defense allow you to analyze your systems continuously and completely to detect keyloggers and other types of malware, averting any attempt to steal any login details.