Re-using Passwords Compromises Users’ Online Identity
Login data found on lists of credentials leaked after hack attacks against service providers proves that users continue to use the same ID and password for more than one online account.
By choosing to reuse passwords for more than one account, people end up leaving all those accounts vulnerable to hacking. In case of a data leak, where logins get into the wrong hands, all other accounts with the same password can be compromised.
“This highlights the longstanding security advice to use unique passwords, as criminals have become increasingly sophisticated about taking a list of usernames and passwords from one service and then ‘replaying’ that list against other major account systems,” Microsoft Account Group Program Manager Eric Doerr stressed in a blog post on July 15. “When they find matching passwords they are able to spread their abuse beyond the original account system they attacked.”
In light of recent data leaks that hit LinkedIn, Last.fm and, more recently, Skype and Yahoo, people need to know the implications of using the same password for more than one account. The moment lists with credentials are made public, Microsoft is notified to protect customers with the same login data for their Microsoft accounts.
Some of these lists are incomplete and pose no immediate threat to users, but some are complete or contain data that can help wrong-doers put together comprehensive lists that match usernames to their passwords. From that point, people’s identity is at stake.
Microsoft automatically scans these lists to see which customers may have compromised accounts, so that it can notify them. “You’d be surprised how often the lists – especially the publicly posted ones – are complete garbage with zero matches. But sometimes there are hits – on average, we see successful password matches of around 20% of matching usernames,” Eric Doerr adds.
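The scan described above, seen from a service provider's side, as an added sketch that is not Microsoft's code and not part of the original article. It assumes the leaked list uses `user:password` lines and that the provider stores salted PBKDF2 hashes; all names and sample data are constructed for illustration.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the provider's real scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def parse_leak(lines):
    """Yield (username, password) from 'user:password' lines; skip garbage."""
    for line in lines:
        user, sep, password = line.strip().partition(":")
        if sep and user and password:
            yield user.lower(), password

def scan_leak(lines, user_store):
    """Return (usernames found in our store, subset whose leaked password matches)."""
    known, reused = set(), set()
    for user, password in parse_leak(lines):
        record = user_store.get(user)
        if record is None:
            continue  # not one of our customers
        known.add(user)
        salt, stored = record
        if hmac.compare_digest(hash_password(password, salt), stored):
            reused.add(user)  # same password here as on the breached service
    return known, reused

# Constructed sample data: the store holds only salts and hashes.
USER_STORE = {
    name: (salt, hash_password(pw, salt))
    for name, pw, salt in [
        ("alice@example.com", "correct horse battery", b"salt-a"),
        ("bob@example.com", "Summer2012!", b"salt-b"),
        ("carol@example.com", "x9$Lq2#vTz", b"salt-c"),
    ]
}
# Constructed leaked list from some other service, junk lines included.
LEAK = [
    "bob@example.com:Summer2012!",
    "Carol@Example.com:password1",
    "mallory@example.net:hunter2",
    "### dump part 2 ###",
    "alice@example.com:",
]

if __name__ == "__main__":
    known, reused = scan_leak(LEAK, USER_STORE)
    print("flag for reset:", sorted(reused))
    print(f"match rate: {len(reused)}/{len(known)} matching usernames")
```

Accounts in the second set are the ones to notify and force through a password reset; the ratio of the two sets is the "matches per matching username" figure quoted above.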
To stay protected, users need to know that a company, a bank or a service provider of any kind would never send customers an e-mail asking for passwords, usernames, account information or telephone numbers. As tedious as it may seem, users need strong, unique passwords for every online account. They also need to be very careful with the data they share publicly. And of course, people ought to use a security suite at all times to take care of the aspects they can’t handle personally.