Editor’s Note: Mike Chapple is associate teaching professor of information technology, analytics and operations at the University of Notre Dame’s Mendoza College of Business. The opinions expressed in this commentary are his own.
Earlier this week, Disney+ customers complained that their account information had been stolen, and reports found that thousands of accounts had indeed been compromised. Disney, meanwhile, said it found no signs of a security breach. If these thousands of valid passwords weren’t stolen from Disney servers, how did they make their way onto the dark web so quickly? Most likely, these accounts belonged to individuals who make a habit of reusing the same password across many different websites.
We all know how hard it is to remember many different passwords and, even though 91% of us know that we shouldn’t reuse passwords, 59% of us ignore expert advice and reuse the same password across multiple websites anyway, according to a 2018 survey by cybersecurity firm LastPass.
This behavior is incredibly risky because hackers know that we are creatures of habit. Once I’ve discovered that “Chapple4ever!” meets the requirements of most websites and is easy for me to remember, I’m inclined to use it on every new site that I visit. The problem is that hackers can take advantage of this knowledge and reuse stolen password files from weakly secured sites to attempt logins on more sensitive sites.
Securing your own accounts
The most likely scenario in the case of Disney+ is that hackers were waiting for the service to launch, knowing that accounts would be a hot commodity. They likely prepared themselves by compiling lists of previously compromised usernames and passwords. As soon as Disney+ launched, it’s possible they ran automated programs that tested each of those accounts on the site and discovered that thousands of people who registered on the first day reused their comfortable (but compromised!) passwords.
While most security breaches require cybersecurity investments by the company targeted in the breach, responsibility in this case rests primarily on the shoulders of Disney+ customers. The days of safely reusing passwords on multiple sites are over. We must assume that any password we use online will be compromised and avoid using it anywhere else. We should employ long, complex and unique passwords on every website that we visit.
Fortunately, this isn’t as difficult as it might sound. You don’t need to memorize 20-character passwords or keep a little black book. Modern password managers, such as LastPass, Dashlane and 1Password, simplify password security by automatically generating unique passwords for every site that you visit and then plugging those passwords into websites for you. All you need to do is remember the master password to your password vault. Each of these services is securely designed to encrypt your website passwords using your master password. The service doesn’t store your master password, reducing the risk of a compromise.
Once you’ve set up a password manager, take things a step further and enable two-factor authentication to further improve the security of your accounts. Requiring the acknowledgement of logins on your smartphone prevents someone who stole your password from using it to access your accounts. It’s a good idea to set this up for other sensitive accounts, such as those that store your financial and health records, as well.
Businesses aren’t completely off the hook
While individuals bear the most responsibility for fixing the problem of password reuse, businesses can also take steps to enhance password security. This begins at the time that a user creates a new account. The same password lists used by attackers are also available to cybersecurity teams. If a user attempts to create an account using a password that was already compromised on another site, businesses should not only require a different password, but also notify the user that their account was compromised elsewhere.
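Here is how a sign-up check against a list of previously compromised passwords can work, as an added example that is not part of the commentary and not any vendor's code. It uses the k-anonymity "range" pattern (the same one the public Pwned Passwords range service exposes): only the first five characters of the password's SHA-1 hash are sent to the lookup, and the rest of the comparison happens locally, so the breach service never sees the candidate password or its full hash. The sample breached passwords, their counts, the `local_range_lookup` stand-in and the `evaluate_new_password` policy are all constructed for this example.

```python
"""Breached-password check at account creation using the k-anonymity range pattern.

Added example; not code from the article or from any password-breach service.
BREACHED_SAMPLES and its counts are constructed. In production, local_range_lookup
would be replaced by a query to a breach corpus keyed on the 5-character SHA-1 prefix.
"""
import hashlib
from typing import Callable, Dict, List

# Constructed sample of "already compromised" passwords with made-up breach counts.
BREACHED_SAMPLES: Dict[str, int] = {
    "password": 3861493,
    "123456": 23547453,
    "Chapple4ever!": 7,  # the article's example password, pretending it leaked somewhere
}


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 digest, the form range services index on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_store(samples: Dict[str, int]) -> Dict[str, List[str]]:
    """Index breached hashes by their 5-char prefix, as a range service does."""
    store: Dict[str, List[str]] = {}
    for pw, count in samples.items():
        digest = sha1_upper(pw)
        store.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return store


RANGE_STORE = build_range_store(BREACHED_SAMPLES)
QUERIED_PREFIXES: List[str] = []  # records exactly what the lookup service gets to see


def local_range_lookup(prefix: str) -> List[str]:
    """Stand-in for the remote range endpoint: receives only a 5-char hash prefix."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly five hex characters")
    QUERIED_PREFIXES.append(prefix)
    return RANGE_STORE.get(prefix, [])


def breach_count(password: str,
                 lookup: Callable[[str], List[str]] = local_range_lookup) -> int:
    """Return how many times the password appears in the breach corpus (0 if never).

    Only the hash prefix leaves this function; the suffix comparison is local.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_new_password(password: str) -> dict:
    """Sign-up policy from the article: refuse a known-compromised password and
    tell the user it was seen in a breach elsewhere."""
    seen = breach_count(password)
    if seen:
        return {
            "accepted": False,
            "message": (f"This password appeared in {seen} breached account(s) on other "
                        "sites. Choose a different one and change it anywhere else you use it."),
        }
    return {"accepted": True, "message": "Password not found in known breaches."}


if __name__ == "__main__":
    for pw in ("password", "Chapple4ever!", "bR7#kQ2v!pLm9zXe"):
        print(pw, "->", evaluate_new_password(pw))
    print("prefixes sent to lookup service:", QUERIED_PREFIXES)
```

The check belongs at sign-up and at every password change, and the same lookup can be run quietly at login time to prompt existing users whose password has since appeared in a breach.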
In addition, website owners should watch for signs of malicious activity and automatically block suspicious login attempts. It’s normal for someone to mistype their email address or password and attempt to log into a service incorrectly a couple of times. It’s not normal for someone to attempt to log in with hundreds of different accounts. Modern intrusion prevention technology is more than capable of frustrating these brute-force attacks and at least slowing attackers down.
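The distinction the paragraph draws, a real user failing a couple of times versus one source cycling through many different accounts, is straightforward to encode as detection logic. The following is an added example written for this page, not code from the commentary or from any intrusion-prevention product. The log format, the IP addresses (documentation ranges), the five-minute window and the distinct-account threshold are all constructed assumptions.

```python
"""Flag login sources that try many distinct accounts in a short window.

Added example; not code from the article. SAMPLE_LOG is constructed, and the
WINDOW / MAX_DISTINCT_ACCOUNTS values are assumptions to tune against real traffic.
Log lines are assumed to arrive in time order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Tuple

# Constructed sample log. 198.51.100.7 is a normal user who mistypes twice and then
# succeeds; 203.0.113.9 walks through many different accounts within seconds.
SAMPLE_LOG = """\
2019-11-14T09:00:01Z ip=198.51.100.7 user=alice@example.com result=fail
2019-11-14T09:00:09Z ip=198.51.100.7 user=alice@example.com result=fail
2019-11-14T09:00:20Z ip=198.51.100.7 user=alice@example.com result=success
2019-11-14T09:01:00Z ip=203.0.113.9 user=user01@example.com result=fail
2019-11-14T09:01:01Z ip=203.0.113.9 user=user02@example.com result=fail
2019-11-14T09:01:01Z ip=203.0.113.9 user=user03@example.com result=success
2019-11-14T09:01:02Z ip=203.0.113.9 user=user04@example.com result=fail
2019-11-14T09:01:02Z ip=203.0.113.9 user=user05@example.com result=fail
2019-11-14T09:01:03Z ip=203.0.113.9 user=user06@example.com result=fail
2019-11-14T09:01:04Z ip=203.0.113.9 user=user07@example.com result=fail
2019-11-14T09:01:05Z ip=203.0.113.9 user=user08@example.com result=fail
2019-11-14T09:01:06Z ip=203.0.113.9 user=user09@example.com result=fail
2019-11-14T09:01:07Z ip=203.0.113.9 user=user10@example.com result=fail
"""

WINDOW = timedelta(minutes=5)   # assumption: look back five minutes per source address
MAX_DISTINCT_ACCOUNTS = 5       # assumption: more distinct accounts than this is suspicious


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, kv["ip"], kv["user"], kv["result"]


def detect(log_text: str) -> Dict[str, dict]:
    """Return {ip: details} for sources that exceed the distinct-account threshold.

    A source is judged on the number of *different* accounts it touches inside
    WINDOW, not on failure count, so a user who fumbles their own password is
    never flagged. Once flagged, further attempts from that source are blocked
    instead of evaluated (the automatic block the article calls for).
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged: Dict[str, dict] = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, ip, user, _result = parse_line(raw)
        if ip in flagged:
            flagged[ip]["blocked_attempts"] += 1
            continue
        window = recent[ip]
        window.append((when, user))
        while when - window[0][0] > WINDOW:   # drop attempts older than the window
            window.popleft()
        distinct = {u for _, u in window}
        if len(distinct) > MAX_DISTINCT_ACCOUNTS:
            flagged[ip] = {
                "flagged_at": when.isoformat(),
                "distinct_accounts": len(distinct),
                "blocked_attempts": 0,
            }
    return flagged


if __name__ == "__main__":
    for ip, details in detect(SAMPLE_LOG).items():
        print(f"{ip}: {details}")
```

In a real deployment the same counter would be keyed on more than the source address (attackers spread attempts across many IPs), and the block would be a rate limit or step-up challenge rather than a hard deny, but the signal that matters is the one shown: breadth of accounts per source, not depth of failures per account.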
Password reuse is a pervasive problem that threatens to undermine the security of both individuals and websites. It’s also a personal problem and depends upon each one of us to practice good password hygiene.