Latest credential-stuffing attacks confirm we’re still reusing too many passwords

With employees reusing an average of 5 passwords each, Dailymotion, Reddit attacks leave businesses exposed

Credit: ID 79076511 © Weerapat Kiatdumrong |

This month’s successful credential-stuffing attacks against Reddit and DailyMotion may be clear reminders about the growing risk of password reuse, but yet another survey of password habits suggests that we still aren’t getting any better at protecting ourselves.

Just two-thirds of 1761 IT and IT-security practitioners polled by the Ponemon Institute agree that it is very important to protect passwords, according to the Yubico-sponsored 2019 State of Password and Authentication Security Behaviors Report.

Fully 51 percent of respondents said it is too difficult to manage passwords, even though 69 percent admit to own-goals such as sharing passwords with colleagues and 51 percent say they reuse an average of five passwords across business and personal accounts.

That widespread practice makes them sitting ducks for credential-stuffing attacks, in which long lists of pilfered username-and-password combinations are fed into various online services in an attempt to gain unauthorised access to a victim’s account.

This month’s high-profile ‘Collection #1’ breach put 773 million email address and password combinations into the public domain, adding to the billions of credentials already available online and leaving little question about how attackers were able to launch an ongoing credential-stuffing attack against Paris-based video site Dailymotion.

The “large-scale computer attack” was ongoing for some time and, the firm said in a statement, “was successfully contained following the implementation of measures to limit its scope”.

This attack came on the heels of a major credential-stuffing attack directed at discussion site Reddit, which locked out a large number of users earlier this month after the attack was detected.

A recent Akamai analysis found that the average business is being hit with 12 credential-stuffing attacks every month, while 86 percent of Australian companies said they found it difficult to tell real employees from imposters using their credentials.

The practice was costing Asia-Pacific organisations up to $28.5m annually, that report concluded – but the potential for massive compromise drives a risk profile that extends far beyond financial losses.

The Dailymotion hack “is another example of why consumers should be extra diligent when it comes to password management,” SailPoint CEO and co-founder Mark McClain said in a statement, “and how these types of breaches can potentially affect more mission critical business information.”

SailPoint’s recent 2018 Market Pulse Survey found that 80 percent of Australian respondents admitted reusing passwords across different accounts – higher than the global average of 75 percent – and 48 percent of Australian respondents used the same passwords for work and personal accounts.

“If customers used the same Dailymotion password for their other accounts,” McClain said, “it is likely the hackers may have succeeded in logging into those other accounts, including any related to their business and work activity. Not only does this put the consumer at risk, but the organisations they work for could potentially also have their sensitive information compromised.”

Just 47 percent of respondents to the Ponemon-Yubico survey said their companies are most concerned about protecting customer information, while 45 percent say they are most concerned about protecting employee information. (The ideal environment, of course, protects both with equal vigour).

Fully 63 percent of respondents said they were more concerned about the privacy and security of their personal data over the past two years, with government surveillance – named by 59 percent – the top reason why. Increased use of mobile devices (51 percent) and connected devices (40 percent) were also common reasons for becoming more concerned.

Personal experience was a common motivator to change behaviour, with 51 percent saying they had experienced a phishing attack in the past and 8 percent reporting past credential theft.

Despite their concerns, however, just 43 percent of respondents said they had changed how they manage passwords – with 47 percent using stronger passwords, 43 percent changing passwords more frequently, 41 percent adding multi-factor authentication, and 17 percent using a different and unique password for every account.

Tags password securityredditPonemon InstituteDailymotion

Show Comments