Reusing Passwords on Multiple Sites

Two high-profile breaches have resurfaced in the media, along with a newly announced one. LinkedIn was breached in 2012, Tumblr in 2013 and, most recently, MySpace in June 2016. If you had accounts at any of these sites, you may have been advised to change your password, and as a good cyber citizen, you probably logged on and made the obligatory password change. But did you think through the consequences?

The malevolent person or group behind the breach(es) has your username, possibly your email address and password, and probably additional personal information. Banking on the fact that between 31% [1] and 55% [2] of people use the same password at multiple sites, cyber criminals can use this information to log in with the same credentials at other popular sites. Additionally, someone is actively selling this information on the “dark web” for between $2,200 (5 bitcoins) [3] and $2,800 (6 bitcoins) [4].

What Should You Do To Manage Your Accounts?

If the site has enhanced security, enable it. Have the site send you alerts, or prompt you for additional information, when you log in from a new computer or location. This is particularly important for high-value accounts such as banking or other financial accounts and email.
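The "alert or prompt on a new computer or location" control described above, seen from the site's side, as an added Python example that is not CIS code; the event fields, the set of high-value account types and the sample sign-ins are all constructed assumptions.

```python
"""Added example (not CIS code): the 'alert or prompt on a new computer or location' check."""
from dataclasses import dataclass, field
# Account types the post calls high-value (assumed set): a correct password from an
# unseen device or place gets a step-up prompt here instead of only an alert.
HIGH_VALUE = {"bank", "email"}

@dataclass(frozen=True)
class LoginEvent:
    user: str
    device_id: str     # assumed: cookie or hardware-backed device identifier
    country: str       # assumed: coarse location derived from the source IP
    account_type: str  # "bank", "email", "social", ...

@dataclass
class LoginMonitor:
    known: dict = field(default_factory=dict)  # user -> (devices seen, countries seen)

    def _remember(self, ev: LoginEvent) -> None:
        devices, countries = self.known.setdefault(ev.user, (set(), set()))
        devices.add(ev.device_id)
        countries.add(ev.country)

    def evaluate(self, ev: LoginEvent) -> str:
        """Decide 'allow', 'alert' or 'step_up' for a sign-in whose password was correct."""
        devices, countries = self.known.get(ev.user, (set(), set()))
        if not devices or (ev.device_id in devices and ev.country in countries):
            self._remember(ev)          # first sign-in, or a device and place seen before
            return "allow"
        # Correct credentials from somewhere new is exactly what a reused,
        # breached password looks like when it is tried against this site.
        if ev.account_type in HIGH_VALUE:
            return "step_up"            # not trusted until confirm() is called
        self._remember(ev)              # lower value: let it in, but notify the user
        return "alert"

    def confirm(self, ev: LoginEvent) -> None:
        """Call after the user passes the extra check; device and place become trusted."""
        self._remember(ev)

SAMPLE_EVENTS = [  # constructed sign-ins: alice's social account, bob's bank account
    LoginEvent("alice", "laptop-1", "US", "social"),  # baseline -> allow
    LoginEvent("alice", "laptop-1", "US", "social"),  # known device/place -> allow
    LoginEvent("alice", "phone-7", "US", "social"),   # new device -> alert
    LoginEvent("bob", "desk-2", "US", "bank"),        # baseline -> allow
    LoginEvent("bob", "unknown-3", "DE", "bank"),     # new device and place -> step_up
]

def run(events=SAMPLE_EVENTS) -> list:
    monitor = LoginMonitor()  # one monitor so earlier events build the baseline
    return [monitor.evaluate(ev) for ev in events]
```

A real deployment would persist the per-user baseline and expire stale devices; the point here is that a correct password alone does not settle the decision.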

If available, enable two-factor authentication. Many social media accounts have begun to provide this feature. If it’s available, use it to protect yourself, family and friends.

Identify where else you may have used this password and change it at all the other sites. This may be a painful and tedious process, but think of the ramifications and impact if someone else can log on to or take ownership of these accounts.

Not all accounts require new passwords. Some accounts exist only for the benefit of the website owner; for instance, you may be required to set up an account to download a whitepaper. In this case, you probably don’t need to change the password, but make sure you didn’t provide other information worth protecting before making that final decision.

Finally, if you no longer require the account, and the option is available, delete the account. It’s one less account to support and maintain.

[1] http://www.infoworld.com/article/2623504/data-security/study-finds-high-rate-of-password-reuse-among-users.html

[2] https://nakedsecurity.sophos.com/2013/04/23/users-same-password-most-websites/

[3] https://motherboard.vice.com/read/another-day-another-hack-117-million-linkedin-emails-and-password

[4] http://motherboard.vice.com/read/427-million-myspace-passwords-emails-data-breach