
Reusing Passwords on Multiple Sites

Two high-profile breaches have resurfaced in the media again along with a newly announced breach. LinkedIn was breached in 2012, Tumblr in 2013 and most recently MySpace in June 2016. If you had accounts at any of these sites, you may have been advised to change your password, and as a good cyber citizen, you probably logged on and made the obligatory password change. But did you think through the consequences?

The person or group behind the breach(es) has your username, probably your email address and password, and possibly additional personal information. Banking on the fact that between 31% [1] and 55% [2] of people use the same password at multiple sites, cyber criminals can try those same credentials at other popular sites (a technique known as credential stuffing). Additionally, someone is actively selling this information on the “dark web” for between $2,200 (5 bitcoins) [3] and $2,800 (6 bitcoins) [4].

What Should You Do To Manage Your Accounts?

If the site offers enhanced security, enable it. Have the site send you alerts, or prompt you for additional information, when you log in from a new computer or location. This is particularly important for high-value accounts such as banking or other financial accounts and email, to name a few.

If available, enable two-factor authentication. Many social media sites have begun to provide this feature. If it’s available, use it to protect yourself, your family and your friends.

Identify where else you may have used this password and change the password at all of those sites. This may be a painful and tedious process, but think of the ramifications and impact if someone else can log on to or take ownership of these accounts.

Not all accounts require new passwords. Some accounts exist only for the benefit of the website owner; for instance, a site may require you to set up an account just to download a whitepaper. In that case you probably don’t need to change the password, but make sure you didn’t provide other information worth protecting before making that final decision.

Finally, if you no longer require the account, and the option is available, delete the account. It’s one less account to support and maintain.

[1] http://www.infoworld.com/article/2623504/data-security/study-finds-high-rate-of-password-reuse-among-users.html

[2] https://nakedsecurity.sophos.com/2013/04/23/users-same-password-most-websites/

[3] https://motherboard.vice.com/read/another-day-another-hack-117-million-linkedin-emails-and-password

[4] http://motherboard.vice.com/read/427-million-myspace-passwords-emails-data-breach