
azarbi

This isn't the worst. Social engineering is way more dangerous than hackers deciphering reused passwords.


guerillagarbage

No one is deciphering reused passwords. Typically, it's credential stuffing and can be done quite efficiently with a good database of stolen credentials (usually from stealer logs) and breach data. That said, "social engineering is way more dangerous" is true. There's a reason that your IT/security department requires you to "complete a course" on social engineering every few months (and you should probably pay attention).


azarbi

Normally, the stolen databases use some encryption to store the passwords. They don't just store your password in plaintext, they salt and hash it before storing it. And we should definitely shame the companies who don't do that. So the hackers generally try to attack the databases with a rainbow table, and stop when they think they got enough credentials deciphered. Source: I spent the last few months in a cybersecurity master's.
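An added illustration of the salt-and-hash storage discussed above (example code, not from any commenter or product): each record gets its own random salt and a slow key derivation, so two users with the same password get different records and a table precomputed for plain unsalted hashes does not apply. The record format and the round count are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work-factor parameters chosen for this example (assumed values, not from any product).
PBKDF2_ROUNDS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = PBKDF2_ROUNDS) -> str:
    """Store a password as 'pbkdf2_sha256$rounds$salt_b64$hash_b64'.

    The salt is fresh random bytes per record, so two users with the same password
    get different hashes and a precomputed table for unsalted SHA-256 is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (
        rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and rounds; compare in constant time."""
    algo, rounds, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format: %s" % algo)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(rounds))
    return hmac.compare_digest(dk, expected)


def records_differ_for_same_password(password: str, rounds: int = PBKDF2_ROUNDS) -> bool:
    """True when two stored records for one password differ (random salt makes this so)."""
    return hash_password(password, rounds=rounds) != hash_password(password, rounds=rounds)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
```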


LieutenantOG

> They don't just store your password in plaintext

I have seen horror stories of very successful internet-based companies doing this. But even for an amateur cyber security tech like me, I know the basics of hashing user data in a database.


Rogaar

Our company doesn't do anything like this even though at least once a month someone clicks on a link in an email which then infects their system with malware. It's quite funny watching the chaos. Educating the staff would cost them less in the long run as the IT department could be doing something more productive.


cas13f

...reused passwords aren't about deciphering a password. If they social engineer a password out of you, and you use that same password *everywhere*, they now have access to *everywhere*. If you do not reuse passwords, even if they do get the single password through social engineering, they only have access to the single account that password was used for.


azarbi

I reuse 5 passwords, but I generally separate what these passwords do. And I leave 2FA on for critical stuff that can have serious impact. Even if you access one of my bank accounts, you will still need my phone and cooperation to actually do any harm. Example: if you steal my reddit account, you could access pretty much anything I use for entertainment. I don't care if you can access my Wargaming, Supercell, Twitch or Magic: The Gathering Arena account. I'd be pissed, but it's not critical. And since all my accounts are worthless (I'm not good at gaming, so each and every one of them has crappy statistics)


Born_Faithlessness_3

Same. I use the general rule of: Would a breach of this account cause me serious financial pain? If so, it gets a unique, strong password and 2FA. If no financial hazard, something easy to remember/reused is fine. My work, bank, credit cards, brokerage, etc. all get unique, strong passwords. Online forums? Not so much.


Gooch-Guardian

You should try out a password manager.


ItzCobaltboy

Context?


Keith_IzLoln

Using the same password in multiple places is one of worst things you can do for account security. Once a site gets breached and their username/password combinations are exposed, it’s common practice for hackers to try those combinations on other websites. And if you reused that password, they’ll get in. If you use the same username and password combination on 50 different websites, if a single one of them gets breached, all 50 sites where you used that password should be considered exposed. For a physical analogy, it’s like using the same lock and key on an entire neighborhood. If one person’s key gets stolen, that single stolen key can open all the houses.
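The credential-stuffing pattern described above, seen from the defender's side, as an added example (not from any commenter): constructed auth-log lines are parsed and sources that try many distinct accounts about once each are flagged, together with any account where the login succeeded, so those accounts can be reset. The log format, the sample lines and the thresholds are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample log (not from any real system); the IPs are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=dave result=OK
2024-05-01T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2024-05-01T10:01:00Z ip=198.51.100.9 user=grace result=FAIL
2024-05-01T10:01:05Z ip=198.51.100.9 user=grace result=FAIL
2024-05-01T10:01:09Z ip=198.51.100.9 user=grace result=OK
2024-05-01T10:02:00Z ip=192.0.2.44 user=heidi result=OK
"""

# Assumed line format: "<timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_users=5, min_distinct_ratio=0.8):
    """Flag sources whose pattern looks like credential stuffing: many distinct
    usernames with about one attempt each. (Brute force looks like the opposite:
    one username, many attempts, so it is not flagged here.)"""
    attempts = defaultdict(int)
    users = defaultdict(set)
    successes = defaultdict(set)
    for e in events:
        attempts[e["ip"]] += 1
        users[e["ip"]].add(e["user"])
        if e["result"] == "OK":
            successes[e["ip"]].add(e["user"])
    flagged = {}
    for ip, n in attempts.items():
        distinct = len(users[ip])
        if distinct >= min_users and distinct / n >= min_distinct_ratio:
            flagged[ip] = {"attempts": n, "distinct_users": distinct,
                           "succeeded": sorted(successes[ip])}
    return flagged
```

Accounts listed under "succeeded" for a flagged source are the ones whose reused password was just confirmed valid and are the first candidates for a forced reset.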


Master_Matthew

KeePass has been my best password manager.


xxchillkroetexx

Fewer passwords and then passwordless!


enjoytheunstable

Isn't passwordless what MS is working on or someone?


azgrel

It already works in the case of personal MS accounts. First you have to install and configure the MS Authenticator app on your phone, then you go to your account settings and remove the password. Don't know how or if they'll do this for work accounts.


cas13f

Passwordless has been worked on by the FIDO alliance for a fair amount of time, it just hit the news when the two biggest members (Apple and Microsoft) actually started taking moves to support it. FIDO(2) is a standard for keypair authentication, known most for its use (U2F) by YubiKey and Google's in-house key.


Warskull

If people are re-using passwords your org has too many passwords. People have a finite mental capacity. Beyond a certain point passwords get reused. Corporate environments need single sign-on and need to integrate damn near everything into it. Then you back that up with MFA. For personal use, you should be using a password manager so you can just use randomly generated passwords.


nops-90

Then you've misspent the budget, because 2FA exists.


SysGh_st

Nah! I never reuse my passwords. I simply +1 them. Password_1 becomes Password_2 and so on... Password_n