This behavior is incredibly risky because hackers know that we are creatures of habit. Once I’ve discovered that “Chapple4ever!” meets the requirements of most websites and is easy for me to remember, I’m inclined to use it on every new site that I visit. The problem is that hackers can take advantage of this knowledge and reuse stolen password files from weakly secured sites to attempt logins on more sensitive sites.
The most likely scenario in the case of Disney+ is that hackers were waiting for the service to launch, knowing that accounts would be a hot commodity. They likely prepared themselves by compiling lists of previously compromised usernames and passwords. As soon as Disney+ launched, it’s possible they ran automated programs that tested each of those accounts on the site and discovered that thousands of people who registered on the first day reused their comfortable (but compromised!) passwords.
While most security breaches are best addressed by cybersecurity investments on the part of the company that was targeted, responsibility in this case rests primarily on the shoulders of Disney+ customers. The days of safely reusing passwords on multiple sites are over. We must assume that any password we use online will be compromised and avoid using it anywhere else. We should employ long, complex and unique passwords on every website that we visit.
Once you’ve set up a password manager, take things a step further and enable two-factor authentication to further improve the security of your accounts. Requiring the acknowledgement of logins on your smartphone prevents someone who stole your password from using it to access your accounts. It’s a good idea to set this up for other sensitive accounts, such as those that store your financial and health records, as well.
Businesses aren’t completely off the hook
While individuals bear the most responsibility for fixing the problem of password reuse, businesses can also take steps to enhance password security. This begins at the time that a user creates a new account. The same password lists used by attackers are also available to cybersecurity teams. If a user attempts to create an account using a password that was already compromised on another site, businesses should not only require a different password, but also notify the user that their account was compromised elsewhere.
In addition, website owners should watch for signs of malicious activity and automatically block suspicious login attempts. It’s normal for someone to mistype their email address or password and attempt to log into a service incorrectly a couple of times. It’s not normal for someone to attempt to log in with hundreds of different accounts. Modern intrusion prevention technology is more than capable of frustrating these brute force attacks and at least slowing attackers down.
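As an added illustration of the distinction drawn in this paragraph (example code, not part of the original article), here is a small Python detector run over a constructed auth log: a per-account failure counter, which a legitimate user's couple of typos never trips, beside a per-source check that flags one address cycling through many different accounts, the pattern that per-account lockouts alone miss. The log format, sample addresses and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format for this example: "<ISO timestamp> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

# Constructed sample log (chronological): a real user who mistypes twice and
# then succeeds, and one source cycling through 60 different accounts.
SAMPLE_LOG = [
    "2019-11-12T10:00:01Z src=198.51.100.7 user=alice result=FAIL",
    "2019-11-12T10:00:09Z src=198.51.100.7 user=alice result=FAIL",
    "2019-11-12T10:00:20Z src=198.51.100.7 user=alice result=OK",
] + [
    f"2019-11-12T10:01:{i:02d}Z src=203.0.113.5 user=user{i:03d} result=FAIL"
    for i in range(60)
]

def parse(line):
    # Return (timestamp, src, user, result), or None for an unrecognised line.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)

def accounts_over_failure_limit(lines, max_failures=10):
    """Per-account view: users whose consecutive failures exceed max_failures.
    A successful login resets the streak, so a few typos never trip it."""
    streak, over = defaultdict(int), set()
    for rec in filter(None, map(parse, lines)):
        _, _, user, result = rec
        streak[user] = 0 if result == "OK" else streak[user] + 1
        if streak[user] > max_failures:
            over.add(user)
    return over

def find_stuffing_sources(lines, window=timedelta(minutes=5), max_accounts=25):
    """Per-source view: sources that tried more than max_accounts distinct
    usernames within any sliding window. Returns {src: peak distinct count}."""
    recent, flagged = defaultdict(deque), {}
    for rec in filter(None, map(parse, lines)):
        ts, src, user, _ = rec
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:       # drop attempts older than the window
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct > max_accounts:
            flagged[src] = max(distinct, flagged.get(src, 0))
    return flagged
```

On the sample log the per-account check reports nothing, since no account fails more than twice, while the per-source check flags 203.0.113.5 with 60 distinct accounts in one window.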
Password reuse is a pervasive problem that threatens to undermine the security of both individuals and websites. It’s also a personal problem and depends upon each one of us to practice good password hygiene.