For years security folk have been preaching that users should never share the same password across multiple web sites – at online banking sites, Amazon, Ebay, Facebook, Twitter or on their Hotmail account. Apparently, most people ignore that advice.
There have been a number of studies done recently, but a new study by security firm Trusteer found that 73 percent of Web users take their online banking password and use it at other Web sites.
Clearly, this is BAD, what are you doing people!
It exposes those users to attacks that would otherwise be impossible. When people use the same password across multiple sites, hacking becomes a lot easier. If a hacker breaks into a smaller Web site – say a site created by a local online retailer – and grabs a cache of passwords, their next step is always to attack the major banking Web sites. When you consider majority of Australian consumers use any of the big 4, the odds are clearly starting to stack up in favour of the hackers.
Password overlap also creates an easy end run around sophisticated banking security technology, which is only as strong as the weakest site where the password is used. Banks might enforce strong password creation requirements, for example. But if a consumer uses a bank password it at a poorly defended small site, a hacker can break into the small site, steal the log-in information and essentially crack the bank’s systems.
Last year, analyst firm Gartner released a survey that reported similar results. It said two-thirds of consumers use the same one or two passwords across all Web sites they access.
But Avivah Litan, who directed the Gartner survey, said that choice might not be as unreasonable – or as unsafe – as it seems.
“They are making a choice for convenience over security,” she said. “They are using a cost-benefit equation … and they don’t want to try to remember 10 different passwords for everything they do. They don’t think the trade-off is worth it, honestly.”
While password sharing isn’t a safe practice complicating your life with multiple passwords isn’t exactly making it any easier. Using multiple passwords is a good idea, but said it is important for consumers to understand the risks that remain even if strong passwords are used.
The larger banks don’t rely on simple user/password combinations to identify users anymore. Numerous technologies are used including SMS passwords and key tokens. Your banking passwords should be handled with great care, and shouldn’t be shared with other Web sites.
Many online companies that store your critical personal information do not use best-of-breed security on their back end – meaning you are still at risk. A criminal who stole your Facebook credentials could easily wreak havoc with your life, so protect those accounts, too.
The vast majority of people will never create unique passwords for all their sites but a more practical goal perhaps is maintaining three “families” of passwords – one for critical financial sites, a second for sites that store your personal information, and a third for generic log-ins.
And clearly you don’t want to mix those passwords!!