Password Reuse

As soon as I got to the office this morning I read a blog post about Starwood Preferred Guest members getting their passwords hijacked by scammers. Using a tool found on a known malicious site, the scammers attempt to log in to Starwood accounts, then transfer the points balance to another Starwood account. They can also sell access to these confirmed Starwood accounts; 70,000 Starwood points sells for $3, for example. They use these tools on other sites too; Starwood was just the one mentioned. The tool uses usernames and passwords stolen from other data breaches, and it works because many people use the same username and password across multiple sites. Websites usually use our email address as the username, so the attacker only needs the password: the tool tries the passwords already associated with that email address in the breach data and, bullseye, it has access to your account. This is called password reuse, and attackers know that most people are predictable.
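The attack described above, breached email and password pairs replayed against a different site, is what defenders usually call credential stuffing. One way a site operator can spot it, shown here as an added example that is not part of the original post, is to scan the authentication log for a single source address that tries many distinct accounts in a short window with a high failure rate, and then treat the few successes from that source as accounts whose reused password has just been confirmed and must be reset. The log format, the source addresses, the account names and the thresholds below are all constructed assumptions for this example, not anything from the post.

```python
"""Credential-stuffing detection over an authentication log (added example).

Assumed, constructed log format (one event per line):
    <ISO-8601 timestamp> <source IP> <account> <LOGIN_OK|LOGIN_FAIL>
Thresholds are illustrative assumptions; tune them to the site's real traffic.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample log: one source walks through eight different accounts in
# fourteen seconds and gets two hits (the reused passwords); two ordinary users
# log in to their own accounts from their own addresses.
SAMPLE_LOG = """\
2015-03-02T09:00:01 198.51.100.7 alice@example.com LOGIN_FAIL
2015-03-02T09:00:03 198.51.100.7 bob@example.com LOGIN_FAIL
2015-03-02T09:00:05 198.51.100.7 carol@example.com LOGIN_OK
2015-03-02T09:00:07 198.51.100.7 dave@example.com LOGIN_FAIL
2015-03-02T09:00:09 198.51.100.7 erin@example.com LOGIN_FAIL
2015-03-02T09:00:11 198.51.100.7 frank@example.com LOGIN_OK
2015-03-02T09:00:13 198.51.100.7 grace@example.com LOGIN_FAIL
2015-03-02T09:00:15 198.51.100.7 heidi@example.com LOGIN_FAIL
2015-03-02T09:05:00 203.0.113.5 alice@example.com LOGIN_FAIL
2015-03-02T09:05:20 203.0.113.5 alice@example.com LOGIN_OK
2015-03-02T09:30:00 203.0.113.9 bob@example.com LOGIN_OK
"""


@dataclass
class SourceStats:
    """Per-source-address counters accumulated from the log."""
    attempts: int = 0
    failures: int = 0
    accounts: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)     # accounts that logged in
    first: Optional[datetime] = None
    last: Optional[datetime] = None


def parse_line(line: str):
    """Split one log line into (timestamp, source_ip, account, result)."""
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result


def summarize(log_text: str) -> dict:
    """Aggregate the log by source address."""
    stats: dict = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(account)
        if result == "LOGIN_FAIL":
            s.failures += 1
        else:
            s.successes.add(account)
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)
    return stats


def flag_credential_stuffing(stats: dict, min_accounts: int = 5,
                             min_fail_ratio: float = 0.6,
                             window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {source_ip: [accounts that succeeded]} for sources that tried at
    least `min_accounts` distinct accounts inside `window` with a failure ratio
    of at least `min_fail_ratio`. A real user mistyping their own password hits
    one account, so the distinct-account count is what separates the two.
    The accounts listed per flagged source are the ones to force a reset on."""
    flagged = {}
    for ip, s in stats.items():
        span = s.last - s.first
        fail_ratio = s.failures / s.attempts
        if (len(s.accounts) >= min_accounts
                and fail_ratio >= min_fail_ratio
                and span <= window):
            flagged[ip] = sorted(s.successes)
    return flagged


if __name__ == "__main__":
    for ip, accounts in flag_credential_stuffing(summarize(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing suspected; reset {accounts}")
```

The two accounts the flagged source logged into are exactly the users whose password from some other breach also worked here, so the useful response is a forced reset and a notification to those users, not just blocking the address, since the scammer in the post can move to another address and another site with the same list.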

This post is not meant to send the message you always hear on the news after a breach occurs: change your password, or use different passwords for different sites. I think everyone knows that, but human nature is to keep things easy. It occurred to me that this password reuse problem is likely more prevalent on sites that we frequent and log in to often: banks, travel rewards, kids' school sites, Amazon, etc. We like it easy, so if we can make things quick and simple we most likely will.

Further, I believe that this problem is being fueled by the rise of apps on our mobile devices. Having quick and easy access to your bank, Amazon, and stocks on your phone makes things very quick and easy, so the need for a password we can remember is escalated even more. I can buy a book on Amazon while walking around Barnes and Noble with my kids, and I can trade stocks while waiting on my drink at Starbucks. Using a password I know easily and can type on the phone quickly makes things even quicker. Password tools such as LastPass only add to the complexity for many users, so they go unused. They require an extra step most people are not willing to take, so, people being people, we continue this predictable behavior, allowing tools that rely on password reuse to work. These scammers are counting on one thing: people will be people, and people are creatures of habit.

The day will come when scammers will have to answer for their actions.  But until then, they will continue to exploit our weaknesses and cause us more stress.