Cyber Hygiene and Password Reuse
By Chris Nims, CISO and Paranoid in Chief
Cyber hygiene is always critical, but it's Cybersecurity Awareness Month, so it's an appropriate time to remind everyone what we can collectively be doing to stay secure. We, at Oath, play a role, as do each of our users, individually.
More and more of our lives happen in a logged-in experience, leaving us with a growing list of things to keep track of to keep our digital lives secure: knowing how to identify phishing emails, keeping all of your devices patched, and paying attention to whether we're on a secure Wi-Fi network, to name a few. And one study shows how this checklist multiplies when you account for the various types of accounts we keep today, spanning banking, health, utilities, email and more. I know I have hundreds!
So, not surprisingly, the last thing a user wants to deal with is passwords. As humans, we tend to be creatures of habit, and one bad habit many of us share is reusing the same password across many different accounts. Yes, passwords are annoying, but it's important to treat them seriously, because they can be simple to bypass and too easily forgotten.
We try to make life easier for as many of our users as possible. For example, Yahoo users can use Yahoo Account Key instead of having to remember a password. That's right, you can ditch the password kerfuffle altogether and embrace the no-password life! For services that don't offer an alternative to passwords, a password manager is a good option, since it encourages a unique, strong password for each online account.
We're doing our part too. Unlike your doctor saying that you need to cut back on the burgers because your cholesterol is high, the Paranoids--our global security team--are doing some of the dieting for you when it comes to those bad password reuse habits. And let's be honest, every one of us has reused a password.
To help reduce the risk from this bad habit, we engage in what we call third-party account remediation. The internet is rife with data dumps, typically collections of usernames and passwords. They come from many sources, such as the output of phishing campaigns, databases stolen from hacked companies, and compromised authentication tokens, and they primarily show up on the dark web. We proactively obtain these lists. If we see one of our users' usernames in a list, we check whether the leaked password matches the password on some of our brands, such as Yahoo and AOL. If the credential matches, we require you to change your password so the account cannot be accessed by an adversary, and we won't let you use that password again in the future.
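The remediation pass described above, as an added illustration that is not Oath's own code: leaked "username:password" lines are checked against salted password hashes (never stored plaintext), matching accounts are flagged for a forced reset, and the compromised password's hash is retained so a later reset cannot reuse it. The account store, dump lines and PBKDF2 parameters are all constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor, an assumed value for this example

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_account(password: str) -> dict:
    """Constructed account record: salted hash, reset flag, compromised (salt, hash) pairs."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": pw_hash(password, salt), "must_reset": False, "compromised": []}

# Constructed sample data: two accounts and a third-party dump in "user:password" form.
ACCOUNTS = {"alice@example.com": make_account("Tr0ub4dor&3"),
            "bob@example.com": make_account("correct horse battery staple")}
DUMP = """alice@example.com:Tr0ub4dor&3
bob@example.com:not-bobs-password
carol@example.com:hunter2
garbage line with no separator
"""

def remediate(accounts: dict, dump_text: str) -> list:
    """Flag accounts whose current password sits beside their username in the dump."""
    hits = []
    for line in dump_text.splitlines():
        if ":" not in line:
            continue  # tolerate malformed dump lines
        user, leaked = line.split(":", 1)
        user = user.strip().lower()
        acct = accounts.get(user)
        if acct is None:
            continue  # not one of our users
        if hmac.compare_digest(pw_hash(leaked, acct["salt"]), acct["hash"]):
            acct["must_reset"] = True
            acct["compromised"].append((acct["salt"], acct["hash"]))  # keep the hash only, never plaintext
            hits.append(user)
    return hits

def set_password(accounts: dict, user: str, new_password: str) -> bool:
    """Reject a new password matching any compromised one; otherwise store it under a fresh salt."""
    acct = accounts[user]
    for salt, digest in acct["compromised"]:
        if hmac.compare_digest(pw_hash(new_password, salt), digest):
            return False
    acct["salt"] = os.urandom(16)
    acct["hash"] = pw_hash(new_password, acct["salt"])
    acct["must_reset"] = False
    return True
```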
This is a practice we've been following for some time. In fact, since 2016 we've processed hundreds of millions of account credentials each year from third-party platforms and have seen about a 3% match rate. That means we have protected tens of millions of our users from having their accounts compromised due to password reuse.
Moral of the story: definitely take time to sign up for Yahoo Account Key. For your other sites, get a password manager to help avoid password reuse, or remembering a password at all. And, unlike your doctor, know that we're working behind the scenes as well to help mitigate those bad password habits.