The password-reuse attack

There was news very recently about an online storage provider named Carbonite being “breached” through a password reuse attack. What might that be?

It is just what it sounds like: an attacker reusing a password that they already have. This obviously requires no technical skills. One doesn’t have to “hack” in order to carry out a password reuse attack.

Is this even an attack? How did the attacker get hold of the password in the first place? The credentials came from an actual attack, carried out by people who, at least at that point, did have technical skills. They would have tried hacking a popular site or application (a recently publicised example: LinkedIn). If they were successful, they may have obtained the usernames and passwords of a large number of users. It appears that Mark Zuckerberg’s Twitter and Pinterest accounts were accessed this way.

Given that they already had this list of credentials, they could proceed to try each username – password combination on other sites. How many people can honestly say that they do not use the same credentials on at least a few sites?

What can you do to prevent this?

Simple and obvious: use different passwords for different sites. Do not reuse them.

But I can’t remember so many different passwords!

Of course you can’t. And you shouldn’t try! Use a password manager. I have written a whole bunch of articles about them. Once you start, you can safely give up on remembering dozens of long and complex passwords.
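One way to check whether you are exposed to exactly this attack is to audit your own password manager’s export for repeats. The script below is an added example written for this post, not the author’s code; it assumes a CSV export with `name,url,username,password` columns (the sample rows are constructed) and groups entries by a hash of the password so the report never echoes the plaintext.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export in the common "name,url,username,password" layout.
SAMPLE_EXPORT = """name,url,username,password
Mail,https://mail.example,alice@example.com,Tr0ub4dor&3
Shop,https://shop.example,alice@example.com,Tr0ub4dor&3
Forum,https://forum.example,alice,Tr0ub4dor&3
Bank,https://bank.example,alice@example.com,correct horse battery staple
"""


def fingerprint(password):
    """Short SHA-256 prefix so entries can be grouped without printing the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reused_passwords(export_csv):
    """Map each reused password's fingerprint to the list of sites that share it.
    Passwords used by only one entry are dropped from the result."""
    shared = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        shared[fingerprint(row["password"])].append(row["name"])
    return {fp: sites for fp, sites in shared.items() if len(sites) > 1}


def find_reused_credentials(export_csv):
    """Same check keyed on the (username, password) pair: the exact combination
    an attacker replays from a breach dump against other sites."""
    shared = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        key = (row["username"], fingerprint(row["password"]))
        shared[key].append(row["name"])
    return {pair: sites for pair, sites in shared.items() if len(sites) > 1}


if __name__ == "__main__":
    for fp, sites in find_reused_passwords(SAMPLE_EXPORT).items():
        print(f"password {fp}... is shared by: {', '.join(sites)}")
    for (user, fp), sites in find_reused_credentials(SAMPLE_EXPORT).items():
        print(f"credential pair {user} / {fp}... is reused on: {', '.join(sites)}")
```

Every site listed together in the second report is one that falls to a single leaked credential pair; change those passwords first.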

Lessons from Target on password complexity
Choosing your password manager
Passwords ain’t nothing but trouble