Personal Passwords At Work

Although big companies such as Microsoft are trying to eradicate the need for passwords, they still secure our accounts and systems today.

Because these passwords help to secure our accounts, they are often come with a set of “rules”. Things like complexity, length, special characters and how often you need to change them.

NIST recently said that you should change your password less often and instead focus on creating a secure password. If you create a strong password which is lengthy and complex, you shouldn’t need to change it until it becomes comprised.

This is great but can create a recycle problem. A user may use the same password across multiple accounts as they deem it to be “safe”. Reusing passwords is advised against on a personal level but when this crosses over to your workplace, the risk becomes shared.

The reason being that ‘security is in the eye of the beholder’.

Say you come up with a secure password for your work account, something like: EggsandBeans4.Dinner!

Your company has all of these controls in place to keep that password secure. They chuck “heeps” of money at security to ensure that no unauthorised access is granted to the network/systems and that all their data is secure. They also have the capability to alert and protect against any brute force attempts (Someone guessing your password).

In your personal time, you signup for a online shopping account with the same password you use for work. This company has none of the security your company has. You use your personal email address. You use this email address for your social media accounts such as Facebook and LinkedIn. This is pretty standard as you wouldn’t create a new email address for say Facebook and another for Twitter.

Suddenly that shopping company has a breach and their users credentials are stolen. This includes yours. Now the company “should” inform you of the breach but what if they didn’t? could you say that you have ever checked or have signed up to https://haveibeenpwned.com/ ?

The hacker behind the breach will most likely publish or sell your credentials online.
Let’s say the credentials that were stolen are:

JBarry23@gmail.com
EggsandBeans4.Dinner!

Another malicious party stumbles across these credentials and tries to login to popular sites. They get a few successes and you end up having to deal with the headache. You have to resolve the issue yourself because these are personal accounts.

What if someone else finds the same credentials and wants to catch bigger fish? They do some OSINT on your email account and find a few results.

They find your LinkedIn page and notice you work for a big technology provider called ‘GoodChips ltd’. Now, at this point they know nothing about the company or anything to do with your work account.

So how would they get this information? Lets run through some examples:

• It may be as simple as on your LinkedIn page.
• They use Google Dorks and find an email list.
• You’ve signed up for a service with the account and they find the link.

Either one of these are pretty common. Company email addresses can be quite easy to find nowadays thanks to the companies responsibility to help people.

Most companies will have a “contact us” page. Companies normally have a helpline or email address which customers can use to get help. A malicious party could contact this email address and start using social engineering to gain insight.

I’ll give you an example. I recently enquired about a course by emailing the contact@company.com email address. Within an hour I had a reply with two people listed in the CC field. One of those happened to be a manager. From the CC’d users I noticed that the company follows the pattern: ‘firstname.surname@companyname.com‘.

This is very common and can probably be guessed.

To an attacker this is useful information and allows them to start building a profile. Since they know the email address pattern, they can go through sites like LinkedIn and start creating an email list with at least an 60% success rate.

Circling back… Now if the attacker used this technique against our example, they would know the following:

Shopping Account:
JBarry23@gmail.com
EggsandBeans4.Dinner!

Company Account:
Email: John.Barry@Goodchips.com (relationship linked using OSINT)
Known User Password: EggsandBeans4.Dinner!

This information alone could be tested against cloud services such as O365, Gmail or Onedrive. Basically anything that identifies the users based on their email address. If the credentials are right, they will either be prompted with MFA or successfully login. There are ways around 2FA however just getting the prompt confirms the credentials are correct and can therefore be sold/shared online.

If the malicious party did manage to login with your credentials, this wouldn’t necessary flag on your companies system. A successful login isn’t classed as a threat and unless the company has some sort of location based detection they may not be aware of the breach.

There is a lot more an attacker can do to obtain even more information.

Hopefully you can now see the risk of reusing passwords for personal or work accounts. This benefits both parties and keeps both sides safe. Remember the link from work to your personal life can be just as easy to find.

If you want to check if your account has been breached already, there are lots of tools out there that can help. HaveIBeenPwned is a good start.

I know in some cases, people will reuse passwords because “meh”. What I would strongly suggest is that you defiantly don’t follow this pattern with you email account. Here is why….

Facebook and Instagram, fine, if you have to but never your email account.