Nathan Wenzler from Tenable outlined tips for reducing password security vulnerabilities.
The way content is watched has shifted so rapidly over the past few years that it’s hard to imagine the time before over-the-top (OTT) media services were available. With instant access to on-demand television shows, movies, documentaries and other content, consumers can choose to subscribe to the various platforms that offer the best content based on their preferences, limited only by a monthly fee for their user account.
However, at the intersection of cost and convenience, we’ve seen consumers engage in a longstanding practice of sharing their credentials for these OTT platforms with others in their household, families or friend circles, so that more people can access the service without having to individually pay for their own subscriptions.
After Netflix recently announced they would be cracking down on password sharing between multiple people and/or households, the response from consumers was swift and less than favourable. While the right and wrong of both sides of this argument lie within the realm of corporate business function and how companies engage with and foster positive relationships with their customers, let’s address a more subtle risk that’s staring us in the face: sharing passwords with others – anyone – is increasing the risk of identity theft, financial fraud and even reputation risk for the owner of the account. We all want to help the people around us, and on the surface, sharing passwords seems like a simple and insignificant way to give someone access to entertainment they wouldn’t normally have.
But the risk involved isn’t generally taken into account, and perhaps a newfound awareness around this risk will become the silver lining for consumers within Netflix’s announcement.
You may be asking, “What’s the big deal about sharing passwords for my OTT service?” It’s a reasonable question if we look at only what’s available on those services. Are we really worried about friends and family watching TV and movies? That doesn’t sound like that big of a deal, and in and of itself, it really isn’t. But when we step outside of the OTT platform and look at how our internet-connected world is entwined in everything we do online, there’s a lot more potential for trouble.
Commonly, consumers tend to use simple passwords and reuse them across many of their online accounts. In fact, research from Proofpoint found 42 per cent of working Australians use the same password across multiple accounts. It’s easier to remember, shorter to type and generally more convenient to just use a short, sweet and simple password for everything.
Cyber criminals are aware of this and if they can find a password on one site, they know it’s highly likely it’ll work on other accounts, too. In other words, if a cyber criminal were to get the password for your Netflix account, they may now also have access to your banking accounts, shopping services, email and much more, if you’re using that password across all your accounts.
Worse still, if malware gets installed on one of your devices, that malicious software can also try to steal your passwords for those services and relay them back to a criminal actor.
It’s a real problem, and one that we must take steps to prevent where possible. When we share our passwords with others, we expand the potential number of targets a cyber criminal has to try and find that password. If successful, a consumer’s extended network of friends’ and families’ systems are now potential targets that, if compromised, would cause credentials to be stolen and used for any and all services that leverage that account. The risk is exponentially increased due to a much larger attack surface for cyber criminals. More convenient and less expensive? Certainly.
But the potential for problems in the long term goes up dramatically the more people are aware of someone’s usernames and passwords.
So, remember a few important tips:
- Always use a complex password with upper and lower case, symbols and numbers.
- Do not reuse a password on another site. Ever. Leverage a password manager to help manage and maintain lengthy passwords for all accounts.
- As friendly as it may seem, do not share passwords with others. The increase in risk of fraud, identity theft and more only grows when passwords are shared.
- If a service offers multi-factor authentication (MFA) functionality, use it. It’s an extra step which prompts the user to enter a code that is generated by a tool on a phone or sent via text. It adds a significant layer of protection from criminal actors who may have a password through a data breach. They won’t be able to use it on sites where you’re using MFA.
While slightly less convenient, refraining from sharing passwords is a better step toward protecting online identities and everything that's associated with them. Consumers will be impacted by the monthly subscription cost, but at least they'll be taking a step toward preventing far greater impact from identity theft and fraud.
Nathan Wenzler is the chief security strategist at Tenable.