The “death of the password” has been announced for years now, but
they’re still around. But why? Passwords are convenient and make sense to
people. With the growing use of the Internet for storing and processing
sensitive information, data security has become increasingly important, and passwords are a simple way to help
Alternatives to passwords exist, like biometric authentication and
other schemes, but they’re often either buggy (there’s at least one news story
a year about someone breaking facial or fingerprint recognition on a
smartphone) or they don’t “make sense” to the average person, so we don’t use
them. We’re trying to move away from passwords to the “next level” of account
security, but we’re just not there yet.
The State of the Password
Password usage is already massive and still growing. Pretty much
everyone uses the Internet, and most places that you want to visit on the
Internet want you to register an account with them so that they can track your
usage and have your email address on file for sending “useful deals” and other
spam. Most of these sites use passwords for security since passwords just work.
Setting up a password verification system is pretty simple and doesn’t require
the level of fine-tuning and management that biometric and other systems need.
The issue with passwords is that they’re not very secure. For
starters, there’s the issue of password reuse. You’ve probably registered
dozens of different accounts across the Internet, but how many unique passwords
do you really have? According to a survey
by LogMeIn, about 95% of people know that password reuse is a bad idea but
59% do it anyway.
And that’s not even considering the dangers associated with weak
passwords. Every year, numerous organizations publish a top ten list of the
most commonly used passwords included in data breaches, and at the top of the
list are always passwords like 123456 and qwerty. Many hackers don’t bother
with finding and exploiting zero-day vulnerabilities anymore when it’s so easy
to guess passwords or get users to click on a phishing link.
How Hackers Break Your Password
Password cracking has been around for a while now. In the
beginning, the password system itself was one of the weak points in password
security, especially on Windows systems. The design of the password management
system allowed hackers to break passwords into smaller chunks and either attack
them in real time or build dictionaries matching passwords to their encoded
representations stored in a computer. If a match was found, then the hacker had
his or her way in.
Since then, things have improved. Password systems are now
designed in a way that we, the humans, are the weakest link. A well-designed
and well-managed password (i.e. not taped to the underside of your keyboard or
stored in a note on your computer or smartphone) can take years to crack, and
many hackers don’t have the time or the patience for that. As a result, the
hackers primarily target the low-hanging fruit: the passwords that can be guessed.
The massive number of password breaches in recent years has given
hackers a lot of data to work with. These datasets are often for sale for very
cheap, letting hackers easily build up massive dictionaries of commonly used
passwords. Odds are, you’ve been involved in at least one known data breach,
which may or may not have included leaked password information. If you’re
lucky, it’s the encoded version, which means that the hacker has to crack it
first (how confident are you that it can’t be guessed?). If not, it’s out in
plaintext for anyone to see.
Once a hacker has a list of common passwords (or “dictionary”),
they take advantage of the fact that 59% (or more) of the population has that
bad habit of reusing passwords. They might try your email address (the most
common type of username) with all of your breached passwords against a list of
common websites (Amazon, Netflix, large banks, etc.), or they’ll try a bunch of
common passwords with your email address in hope of a match (those passwords
are called “common” for a reason). This “credential stuffing” attack may be
simple, but it works.
To make things worse, hackers are innovating to streamline the
process of breaking into your online account. A new
tool called Forge is designed to automate most of the work of password cracking,
including organizing dictionaries and managing computational resources. This
frees up the hacker to focus their efforts on spending your money or setting up
a spambot using your social media accounts.
Keeping Your Accounts Secure
Despite all of the advances in how account security can be
managed, it looks like passwords are going to stick around for a while. From a
personal perspective, it’s important to take the basic security steps of using
a password manager (with unique passwords for all accounts) and enabling
multi-factor authentication wherever it is offered.
The issues around password security also affect businesses, making a data security solution an important part of an organization’s cybersecurity plan. If you can’t trust that only legitimate employees have passwords to your critical systems, you need tools capable of monitoring user behaviour and identifying the anomalies that differentiate between an intruder on your system and an employee performing authorized actions for their job.
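The credential stuffing pattern described above (one source trying many different accounts, mostly failing, with the occasional hit on a reused password) is exactly the kind of anomaly the monitoring mentioned here should surface. The following is an added example, not code from the article or any product it mentions: it parses a constructed authentication log in an assumed `ts login user=... ip=... result=...` format and flags source IPs whose behaviour in a sliding window looks like stuffing rather than a single user mistyping a password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article or any real system): one source
# tries five accounts in seconds and lands one success; another is a user mistyping once.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login user=alice@example.com ip=203.0.113.7 result=failure
2024-03-01T10:00:02Z login user=bob@example.com ip=203.0.113.7 result=failure
2024-03-01T10:00:03Z login user=carol@example.com ip=203.0.113.7 result=failure
2024-03-01T10:00:04Z login user=dave@example.com ip=203.0.113.7 result=success
2024-03-01T10:00:05Z login user=erin@example.com ip=203.0.113.7 result=failure
2024-03-01T10:05:00Z login user=alice@example.com ip=198.51.100.20 result=failure
2024-03-01T10:05:30Z login user=alice@example.com ip=198.51.100.20 result=success
"""

LINE_RE = re.compile(r"^(\S+) login user=(\S+) ip=(\S+) result=(\S+)$")

def parse_events(text):
    """Parse 'ts login user=.. ip=.. result=..' lines; lines that do not match are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts, user, ip, result = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "result": result})
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, min_failure_ratio=0.6):
    """Flag source IPs that, within any sliding window, try at least min_users distinct accounts
    with a failure ratio >= min_failure_ratio (many accounts from one source, unlike a forgotten password)."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # drop events that fell out of the window
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(e["result"] != "success" for e in win)
            if len(users) >= min_users and failures / len(win) >= min_failure_ratio:
                hit = {"distinct_users": len(users), "attempts": len(win),
                       # accounts that accepted a password from the spraying source: reset them
                       "compromised_accounts": sorted(e["user"] for e in win if e["result"] == "success")}
                if ip not in flagged or hit["distinct_users"] > flagged[ip]["distinct_users"]:
                    flagged[ip] = hit
    return flagged
```

The thresholds are assumptions to tune against your own login volume; the second source (one account, one failure, then success) is deliberately left unflagged so the rule does not fire on ordinary typos.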