How to Keep a Password from Being a Prime Target for Cyber Criminals
By Frank J. Ohlhorst
It is no secret that passwords have become something of a commodity on the dark web. After all, cybercriminals have begun to trade in passwords, selling lists of user accounts with passwords for bitcoins and other cryptocurrencies. In a perfect world, passwords would have no tangible value, since they should be changed frequently and be unique to each authentication system. Nevertheless, human nature often interferes with common sense: users fail to follow best practices and thus create the potential for compromises to take place.
For example, many users fail to frequently change their passwords, and a majority of people use the same credentials (account name and password) across numerous systems. That means if a cybercriminal mines a user’s password from a web account, such as Yahoo mail, eBay, or some other service, that account information may be used to gain access to other systems. It is that potential that drives cyber criminals, hackers, and crackers to seek out new ways to collect passwords, of which there are many.
Some cybercriminals turn to poorly protected sites to steal passwords by gaining access to user account databases. Others turn to spyware to intercept passwords, or to simple technologies such as key-loggers, which silently capture passwords as end users type them. There are countless ways that cybercriminals collect passwords, and countless ways to stop them. Yet one thing seems certain -- password theft will remain an issue for some time, and that squarely makes the protection of passwords an authentication challenge.
Add to that the rise of AI-powered hacking systems and an exponential increase in phishing attacks, and it becomes obvious that it will take more than adding a CAPTCHA to a logon screen to end attacks based on stolen credentials. So where exactly does this leave those looking to protect IT systems today?
It all comes down to focusing on alternatives to the password alone. For example, MFA (multi-factor authentication) shows great promise in the near term. MFA supplements the username/password challenge by adding an additional element. In many cases, MFA combines something you know (name and password) with something you possess (such as a secret code transmitted to your smartphone, or a random number generator on a key fob).
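The "something you possess" factor described above is usually a time-based one-time code (RFC 6238 TOTP), which is what an authenticator app or a key fob displays. The following is an added example, not code from the article or from any vendor it mentions: a minimal two-factor login check that verifies a salted PBKDF2 password hash (the knowledge factor) and a TOTP code (the possession factor), tolerates one step of clock drift, and refuses to accept the same code twice so that a code captured by a key-logger cannot be replayed. The user record, password and function names are constructed for the example; the TOTP key is the published RFC 6238 test-vector key, so the codes can be checked against the RFC.

```python
"""Two-factor login check: something you know (password) plus something
you possess (an RFC 6238 time-based one-time code). Added example; not the
article's or any vendor's code."""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000  # assumed work factor for the password hash


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for storing the knowledge factor."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of the candidate against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step."""
    return hotp(secret, int(unix_time) // step, digits)


class SecondFactor:
    """Possession factor for one user. Tolerates +/- `window` time steps of
    clock drift and remembers the last accepted step so a captured code
    cannot be replayed while it is still within its validity period."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_step = -1

    def verify(self, code, unix_time):
        step_now = int(unix_time) // self.step
        for drift in range(-self.window, self.window + 1):
            candidate_step = step_now + drift
            if candidate_step <= self.last_step:
                continue  # already consumed: reject the replay
            expected = hotp(self.secret, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = candidate_step
                return True
        return False


def login(record, password, code, unix_time):
    """Both factors are always evaluated and the caller learns only pass/fail,
    so the response does not reveal which factor was wrong."""
    pw_ok = verify_password(password, record["salt"], record["digest"])
    code_ok = record["factor"].verify(code, unix_time)
    return pw_ok and code_ok


def make_demo_record():
    """Constructed user record; the TOTP secret is the RFC 6238 test-vector key."""
    salt, digest = hash_password("correct horse battery staple")
    return {"salt": salt, "digest": digest,
            "factor": SecondFactor(b"12345678901234567890")}


if __name__ == "__main__":
    record = make_demo_record()
    # RFC 6238 vector: at Unix time 59 the 6-digit SHA-1 code is 287082
    print(login(record, "correct horse battery staple", "287082", 59))  # True
    print(login(record, "correct horse battery staple", "287082", 70))  # False: replayed code
    print(login(record, "wrong password", "359152", 70))                # False: bad password
```

The replay check is the part most often left out of home-grown implementations: without `last_step`, a code lifted from a keystroke log remains valid for the rest of its 30-second window plus the drift tolerance. Production systems would additionally rate-limit attempts per account, since a six-digit code has only a million possibilities.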
Yet many network administrators are afraid of the additional complexity that MFA may bring, as well as the increased need for support. In other words, MFA may lead to more help desk calls and integration challenges. However, the benefits far outweigh the negatives. For example, the time it takes to resolve a security issue, and the costs associated with lost data, far outweigh the implications of deploying and supporting MFA. What's more, thanks to web-based technologies, MFA has become surprisingly simple to implement and support, meaning that avoiding just one password compromise makes the move to MFA well worthwhile.
Case in point is Kaseya AuthAnvil, which delivers full MFA using easily integrated technologies that also offer single sign-on (SSO) and user management, both of which should quell any concerns about increased help desk activity.
Simply put, the age of the simple user/password challenge is ending, and as cybercriminals become craftier, more problems associated with password and data theft are sure to arise.