The 5 Most Common Failings of Password Security and How To Avoid Them
Here's the deal: when it comes to identity assurance, password-based security is one of the weakest forms of user authentication.
Don't get me wrong: the password was a huge boon for productivity, and it remained one as it became the go-to form of user authentication. But with two-factor authentication and single sign-on now widely available, it's time we acknowledged the major failings of passwords so that we can move towards a more secure and productive solution.
Here are the 5 most common failings of password security:
Passwords can be shared
The very nature of a password makes it easy to share. Nothing ties the user to the secret, so anyone who knows it can use the credential and pretend to be someone they are not. There are literally thousands of news stories about this being exploited, whether for convenience or for financial gain.
One such example is in the scandal that rocked the banking world in January of 2008. French bank “Societe Generale” revealed that a single insider had produced losses in excess of $7.2 billion through fraudulent trades. He was able to use passwords belonging to colleagues to hide transactions and create false accounts to bypass monitoring safeguards that the bank had in place.
Another example of just how easy it is to share passwords comes from a survey by Infosecurity Europe (www.infosec.co.uk), which found that over 70% of office workers were prepared to give their password to strangers posing as market researchers, with a chocolate bar as the incentive for filling in the survey. Another slightly worrying finding is that over half of the people questioned use the same password for everything (work, banking, web, etc.).
Previous Infosecurity surveys found something more worrisome still: two thirds of workers admitted to having given their password to a colleague, and three quarters said they knew their coworkers' passwords.
Passwords can be stolen
Today's Internet threat landscape makes it hard to trust websites, applications and even email, regardless of whether a message appears to come from a trusted source. The number of hostile systems and programs keeps growing as cyber-criminals and pranksters deliver ever more sophisticated malware to compromise systems and steal valuable information, and the credentials that unlock it.
It’s easy to dismiss this kind of threat as more imagined than real, but consider that in April of 2008, around 20,000 corporate executives received phishing emails that purported to be a subpoena. The emails seemed authentic because they addressed the execs by name and included their phone numbers, as reported by the Washington Post. By clicking on the link in the email and following the directions supposedly required to view the subpoena, the executives installed software on their computers that could then steal usernames and passwords. So far, the scam has netted over 2,000 victims, according to the Post.
Passwords can be easily guessed
The human brain can hold only a handful of unrelated items (roughly five to nine) in short-term memory. Considering this and the sheer number of secrets a person needs to remember in this password-protected age, it is not surprising that the most common password is simply "password".
Besides being an easy-to-remember choice for less creative users, "password" is often the default password shipped with web sites and software applications, making it extremely common and not at all secure. In other words, "password" is a bad password. With more complex password policies now being enforced, the most popular password of late is "password1". It doesn't seem that we learn much.
Other perennial favorites include "God", "sex", "money" and "love". Passwords based on the names or birthdays of partners, children or pets are also quite common, as are passwords that refer to the system or website in question. As an example, an analysis of the Adobe accounts exposed in the 2013 breach found that three of the most popular passwords were "123456", "123456789" and "password".
The more online services and privileged systems we access, the worse it gets. It is far easier to reuse one password across many systems, or to choose passwords that an attacker (or a computer) can guess knowing only a small amount of information about the target.
Passwords can be cracked
If there is one thing computers do well, it is completing mundane tasks over and over again without complaint or fatigue. A computer can complete millions of computations a second, making it straightforward to process information in ways we humans can't. In its common form, "password cracking" is done by having a computer guess passwords repeatedly. Over the years plenty of freely downloadable software has been released that lets you "brute force" your way into someone else's account.
As passwords become more complex, so does the task of attacking them. To keep up, attackers have developed methods to pre-compute the hash values to compare against, dramatically speeding up the recovery of weaker passwords once they get hold of the stored password hashes on a system. One study analysed 200 corporate accounts and found that the passwords had an average length of less than 8 characters and used only alphanumeric characters. Passwords like that can be cracked in less than 8 hours on a standard computer.
Passwords can be hard to manage
As businesses become more connected, the difficulty users face in managing their credentials has led to weaker passwords that are easy to collect or circumvent. Industry studies show that the average user has to remember 20 or more different passwords for the systems and applications they use each day.
Typically users try to keep the same easy-to-remember password across multiple systems. When that is not possible, many write their passwords down where they are easy to find, such as on sticky notes left near the computer. On top of this, malware such as keystroke loggers and other data-harvesting tools lets adversaries collect these passwords and gain remote access to multiple systems in the business, and ultimately to protected resources and privileged information.
So what can we do?
It's pretty clear that passwords are here to stay for the foreseeable future. The mission of any company dealing with password security, AuthAnvil included, is to take the insecure password and make it far more effective at establishing a user's identity, all while ensuring the end user doesn't have to jump through hoops to convince their systems that they are who they say they are.
Identity is the foundation of trust. Without confidence in knowing who is using a particular credential, you cannot rely on passwords to protect confidential information when you need to be sure who is viewing and updating the data. Being able to verify someone's identity when they log in reduces this risk and provides greater assurance that they are indeed the intended party.
There are many different ways to attain identity assurance, with varying levels of trust. One of the most efficient and cost-effective ways is to provide another factor of authentication that binds the transaction together with the user. This is more commonly called two-factor authentication.
Two-Factor Authentication (2FA) is the process of validating an identity with two distinct and different kinds of evidence:
- Something you have – a physical device of some kind. This could be a security token, a smartcard or even a simple key.
- Something you know – a secret that only the user knows, such as a personal PIN.
We see 2FA all around us, from long-distance phone cards and physical door access systems to financial transactions completed at an ATM at our local bank.
The fact that you have something (a bank card) and know something (your 4-digit PIN) gives enough assurance that the person using the credential is indeed the intended party. The two factors must be independent: a PIN written on the back of the card collapses them into one.
How Password Management Software Helps
A robust password management system will incorporate all of the things you have come to expect from password management (access controls, auditing, hashing, etc.), but will also incorporate multi-factor authentication (MFA) and single sign-on (SSO).
MFA and SSO are essential. Working together, they allow you to use a super-strong password (e.g. "Qn<,,C&fr-i3B?|") for every system that end users access. This works because end users never have to remember those passwords or write them down: all of the hard-to-remember, hard-to-guess and hard-to-crack passwords are stored, encrypted, in a password server.
The end user reaches those passwords through an SSO portal that logs them into all of their systems at the click of a button (the portal supplies the complex password and completes the login). Access to the portal itself requires multi-factor authentication, which asks for:
- A username, such as an email address
- A one-time passcode (OTP) composed of a PIN the user chooses plus a unique string of digits generated by a desktop or mobile app each time they log into the portal.
Because the one-time passcode changes on every login, the user is effectively presenting a brand-new password each time. It cannot be cracked offline, and a keylogger that captures it gets a code that is no longer valid once it has been used (an attacker relaying the code in real time is the one case this does not cover, which is why the code's validity window should be short and each code accepted only once).
The best part? It's even easier than relying on passwords alone. With the SSO portal you log in once and then reach all of your other systems at a click, with no further logins; instead of logging into 20 different systems, you log into one system (the portal) through an incredibly secure method.
Now that's how identity assurance should be.
Want to learn more about AuthAnvil and how it simplifies super strong password security? Download our free guide below.