Passwords are the most basic and common authentication method used to secure access to systems, but using and maintaining secure passwords across numerous platforms can be quite tedious. According to Verizon's 2020 Data Breach Investigations Report, weak and re-used passwords resulted in 81% of data breaches. On top of that, passwords carry many more vulnerabilities and risks, which makes them an increasingly unsuitable authentication option.
Three main problems with passwords
Human behavior and passwords – Many people prefer convenience over security. Using simple, easy-to-remember passwords, or the same password across all platforms, is a very common habit. Password sharing and storing passwords by insecure means are further habits that contribute to most password attacks. It is both your personal responsibility and your organization's duty to practice proper, secure password hygiene.
Complex management – Password policies set by many organizations require employees to change passwords frequently, remember multiple complex passwords, and reset passwords when they are forgotten, all of which costs a lot of time and support resources. Many of these procedures are inefficient, inconvenient, and unrealistic for the employee, and they place a heavy burden on the IT department to resolve password-related issues. Individuals likewise struggle with many of the password requirements imposed on them by popular websites and applications.
The increasing number of password breaches – According to Hackernoon, it was demonstrated that over 80% of 14 million passwords could be cracked within just 20 hours. Attackers are equipped with powerful tools and procedures dedicated to compromising passwords. Compromised passwords are then published on the dark web and used for attacks such as credential stuffing and password spraying.
Types of password attacks
Password attacks exploit weaknesses in a system's authentication through various techniques and attack tools. Threat actors automate powerful attacks, mainly targeting privileged accounts, at large scale in very little time. As a security professional, it is crucial to know the most popular types of attacks and their methods of defense:
1. Social engineering and human initiated attacks.
Phishing attacks – The most common social engineering password attacks. They use various lures to get users to click malicious links. The best ways to avoid phishing include looking out for suspicious email headers, subjects, attachments, and links. Misspelled or obfuscated domain names, a forged logo, and poorly written emails are also indicative of suspicious origins.
Eavesdropping and shoulder surfing – Eavesdropping is the exposure of passwords through voice or by digital means. Have you ever overheard a person reciting confidential information during a cell phone conversation? While you may not have paid much attention to the person, criminals take advantage of this careless behavior and gather as much information as possible. Following proper security hygiene, as well as good phone etiquette, can guard you against becoming an eavesdropping victim.
Shoulder surfing is where the attacker learns the credentials by watching a person type a password or PIN code on a keypad. A phone thief can watch you type or swipe your screen lock code before stealing your phone, which puts your data at risk. Being vigilant of those around you and shielding your screen when you unlock your device can protect your information.
2. Password Guessing Attacks
Dictionary attacks – The use of a predefined list of words, typically passwords exposed in previous breaches. Dictionary attack tools can also add suffixes and prefixes to each guess based on the characteristics of the target, further increasing the chance of compromising the password.
Brute-force attacks – A trial-and-error approach of trying all possible password combinations. The best defense against a brute-force attack is a long passphrase rather than a standard password.
Password spraying attacks – The threat actor attempts to access several accounts using the same password before trying another password. This attack doesn't raise suspicion, since the threat actor spreads the attempts across many accounts rather than making multiple attempts against a single account. It is most successful on websites and platforms where administrators fail to change default passwords.
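The two guessing patterns above leave different footprints in authentication logs: brute force piles failures onto one account from one source, while spraying spreads a single failure across many accounts from one source. The following detector is an added example written for this article (not code from the author), using a constructed log format and thresholds that are assumptions a real deployment would tune; it flags both patterns within a sliding ten-minute window per source address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data). One source tries one
# password against many accounts (spray), another hammers a single account
# (brute force), and a third is a legitimate user who mistypes once and succeeds.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:02 FAIL user=bob src=203.0.113.7
2024-05-01T09:00:03 FAIL user=carol src=203.0.113.7
2024-05-01T09:00:04 FAIL user=dave src=203.0.113.7
2024-05-01T09:00:05 FAIL user=erin src=203.0.113.7
2024-05-01T09:00:06 OK user=frank src=203.0.113.7
2024-05-01T09:10:00 FAIL user=admin src=198.51.100.9
2024-05-01T09:10:01 FAIL user=admin src=198.51.100.9
2024-05-01T09:10:02 FAIL user=admin src=198.51.100.9
2024-05-01T09:10:03 FAIL user=admin src=198.51.100.9
2024-05-01T09:10:04 FAIL user=admin src=198.51.100.9
2024-05-01T09:30:00 FAIL user=alice src=192.0.2.44
2024-05-01T09:31:00 OK user=alice src=192.0.2.44
"""

# Assumed log line shape: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

# Thresholds are assumptions; tune them to the size and noise of your environment.
WINDOW = timedelta(minutes=10)
SPRAY_MIN_USERS = 5            # distinct accounts failed from one source
SPRAY_MAX_FAILS_PER_USER = 2   # spraying stays "quiet" per account
BRUTE_MIN_FAILS = 5            # failures against one account from one source


def parse(log_text):
    """Parse log lines into (timestamp, result, user, src) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    events.sort(key=lambda e: e[0])
    return events


def detect(log_text):
    """Return sorted (kind, src, user) findings; user is '*' for a spray finding."""
    findings = set()
    recent = defaultdict(deque)  # src -> recent failures (ts, user) inside WINDOW
    for ts, result, user, src in parse(log_text):
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()  # drop failures that fell out of the sliding window
        per_user = defaultdict(int)
        for _, u in q:
            per_user[u] += 1
        # Brute force: many failures concentrated on a single account.
        if per_user[user] >= BRUTE_MIN_FAILS:
            findings.add(("brute_force", src, user))
        # Spray: many distinct accounts, each with only a failure or two.
        if (len(per_user) >= SPRAY_MIN_USERS
                and max(per_user.values()) <= SPRAY_MAX_FAILS_PER_USER):
            findings.add(("password_spray", src, "*"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Keying the spray rule on the source address is the simplest form; a spray distributed across many source addresses needs the same count taken across the whole tenant (distinct accounts with exactly one failure in the window). A success from a source that was just flagged for spraying, like the frank login in the sample, is the event to triage first, since it is the one guessed password that worked.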
How to prevent password attacks
Organizations are equipped to set strong security protocols and mechanisms for password management that tackle modern threats and attacks, but individuals can practice good password hygiene as well. The NIST guidelines recommend passwords of 8-64 characters in length, including nonstandard characters, and in particular long passphrases. Passphrases discourage brute-force attacks; they shouldn't match entries in a password dictionary or contain personally identifiable information. Avoid reusing passwords by using password manager software, and reset a password only if it is compromised or forgotten.
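The rules in the paragraph above (8-64 characters, no match against a breached-password dictionary, no personal information) can be enforced at the point where a password is set. Here is an added example of such a checker, written for this article rather than taken from the author or from NIST; the blocklist is a constructed stand-in, and the treatment of repeated characters and the three-character minimum for personal-term matching are this example's own assumptions.

```python
import unicodedata

MIN_LEN, MAX_LEN = 8, 64

# Constructed stand-in for a breached-password blocklist. Assumption: a real
# deployment would check against a full breach corpus (for example through a
# k-anonymity range lookup) rather than this handful of entries.
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou",
            "welcome1", "password1"}


def check_password(candidate, username="", personal_terms=()):
    """Return a list of problems with the candidate; empty means acceptable.

    personal_terms holds strings that should not appear in the password,
    such as the user's name, employer or birth year (an assumption about
    what the caller knows about the account holder).
    """
    problems = []
    # Normalize first so visually identical Unicode forms are treated alike;
    # length is counted in characters after normalization.
    pw = unicodedata.normalize("NFKC", candidate)
    low = pw.lower()
    if len(pw) < MIN_LEN:
        problems.append(f"too short: minimum {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"too long: maximum {MAX_LEN} characters")
    # Dictionary check: the whole password matches a known breached value.
    if low in BREACHED:
        problems.append("matches an entry in the breached-password list")
    # Personal-information check: reject terms of three or more characters
    # that appear anywhere inside the password (case-insensitive).
    for term in (username, *personal_terms):
        t = term.lower()
        if len(t) >= 3 and t in low:
            problems.append(f"contains personal information: {term!r}")
    # Repetitive input such as "aaaaaaaa" passes the length rule but adds no
    # strength; flag it once the length rule itself is satisfied.
    if len(pw) >= MIN_LEN and len(set(low)) <= 2:
        problems.append("repetitive characters")
    return problems


def is_acceptable(candidate, username="", personal_terms=()):
    """Convenience wrapper: True when check_password reports nothing."""
    return not check_password(candidate, username, personal_terms)


if __name__ == "__main__":
    for pw in ("password", "alice2024!!", "correct horse battery staple"):
        print(pw, "->", check_password(pw, username="alice") or "ok")
```

The checker deliberately imposes no composition rule (so many uppercase letters, digits or symbols); it accepts any normalized Unicode string within the length bounds, which matches the NIST SP 800-63B advice against composition rules and lets a long passphrase through without forcing symbols into it.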
Enabling multi-factor authentication (MFA) is the single best protection for an account. Using a password as the sole authentication mechanism poses a huge security risk; one-time passwords (OTP), hardware tokens, and authenticator apps will all increase your personal security.
The future of passwords
Due to the increasing number of password-based attacks, it is likely that passwordless authentication will be used in the future. Passwordless authentication is inherently more secure because there is no password, in the traditional sense, to be compromised. The most common passwordless authentication methods are biometrics, OTP codes, push notifications, and magic links. A magic link is a method where, instead of requesting the password from the user, a unique link that enables the login is created and sent via email.
Passwords have become an outdated method of authentication that is vulnerable to many threats and attacks. Using only a password-based authentication method is now deemed less secure due to the myriad available password attacks. While organizations have special tools to enforce good authentication policies, individuals should also raise their account security. Adopting MFA and passwordless authentication methods is a simple and free way to immediately secure your accounts.
About the Author:
Dilki Rathnayake is a Cybersecurity student studying for her BSc (Hons) in Cybersecurity and Digital Forensics at Kingston University. She is also skilled in Computer Network Security and Linux System Administration. She has conducted awareness programs and volunteered for communities that advocate best practices for online safety. In the meantime, she enjoys writing blog articles for Bora and exploring more about IT Security.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.