The message of World Password Day was to “layer up” by adding multi-factor authentication (MFA) to traditional passwords. But in many ways, this is missing the point: we should be migrating from passwords altogether.
At the start of May the internet went into virtual meltdown after Twitter recommended that all of its users reset their passwords. The cause was a bug that wrote users' passwords in plain text to an internal log before the hashing step had completed, so the raw passwords sat unprotected on an internal system even though Twitter's account store itself holds only hashes.
While there is no evidence of these unprotected passwords being discovered or misused by hackers, that does not mean the credentials have not already found their way onto the dark web. By continuing to support an outdated, insecure and ineffective authentication paradigm, organisations everywhere are exposing themselves and their customers to wholly preventable cyber-risk.
The Twitter revelations broke, ironically enough, on World Password Day, an event which is itself symptomatic of our failure to upgrade and move on. Isn't it time we consigned passwords once and for all to the dustbin of history? Far more secure and effective alternatives already exist to protect your data and reputation and preserve customer trust. Twitter does offer two-factor authentication, but only as an opt-in; it is a prime example of companies failing to enforce stronger authentication as standard, and of why it remains under-used.
A digital relic
Bill Gates famously predicted the death of the password back in 2004, arguing that the traditional username and password combination could not “meet the challenge” of keeping critical systems secure. Fast forward 14 years and little has changed, except that far more secure and robust methods of authenticating users now exist and are widely available.
The Twitter incident illustrates perfectly the problems we currently face as an industry. A bug caused passwords to be written in plain text to an internal log before they were hashed. No-one is thought to have accessed them illegitimately, but the firm recommended a reset “out of an abundance of caution”. It could have saved itself and its users a lot of pain and worry by migrating them all to newer authentication systems.
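As an added illustration of the failure mode described above (this is example code written for this page, not Twitter's code, which has never been published, and not Intercede's): the logging mistake beside its hardened form, with the simple check that would have caught it. The request handlers, the in-memory log sink and the `SENSITIVE_KEYS` list are assumptions made for the demo; PBKDF2-HMAC-SHA256 with a random per-user salt is used here as a standard, universally available password hash.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed in-memory log sink standing in for an internal log file.
LOG: List[str] = []

# Request fields that must never reach a log. Assumed list for this demo.
SENSITIVE_KEYS = {"password", "new_password", "old_password", "token"}

# Kept low so the demo runs quickly; production guidance (e.g. OWASP) for
# PBKDF2-HMAC-SHA256 is several hundred thousand iterations.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$digest' (hex) using a fresh random salt per password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def register_vulnerable(request: Dict[str, str], store: Dict[str, str]) -> None:
    """The bug pattern: the raw request is logged before the password is
    hashed, so the plain-text password lands in the log even though the
    account store only ever holds a hash."""
    LOG.append(f"register request={request}")
    store[request["username"]] = hash_password(request["password"])


def redact(request: Dict[str, str]) -> Dict[str, str]:
    """Strip secret fields from anything that is about to be logged."""
    return {k: ("<redacted>" if k in SENSITIVE_KEYS else v) for k, v in request.items()}


def register_hardened(request: Dict[str, str], store: Dict[str, str]) -> None:
    """Hardened form: only the redacted request reaches the log."""
    LOG.append(f"register request={redact(request)}")
    store[request["username"]] = hash_password(request["password"])


def log_leaks(secret: str) -> bool:
    """The check that would have caught the bug: does any log line contain the secret?"""
    return any(secret in line for line in LOG)


def run_demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (vulnerable_leaked, hardened_leaked, correct_pw_verifies, wrong_pw_rejected)."""
    store: Dict[str, str] = {}
    request = {"username": "alice", "password": "correct horse battery staple"}  # constructed input
    LOG.clear()
    register_vulnerable(request, store)
    vulnerable_leaked = log_leaks(request["password"])
    LOG.clear()
    register_hardened(request, store)
    hardened_leaked = log_leaks(request["password"])
    return (vulnerable_leaked, hardened_leaked,
            verify_password("correct horse battery staple", store["alice"]),
            not verify_password("Tr0ub4dor&3", store["alice"]))


if __name__ == "__main__":
    print(run_demo())
```

The point of `log_leaks` is that a test which registers a known password and then greps every log sink for it is cheap to write and turns this class of bug into a failing build rather than an incident.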
Passwords are a relic from an age in which the sun has long since set. The bottom line is that today they can be cracked, stolen or guessed with relative ease, compromising not only customer accounts but also internal ones. While the former is concerning, the latter could have devastating consequences if attackers infiltrate corporate systems and gain access to sensitive IP and customer data.
The weakest link
Users will always be your weakest link. With so many passwords to remember across numerous business and personal online accounts, the default behaviour is to reuse a handful of credentials across many accounts and to make them as easy as possible to remember. A recently discovered dark web trove of 1.4 billion breached credentials found the most popular password was “123456”, used over 9.2 million times. Second place? That went to “123456789”, used more than 3.1 million times.
If they don't guess your users' credentials outright, attackers can take credential lists collected from previous breaches and replay them against other sites, trying hundreds of username and password combinations per minute (so-called credential stuffing). Password reuse remains a major problem and is a hacker's dream: once leaked from an insecure site, a user's credentials can be bought online and reused elsewhere. More targeted attacks use spear-phishing to simply trick privileged users into handing over their log-ins on what they believe is an official portal or site.
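The two attack patterns just described look different in an authentication log, and that difference is what a detection rule keys on. The following is an added example (not from the article or from Intercede) of that logic run over a constructed log: a source that fails against many distinct usernames in a short window is replaying a breached credential list, while a source that fails many times against one username is guessing a single password; any success from a source in the first category marks an account that has just been taken over. The log line format, the thresholds and the `classify` function are assumptions made for this demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed log format for this demo: "<ISO8601 Z> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, ip, user, result) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"]


def classify(lines: List[str], window: timedelta = timedelta(seconds=60),
             min_failures: int = 10, min_users: int = 5) -> Dict[str, dict]:
    """For each source IP, find its densest burst of failures inside `window`.
    Many failures spread over many users -> credential stuffing;
    many failures against one or a few users -> password guessing on an account."""
    fails: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    successes: Dict[str, List[str]] = defaultdict(list)
    ips = set()
    for ts, ip, user, result in sorted(filter(None, map(parse_line, lines)), key=lambda e: e[0]):
        ips.add(ip)
        if result == "FAIL":
            fails[ip].append((ts, user))
        else:
            successes[ip].append(user)

    report: Dict[str, dict] = {}
    for ip in ips:
        burst = fails.get(ip, [])
        best_count, best_users, start = 0, 0, 0
        for end in range(len(burst)):            # sliding window over this IP's failures
            while burst[end][0] - burst[start][0] > window:
                start += 1
            span = burst[start:end + 1]
            count, users = len(span), len({u for _, u in span})
            if (count, users) > (best_count, best_users):
                best_count, best_users = count, users
        if best_count >= min_failures and best_users >= min_users:
            verdict = "credential_stuffing"
        elif best_count >= min_failures:
            verdict = "password_guessing"
        else:
            verdict = "benign"
        report[ip] = {"verdict": verdict, "failures": best_count,
                      "distinct_users": best_users, "successes": successes.get(ip, [])}
    return report


def _fmt(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sample log (RFC 5737 documentation addresses, invented usernames).
_T0 = datetime(2018, 5, 3, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG: List[str] = (
    # One source works through a breached credential list: a different user
    # every few seconds, mostly failing, then one hit.
    [f"{_fmt(_T0 + timedelta(seconds=3 * i))} ip=203.0.113.5 user=user{i:02d} result=FAIL"
     for i in range(12)]
    + [f"{_fmt(_T0 + timedelta(seconds=36))} ip=203.0.113.5 user=dave result=OK"]
    # One source hammers a single account.
    + [f"{_fmt(_T0 + timedelta(seconds=2 * i))} ip=198.51.100.7 user=bob result=FAIL"
       for i in range(15)]
    # An ordinary user mistypes once, then logs in.
    + [f"{_fmt(_T0)} ip=192.0.2.9 user=alice result=FAIL",
       f"{_fmt(_T0 + timedelta(seconds=5))} ip=192.0.2.9 user=alice result=OK"]
)

if __name__ == "__main__":
    for ip, info in classify(SAMPLE_LOG).items():
        print(ip, info)
```

The thresholds are deliberately conservative defaults; in practice they are tuned per service, and a stuffing source that spreads its attempts across many IPs needs the same logic applied per target username across sources as well.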
Too big to ignore
Once inside, attackers could pivot to customer databases or stores of sensitive IP. Some of the biggest and most damaging breaches of recent times started with a compromised password. US retailer Target (110 million customers), the Office of Personnel Management (21.5 million federal employees) and Uber (57 million users) are just a few.
Identity fraud is on the rise and consumers are increasingly holding the organisations they do business with to account.
Time to switch
The message of World Password Day this year was to “layer up” by adding multi-factor authentication (MFA) to traditional passwords. But in many ways this misses the point: we should be migrating away from passwords altogether. Bolting MFA onto passwords is confusing for users and leaves gaps in implementation that still expose organisations. After all, how many users had Twitter's optional two-factor authentication switched on?
At its heart, MFA improves on the traditional password because it combines two or three factors: something you have, such as a smart card or smartphone; something you know, such as a PIN; and often something you are, such as a fingerprint or other biometric. Cracking, stealing or guessing a password is relatively easy, but impersonating a legitimate user in this scenario requires the attacker to obtain the PIN and the physical item, and possibly the user's biometric as well. How much protection the scheme gives also depends on how the second factor is bound to the login: a one-time code that a user can be talked into typing into a fake portal (the spear-phishing route above) offers less protection than a smart card or hardware token that will only respond to the genuine service.
The challenge is getting organisations to make the leap to more robust authentication, and educating consumers on how to use the new technology. Passwords have been with us for so long that it seems impossible to imagine a world without them. But that is what we need to do if we genuinely want to improve cyber-security. Perhaps a good place to start would be to rename World Password Day “World MFA Day”.
Contributed by Allen Storey, chief product officer at digital identity expert Intercede.
This article originally appeared at scmagazineuk.com