The Authentication Problem: Rethinking Passwords

August 23, 2022

Passwords are not a good solution to authentication problems, and recent research conducted with our Infosec colleagues supports this. In this article, Dan Conrad, security and management team lead at One Identity, explores why this is and what needs to change to make us all safer! 

That passwords are not a textbook solution to the problem of authentication is not a new concept. A combination of human error, social engineering and increasingly sophisticated obfuscation techniques has meant that for years now, passwords have been viewed as a significant problem for organizations hoping to authenticate safely and without friction. Verizon has gone as far as to state that 80% of hacking-related breaches are “linked to passwords.”

This is unsurprising when considering the current state of play for password reuse: 72% of people reuse passwords for their personal accounts, according to Comparitech. Human nature and common sense dictate that this level of password reuse bleeds into the corporate environment, placing not just personal but corporate accounts, and therefore corporate data, at risk.

Passwords in 2022: Reuse Still Rife 

Each new data set continues to reaffirm the problem, and One Identity’s recently conducted study at InfoSecurity Europe 2022 was no exception: 55% of the security staff surveyed said that users sharing or reusing passwords for admin tasks was the biggest security threat. For an industry unusually familiar with apocalyptic pronouncements, this is particularly damning, but it is something I would echo.

This, in essence, is why privileged access management (PAM) tools came about in the first place. If 25 people have the root password to a basic piece of business software, such as an HR program, and those people begin sharing those credentials, there is essentially no way to keep track of who has access to them. If you have a high-risk credential that you are sharing with anyone, you have a security problem.

When it comes to an individual’s credentials, the issue is similar. Every account you own is part of your attack surface and carries risk. It is worth remembering that even corporations have been caught out in the past, creating security issues that would have affected even the strongest password: GoDaddy’s 2021 breach and Facebook’s plaintext password woes from 2019 are examples of situations where passwords were breached in their millions, making them as vulnerable as any other data set when not properly protected. So even if you have the strongest password in the world, using it for every single account you have means that if one account is compromised, they are all compromised.

To Tier or Not to Tier 

This brings us to another issue raised by the survey: that of tiering passwords. Over 94% of individuals who responded to our survey at InfoSecurity Europe indicated that they had ‘tiered’ their passwords by adding a specific layer of complexity on top of the password based on the account’s level of importance. For example, a banking password is considered a ‘top tier’ password.

While this might seem sensible, it fails at one basic principle: human ability. Dashlane has stated that the average adult has 200 online accounts, most of which will require passwords. Even with tiering, this is an impossible number of passwords for any normal individual to remember. What’s more, in today’s ever-more interconnected online ecosystem, and given the prevalence and ingenuity of social engineering, one seemingly less critical account can be the key to the kingdom. Fundamentally, the credential used in each of these accounts is a control against risk. If you use the password again, you weaken that control; the more unique it is, in every sense, the stronger the control. A weak social media control could undo even a strong banking control.

Another critical point is that attackers can crack passwords far faster than the average individual can think of them. If they are trying to break into an account, they will use automated software that tries common passwords (football teams, seasons, months, and so on) at a rate an individual could only dream of. At the more sophisticated end of the cybercrime spectrum, we are not up against an individual trying to guess a password but an organized and automated criminal network.

Appropriate Effort, Inappropriate Format 

The good intentions of users who tier their passwords should be commended, but the same goal is better achieved with a password manager. There still seems to be a general level of mistrust in password managers: users retain and internalize the very valid concern, given the prevalence of data breaches, that putting all their passwords in one place is unwise. However, the burden of bridging this gap falls on the password managers themselves, which need to educate the public better that their passwords will be generated to be inherently unique and complex, and then stored in an encrypted back end for which the provider often does not even hold the decryption key. Strong passwords are essential, but recognizing the limits of how people can achieve this is key.

The Positives: A Slow-burn Revolution 

The survey also provided some good news: 66% of respondents said they already use password managers to deal with their online accounts, and almost all had been mandated to use MFA across their corporate accounts.

What this says is that while passwords continue to wreak havoc, businesses have begun to understand that their ‘crown jewels’, the entrances to and exits from their corporate networks, need to be protected with tools that are far harder than a password for threat actors to crack (or for employees to undermine with bad habits). It also shows that, at least within the information security community we surveyed, people are starting to recognize their limitations when setting passwords and are using password managers to offset those limitations and mitigate the associated risk.

This indicates that while there is still work to be done on educating individuals about proper authentication practices, people are aware that it is something to be conscious of. Passwords are not perfect, but until passwordless authentication becomes an everyday reality in the not-too-distant future, these forms of damage limitation will be all the more critical.

Dan Conrad

Security and Management Team Lead, One Identity

Dan Conrad is a veteran of the technology industry, with 9 years under his belt at One Identity specializing in identity and access management, most recently as Security and Management Team Lead. Prior to that, he spent 6 years at Dell/Quest Software.