SplashData’s, annual review of passwords, “Worst Passwords 2015”, has identified the most commonly used passwords. The list is shameful. After over 20 years of using the Internet and over 50 years of using computer based passwords, we still see 123456 and password, as the top two password choices. Let’s face it - passwords are a pain. It’s a pain to remember them, it’s a pain to type them in, but the biggest pain is that they are just not secure on their own.

 The trouble is passwords are very convenient. You can set them yourself. You can usually recover the password, or reset it, online. And passwords are highly portable; you can use them across any device, unlike some other authentication methods, like digital certificates, or hardware-based tokens. All in all, passwords are very easy to use.

But with convenience comes a cost. The adage, “there’s no such thing as a free lunch”, is unfortunately very true in the case of passwords. This convenience is causing many security breaches and is costing businesses of all shapes and sizes financial losses, personal data theft and reputational damage.

Password Hacks

The trouble with passwords is that they can be easily hacked. The following are some of the vulnerabilities associated with passwords:

1. Passwords can be shared and even sold. If your IT network resources and external access is controlled by username/password only, then it is really easy for an employee to share their login credentials with a co-worker, who then has all of the access rights of the password owner. A report by SailPoint, which looked at how employees view passwords, found some shocking statistics. For example, they found that 20% share passwords with co-workers, 56% use their personal passwords for enterprise access and most shockingly, 1 in 7 employees admitted they would sell their password for as little as $150. Insider threat is one of the most prevalent areas of cyber security risk. The SANS Institute recently compiled a survey on insider threats which showed that at least a third, likely more, of enterprises have suffered from a known insider breach. If employees are passing around their passwords, or even selling them, then the prospect of insider threat becomes even more of a likelihood.
2. Phishing, especially spear phishing. Phishing emails, where a user is encouraged through social engineering techniques to enter a password into a spoof website, are one of the most successful and used cybercrime vectors. The SANS Institute reported that around 95% of security breaches start with a phishing email. This is born out by major breaches like Target and Office of Personal Management (OPM) both having started with a stolen password from a spear phishing email.
3. Password hacking and brute force. Passwords are vulnerable to a number of hack based attacks including brute force, where a cybercriminal uses a tool to run through all possible combinations of a password until it hits upon a match. If you were thinking here, well they’d have to guess a username too, guessing usernames is also very trivial for a hacker, as often they are simply an email address or a person’s name concatenated in some manner. Hacking a password is often even simpler than a brute force attack. For example, many applications, including modern IoT devices, come with pre-set administration usernames and passwords, which are well known and if not, easily guessed. Other applications, including directories like Active Directory, if not properly configured and protected, can be hacked using readily available tools, such as, in the case of Active Directory, DCSync, which allows you to easily obtain administrator passwords.
4. Malware threats: Malware that captures keystrokes (often called key loggers) or that can exfiltrate data, like login credentials, is a problem for password security. There was a recent attack on hotel chains in the U.S. where ‘off-the-shelf’, i.e. bought via the dark web key logging malware, was used to steal guest’s personal data, including bank login details.

How to Fix the Password Problem: Add a Factor

You’ll probably hear the words ‘password policy’ when talking to someone about improving the security of passwords. Complex password policies do go some way towards the hardening of passwords against brute force type attacks. However, there is a two-fold problem here:

1. The first is that complex policies make passwords hard to remember, so people write them down. Therein lies the first security hole in your armor. Sure, you can use a password manager, but all that does is add a single point of failure into the security you are using.
2. The second issue is that password policies don't prevent password theft carried out via a phishing email. You could have a password 200 characters in length, using numbers, capitals, and diacritic characters, but if you’re phished, or are infected with key logging malware, your login credentials will be stolen.

2FA - The Way Forward

The only real way forward is to start to use a second factor with your username/password combination. Second factors can be almost anything. Typically they are PIN codes sent to mobile devices in an SMS message or mobile apps that generate time-sensitive codes. They could be biometrics, like a fingerprint, or a specialized authentication device, like a smart card reader. Whatever they are, they should be out-of-band, that is the code or biometric is received on a device that is separated from the requesting application. This prevents phishing; the cybercriminal may trick you into entering your password, but they won't be able to mimic the second factor mechanism that is set up at the time you create your login credentials. In other words, they won't be able to then use your stolen password and username to access an application, because they’d need your mobile phone, or fingerprint to complete the login.

With 2015 seeing 169 million breached records in the USA, as recorded by the Identity Theft Center, we need to take a serious look at how applications and data are being accessed in our organizations. Passwords may be convenient, but they simply cannot cope with the sophisticated and highly successful methods being used by cybercriminals to gain access to our networks. We need to add another layer onto our armor in the form of a second factor.