Passwords - not all they are cracked up to be


ITV has announced the upcoming launch of their new show ‘Password’: a word association game which consists of teams receiving one-word clues to guess a mystery “password”. But what is the reality behind having your password cracked?

In real life, cybercriminals aren’t gifted with one-word clues or encouraged by flashing lights and comical noises, yet the ease and ability remain the same. Adversaries don’t have to “crack” passwords anymore; they simply steal them while they are unencrypted. So, gameshow or otherwise, no matter how ‘long’ or ‘strong’ passwords appear to be, they are a fundamentally flawed authentication method. Companies’ continued heavy reliance on passwords as a means of validating user identities has therefore left them open to attack.

Representing the weakest link in an organization's security chain, passwords can be easily guessed, obtained through clever social engineering tactics, or stolen while they are unencrypted, for example when a user is typing a password into a web form. Despite attempts to implement more secure authentication methods, even first-generation MFA (Multi-Factor Authentication) solutions that combine passwords with an additional factor, such as one-time passwords via SMS/email or push notifications, are now frequently circumvented, even by inexperienced attackers.

This situation poses a significant risk to organizations. According to the Verizon Data Breach Report of 2022, credentials were the most common type of data compromised in both the US (66%) and EMEA (67%), and more than 80% of data breaches directly result from password-related issues. Consequently, improving authentication and security measures remains a top priority for business leaders worldwide.

Just how easy is it to crack a password?

Unfortunately, there is no such thing as a ‘strong’ or ‘secure’ password. The length and complexity of a password only become significant if attackers resort to brute force, attempting millions of combinations of characters and numbers until they find the right match. For example, it is often suggested that a 12-character password with a mix of upper and lower-case characters, numbers, and special characters would take billions of years to crack through brute force. However, this method is not how adversaries typically gain access to passwords.

In reality, attackers rely on social engineering techniques to trick users into providing their passwords directly. They may also infect endpoints with credential theft malware or employ attacker-in-the-middle (AitM) techniques to intercept passwords as they cross the network in the clear. In these cases, the length of a password becomes irrelevant, as malware can steal a lengthy password just as easily as a short one consisting of only four letters or numbers. Therefore, the focus should not be solely on creating ‘strong’ passwords but on implementing additional security measures to counteract these tactics.

Jasson Casey

CTO at Beyond Identity

Poor password habits

Recently, we have seen the growing popularity of password managers, with Google and other applications saving users’ passwords and generating randomized passwords to ensure ‘greater protection’. While this offers some degree of security, since it prevents attackers from reusing one set of stolen credentials across multiple accounts, several issues still remain.

Even the best password manager has limitations when it comes to stopping attackers at the endpoint or in the middle of the login flow. While these tools may enhance security by generating complex and unique passwords for users, they don't fundamentally alter the login procedure. The password manager merely handles password generation, with the user's login experience remaining unchanged. Additionally, they don't provide full protection against social engineering attacks, as unsuspecting users may still be manipulated into revealing relevant information to attackers, bypassing the password manager's safeguards.

Another significant drawback of password managers is that they centralize the risk for users and create an enticing target for hackers. If attackers manage to steal the main password from the password manager vendor, they potentially gain access to all customer credentials in one go. This concentration of sensitive information can lead to severe consequences in case of a successful breach. A real-life example of this risk materialized in December 2022 when LastPass disclosed an incident where hackers gained access to backups of their customers' data. Such incidents highlight the vulnerabilities associated with relying heavily on password managers as the sole defence against security threats.

The solution? Passwordless authentication

Organizations now have the opportunity to transition towards a modern and highly secure passwordless, Multi-Factor Authentication (MFA) system that effectively resists phishing attempts. This advanced approach makes use of biometrics and passkeys, following the standards set by the Fast Identity Online (FIDO) Alliance. This industry association operates openly, with the primary goal of reducing the world's dependence on passwords by establishing robust authentication standards.

The FIDO Alliance's mission involves promoting and supporting the development, usage, and adherence to authentication and device attestation standards. Its efforts aim to revolutionize authentication by offering open standards that surpass the security provided by passwords, while simultaneously being more user-friendly for consumers and easier for service providers to implement and manage.
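To make concrete why a FIDO credential resists the relay and phishing tactics described above where a password or one-time code does not, here is an added Go sketch (not the article's or Beyond Identity's code) of the WebAuthn assertion check: the browser-recorded origin and the server's challenge sit inside the signed data, so the relying party rejects an assertion produced on a look-alike origin even when the genuine challenge was forwarded. The reduced authenticatorData, the function names and the `bank.example` values are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// signedMessage is what ES256 covers: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// signAssertion models the authenticator (authData reduced to rpIdHash). The origin
// in clientDataJSON is recorded by the browser, never typed or chosen by the user.
func signAssertion(key *ecdsa.PrivateKey, rpID, origin, challenge string) (authData, cdJSON, sig []byte) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData = rpHash[:]
	cdJSON, _ = json.Marshal(map[string]string{"challenge": challenge, "origin": origin})
	sig, _ = ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, cdJSON))
	return
}

// verifyAssertion models the relying party: challenge, origin, rpIdHash and signature
// must all match, so an assertion produced on a look-alike origin is rejected.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, cdJSON, sig []byte) bool {
	var cd map[string]string
	if json.Unmarshal(cdJSON, &cd) != nil || cd["challenge"] != challenge || cd["origin"] != origin {
		return false
	}
	if rpHash := sha256.Sum256([]byte(rpID)); len(authData) < 32 || string(authData[:32]) != string(rpHash[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(authData, cdJSON), sig)
}

// demoOriginBinding returns (direct login accepted, relayed login accepted). The second
// case models an AitM proxy on a look-alike origin forwarding the genuine (constructed) challenge.
func demoOriginBinding() (legit, phished bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ad, cd, sig := signAssertion(key, "bank.example", "https://bank.example", "constructed-challenge-1")
	legit = verifyAssertion(&key.PublicKey, "bank.example", "https://bank.example", "constructed-challenge-1", ad, cd, sig)
	ad, cd, sig = signAssertion(key, "bank.example", "https://bank-login.example", "constructed-challenge-1")
	phished = verifyAssertion(&key.PublicKey, "bank.example", "https://bank.example", "constructed-challenge-1", ad, cd, sig)
	return
}
```

Call demoOriginBinding from a main or test: the direct login verifies and the relayed one is rejected, which is the property no password or SMS code can offer, since those are just strings the proxy forwards unchanged.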

By embracing these innovative passwordless technologies, enterprises can significantly raise the bar for adversaries attempting to hack into their systems. Additionally, they liberate users from the burden of managing passwords, a responsibility users are eager to be free from. The adoption of FIDO-based authentication systems represents a crucial step forward in enhancing overall security and user convenience for organizations worldwide.

Given passwords remain a key feature for many businesses and even new gameshows, adopting a passwordless approach might appear a lengthy task for an organisation’s cybersecurity team. However, adopting the passwordless authentication approach is crucial for any company that seeks to have full protection through a robust security strategy. Remove passwords and you remove the weak link in your defense.

