Passwords Aren’t as Secure as You Think
Passwords are the most commonly used form of authentication. In practice, however, they end up being the least effective one.
Security and accountability are closely related. To hold a person accountable for his or her actions, an organization needs strong authentication, so that every access decision and every audit record is tied to a verified identity rather than to a user name anyone could type.
Auditing is the recording of events: the activities of the system, its resources, and its users.
This creates a log of everything that took place within the computer network and, to some extent, within the organization's facility during a specific period of time. Only through a recording of events that have occurred is it possible to evaluate user activity for compliance or violations.
Authentication is the verification that a specific person is who he or she claims to be.
In most cases within a computer network, authentication is used to link a specific person to a specific user account. When a person attempts to log on, they claim an identity (the user name) and offer proof of that claim (most often a password).
Authorization is the assignment of rights, permissions, and privileges to users that enable them to accomplish their assigned work tasks.
Authorization is also the prevention or denial of access to any resource or activity that is not granted to a user. Every user will have their own unique, custom, and focused set of access boundaries.
Of these three essential security services, authentication is the most important. Failing to prove a solid and unassailable link between a digital identity (i.e., a user account) and a person prevents us from holding someone accountable for the recorded actions of a user account.
Without strong authentication, it is difficult to hold someone accountable.
Most organizations and services rely only on passwords for authentication.
When a single-factor mechanism is used, especially when that one factor is a password, a single successful attack against the account, the person, or the password itself is all an attacker needs to impersonate the victim and log in as them.
Here are just some of the ways hackers obtain passwords:
- Password guessing
- Discovering re-used passwords
- Brute force attacks
- Plain text user database theft
- Credential spraying
- Lost backup tapes
- Social engineering
- Shoulder surfing
- Infrared heat detection on keypads
- Keystroke logging
- Phishing attacks
- Web spoofing attacks
- DNS pharming attacks
- Session hijacking
- Network traffic sniffing
- On-path attacks
Whether you have a short and simple password or a long and complex password, many of these attacks are just as successful against both. There is not a reliable means of password selection and use that can avoid all possible means of password compromise.
You should consider password-only authentication insecure, problematic, and insufficient.
Most organizations leave password selection up to the end-user.
Most end users pick passwords that are easy for them to remember. The fact that a password is easy to remember makes it a password that is also easier to guess, discover, or crack.
Even with good recommendations for password creation, most users do only the minimum the rules require, and they treat the minimums as if they were the whole specification, which gives the attacker an edge. If your policy requires two uppercase letters, most users will use exactly two, even though nothing stops them from using more. Attackers study this behaviour and use it to improve the success of their password attacks.
Common or "standard" password security policies, guidelines, and training do not help against modern password cracking techniques and tools.
Forcing users to include one or two uppercase letters, digits, and symbols, or to reach a specific minimum length, can actually make compromise slightly easier.
If an attacker knows your company's password policy, every candidate that does not satisfy it (no uppercase letter, too few characters) can be discarded before it is ever hashed, which shrinks the search to exactly the space your users are confined to.
Too many real-world passwords have been hacked.
Hackers have an overwhelming amount of knowledge about general password rules, guidelines, and selections. This insight into how we, as general computer and internet users, select passwords makes password cracking easier and faster.
Hackers have compromised thousands of company networks and popular online services. Many of these compromises have granted hackers either direct or delayed access to user passwords.
Direct access to user passwords occurs when user account credentials are stored in a cleartext form. Once the user database is accessed, all of the user passwords are directly available.
Delayed access occurs when the credentials are stored in a hashed, encrypted, or otherwise semi-protected form, so the attacker must first crack them. Cracking can succeed almost immediately (minutes to hours when the passwords are weak or the hashes are fast and unsalted) or take considerable effort (weeks or months when the passwords are strong and the hashes are salted and deliberately slow).
Generally, hackers will continue to crack passwords until something more promising comes along, and they need their resources for something else.
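To make the difference between direct and delayed access concrete, here is an added example (not code from the article) that stores the same small set of accounts three ways, runs a dictionary attack against each copy, and counts the hash computations the attack needed. The accounts, the wordlist, and the iteration count are constructed for the example; real deployments use iteration counts in the hundreds of thousands or a memory-hard function such as scrypt or Argon2.

```python
"""Added example (not from the article): why "direct" and "delayed" access
to a stolen user database differ so much in attacker effort.

The same four accounts are stored in cleartext, as unsalted SHA-1 hashes,
and as salted PBKDF2-HMAC-SHA256 hashes. A dictionary attack is run against
each copy and the number of hash computations it needs is counted.
"""
import hashlib
import os

# Constructed sample accounts; bob and carol reuse the same password.
USERS = {
    "alice": "Summer2023!",
    "bob": "P@ssw0rd",
    "carol": "P@ssw0rd",
    "dave": "correct horse battery staple",
}

# Constructed wordlist; a leaked-password corpus would hold billions.
WORDLIST = ["123456", "password", "P@ssw0rd", "Summer2023!", "letmein"]

# Kept tiny so the example runs in well under a second (assumption for
# the demo only; production values are far larger).
ITERATIONS = 1_000


def store_cleartext(users):
    """Cleartext storage: the stolen database is the password list itself."""
    return dict(users)


def store_unsalted_sha1(users):
    """Fast unsalted hash: identical passwords produce identical hashes."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def store_salted_pbkdf2(users):
    """Per-user random salt plus an iterated KDF: every guess is expensive
    and has to be recomputed separately for every user."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(16)
        table[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ITERATIONS))
    return table


def crack_cleartext(table):
    """Direct access: nothing to crack. Returns (recovered, hash_operations)."""
    return dict(table), 0


def crack_unsalted(table, wordlist):
    """Delayed access, cheap variant: hash the wordlist once, then look every
    stored hash up in that table. Cost is one hash per word, however many
    users the database holds."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    recovered = {u: lookup[h] for u, h in table.items() if h in lookup}
    return recovered, len(wordlist)


def crack_salted(table, wordlist):
    """Delayed access, expensive variant: the salt defeats the shared lookup
    table, so every (user, word) pair costs ITERATIONS hash computations."""
    recovered, work = {}, 0
    for u, (salt, digest) in table.items():
        for w in wordlist:
            work += ITERATIONS
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, ITERATIONS) == digest:
                recovered[u] = w
                break
    return recovered, work


def compare(users=USERS, wordlist=WORDLIST):
    """Run all three attacks; return {storage: (recovered_count, work)}."""
    direct = crack_cleartext(store_cleartext(users))
    fast = crack_unsalted(store_unsalted_sha1(users), wordlist)
    slow = crack_salted(store_salted_pbkdf2(users), wordlist)
    return {
        "cleartext": (len(direct[0]), direct[1]),
        "unsalted_sha1": (len(fast[0]), fast[1]),
        "salted_pbkdf2": (len(slow[0]), slow[1]),
    }


if __name__ == "__main__":
    for storage, (n, work) in compare().items():
        print(f"{storage:14s} recovered {n} of {len(USERS)} passwords "
              f"with {work} hash computations")
```

With the constructed data the cleartext copy gives up all four passwords for free, the unsalted SHA-1 copy gives up three of them after only five hash computations (and reveals that bob and carol share a password before any cracking at all, because their hashes are identical), while the salted PBKDF2 copy needs 15,000 computations for the same three and would need orders of magnitude more at production iteration counts. That gap is the "hours versus months" range the text describes.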
Hackers Use Databases of Passwords to Breach Accounts
Over the years, hackers have learned the passwords of billions of user accounts. Many of these are duplicates, like 1234567 or P@ssw0rd.
Billions of unique passwords are now available to attackers. For short passwords, nearly every combination of keyboard characters is already on the list, and the collection also contains passwords of 20 or more characters.
The easy-to-remember passwords are already in these dump databases and dictionary lists used by attackers.
These password sets are used in credential stuffing attacks, where stolen user name and password pairs are replayed against other sites, services, and locations. If your password happens to be in that corpus of exfiltrated passwords, your account is secured no better than a combination lock left at 0000.
If you happen to have selected a password that is on this list, then if/when a hacker attempts to crack your password, success is all but guaranteed.
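The practical check for "is my password already in one of these lists" is to compare it against a breach corpus without ever sending the password anywhere. Below is an added example (not code from the article) of the k-anonymity range lookup used by the Pwned Passwords service: hash the password with SHA-1, send only the first five hex characters, receive every known suffix for that prefix, and compare locally. The range response here is constructed inline so the example runs offline; a real client would fetch https://api.pwnedpasswords.com/range/<prefix> (that URL and response format come from the service's published API, not from the article, and the count shown is illustrative).

```python
"""Added example (not from the article): checking a password against a
breach corpus using a k-anonymity range query, with the network response
replaced by a constructed stand-in so the example runs offline.
"""
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range protocol compares on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (prefix, suffix): only the 5-character prefix leaves the client."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.
    Tolerates CRLF line endings and blank lines."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


# Constructed stand-in for the range endpoint. SHA-1("password") begins
# with 5BAA6, so that prefix's response contains its real suffix; the
# second suffix and both counts are made up for the example.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "00A17B3C9D5A9E1F2E8C7B6A5D4C3B2A1F0:2\r\n",
}


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP GET of /range/<prefix>; returns the body."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str) -> int:
    """How many times the password appears in the (constructed) corpus.
    Zero means 'not found in this corpus', not 'strong'."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple xyzzy"):
        print(f"{pw!r}: seen {breach_count(pw)} times")
```

Two points worth keeping in mind when wiring this into a real signup or password-change flow: the comparison must be done on the full suffix, never on the prefix alone (every prefix matches hundreds of suffixes), and a zero result only says the corpus does not contain the password, which is necessary but not sufficient for it to be a good one.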
Why is this large database of passwords so important to us?
It reveals just about every conceivable trick or pattern or clever mechanism used by users.
How people try to create strong passwords:
- Alternating the case of every other letter
- Walking a pattern across the keyboard (qwerty, 1qaz2wsx)
- Using words spelled backward
- Replacing certain letters with numbers or symbols
- Uppercasing only the first letter
- Adding numbers or symbols only at the end of a base word
If the habits users follow when generating or selecting passwords are all known, it is close to impossible for a typical user to pick a password that is both memorable and strong enough to resist cracking.
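The list of habits above and the earlier point about composition policies are two halves of the same attack, so here is one added example (not code from the article) covering both: a small mangling-rule engine that turns base words into exactly the "clever" variants listed (alternating case, reversal, leet substitutions, capitalized first letter, digits and symbols appended at the end), and a policy filter that discards every candidate a known composition rule would have rejected before it is hashed. The base word, the policy, and the target hash are constructed for the example; real attacks use wordlists of millions of leaked passwords and rule sets with thousands of entries, the same idea as hashcat or John the Ripper rules.

```python
"""Added example (not from the article): generating password candidates
from common user habits and pruning them with a known composition policy.
"""
import hashlib
import itertools

# Letter substitutions users reach for (constructed subset).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Constructed policy: 8+ chars, at least one upper, one digit, one symbol.
POLICY = {"min_len": 8, "upper": 1, "digit": 1, "symbol": 1}

# Constructed target: an unsalted SHA-1 of a "policy-compliant" password.
TARGET = hashlib.sha1(b"Password2024!").hexdigest()


def leet(word):
    return "".join(LEET.get(c, c) for c in word)


def alternate_case(word):
    """'pAsSwOrD': the alternating-case habit."""
    return "".join(c.upper() if i % 2 else c.lower() for i, c in enumerate(word))


def mangle(base):
    """Yield the variants a typical user considers 'strong'."""
    forms = {
        base,
        base.capitalize(),          # uppercase only the first letter
        base.upper(),
        alternate_case(base),
        base[::-1],                 # word spelled backward
        leet(base),                 # letters swapped for digits/symbols
        leet(base).capitalize(),
    }
    # Digits and symbols only ever appended at the end.
    suffixes = ["", "1", "123", "!", "1!", "2023", "2023!", "2024", "2024!"]
    for form, suffix in itertools.product(sorted(forms), suffixes):
        yield form + suffix


def compliant(pw, min_len=8, upper=1, digit=1, symbol=1):
    """True if pw satisfies the composition policy."""
    return (len(pw) >= min_len
            and sum(c.isupper() for c in pw) >= upper
            and sum(c.isdigit() for c in pw) >= digit
            and sum(not c.isalnum() for c in pw) >= symbol)


def candidates(bases, policy=None):
    """All mangled candidates; with a policy, only the ones it would accept."""
    for base in bases:
        for pw in mangle(base):
            if policy is None or compliant(pw, **policy):
                yield pw


def crack(target_sha1, bases, policy=None):
    """Return (password, guesses_tried) or (None, guesses_tried)."""
    tried = 0
    for pw in candidates(bases, policy):
        tried += 1
        if hashlib.sha1(pw.encode()).hexdigest() == target_sha1:
            return pw, tried
    return None, tried


if __name__ == "__main__":
    total = len(list(candidates(["password"])))
    kept = len(list(candidates(["password"], POLICY)))
    print(f"{total} candidates from one base word, {kept} survive the policy")
    print("without policy:", crack(TARGET, ["password"]))
    print("with policy:   ", crack(TARGET, ["password"], POLICY))
```

From the single base word "password" the rules produce 63 candidates; telling the engine the policy cuts that to 18, and the target falls on guess 15 instead of guess 27. Multiply by a wordlist of millions and a rule set of thousands and the policy knowledge is a large, free speed-up for the attacker, which is exactly why the composition rules do not help.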
To help prevent hackers from accessing accounts, it’s important to uphold strong best practices and standards to strengthen passwords and security overall. See this article on 10 Steps to Better, Stronger Passwords to learn more.