It’s the tenth anniversary of World Password Day which means that there’s going to be an avalanche of well-intentioned advice this week about how to make passwords more secure. The problem is that passwords are never going to be secure.
No matter how long a password is, or which characters it includes, that will not stop cybercriminals from stealing it, or buying it on the dark web, and simply logging in to the account. It’s not clever or complex to do – and to make things worse there are 921 password attacks every second.
It’s easy to steal long passwords
Just to be clear, there is no such thing as a “strong or secure password.”
Password length and strength only matter if the bad guys are using brute-force tactics to crack passwords – using a computer to try combinations of characters and numbers until it finds the correct match. Some will recall the password strength chart showing it would take billions of years to crack a 12-character password made up of upper- and lower-case characters, numbers and special characters. Unfortunately, this is not how adversaries gain access to your password. They use a mix of social engineering techniques to fool users into supplying their passwords to them directly. Or they deploy malware on the endpoint, or use attacker-in-the-middle (AitM) techniques, to intercept passwords while they are in the clear. Malware doesn’t care about the length of a password: it can steal a four-thousand-character password as easily as it picks up one made of only four numbers or letters.
What about Password Managers?
Password Managers have grown in popularity because they take away from users the responsibility for creating and remembering unique passwords for many applications and services. On the upside, they do prevent attackers from using one set of stolen credentials for multiple accounts.
The downside is that Password Managers don’t stop attacker-in-the-middle attacks or malware at the endpoint. The login flow for the user doesn’t change; the only difference is that it’s the Password Manager generating the characters, letters and numbers that make up the password. Also, this approach does not defend against a social engineering attack, because unsuspecting users are still prone to opening their Password Manager and simply giving away the relevant information.
Another big disadvantage is that they concentrate the risk for users – and the reward for hackers. If an attacker steals the main password from the Password Manager vendor, they have access to all customer credentials in one fell swoop. This issue was highlighted in December 2022 when LastPass released details of how hackers had managed to access backups of their customer data.
Employees aren’t security specialists
Despite the issues with Password Managers, the premise of taking away responsibility for security from end users when accessing applications and systems is a sound one. Passwords have long been a primary target for threat actors and are the weakest link in an organisation’s security chain. Security teams often require employees or customers to create and remember longer, more complicated passwords and require frequent password changes. Burdening employees with such a vital element of business security is unreasonable, unworkable and a proven failed strategy.
Finding an alternative and effective approach would dramatically reduce businesses’ attack surface, as CrowdStrike’s 2023 Global Threat Report made clear. It reports that adversaries use compromised credentials as the initial attack vector in more than 75% of all attacks.
Is MFA the answer?
On the face of it, multi-factor authentication (MFA) seems to be a good solution for password vulnerability. It removes the reliance on a single password created by the user and employs additional factors to better verify legitimate users. However, first-generation MFA relies on easily phished factors such as one-time passwords or links sent via email or SMS. Other first-generation solutions employ push notifications. Attackers have access to multiple free tools and, more recently, paid phishing-as-a-service offerings that steal passwords, other authentication factors, or even session tokens, allowing them to easily bypass first-generation MFA.
Attackers also use “prompt bombing” attacks – sending multiple authentication requests to generate multiple push notifications that users, unfortunately, often say yes to. What’s needed is a solution that does not depend on passwords and cannot be phished. It may come as a surprise to know that this technology is already available in the form of passwordless, phishing-resistant, multi-factor authentication which makes it virtually impossible for attackers to access accounts and systems as it does not use traditional log-in methods.
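A prompt-bombing burst is visible in MFA push logs before the user gives in, so it is worth alerting on. The following detector is an added example, not code from the original article or any MFA vendor; the log format and the user names are constructed, and the threshold (more than three prompts in five minutes) is an assumed starting point to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-MFA log (not from any real product):
# "<ISO timestamp> user=<name> event=push_<sent|denied|approved>"
SAMPLE_LOG = """\
2023-05-04T08:00:01 user=alice event=push_sent
2023-05-04T08:00:02 user=alice event=push_approved
2023-05-04T08:10:00 user=bob event=push_sent
2023-05-04T08:10:05 user=bob event=push_denied
2023-05-04T08:10:20 user=bob event=push_sent
2023-05-04T08:10:25 user=bob event=push_denied
2023-05-04T08:10:40 user=bob event=push_sent
2023-05-04T08:10:50 user=bob event=push_sent
2023-05-04T08:11:00 user=bob event=push_sent
2023-05-04T08:11:30 user=bob event=push_approved
"""

def parse(line):
    ts, user, event = line.split()
    return (datetime.fromisoformat(ts),
            user.split("=", 1)[1], event.split("=", 1)[1])

def detect_prompt_bombing(log_text, max_prompts=3, window=timedelta(minutes=5)):
    """Return {user: detail} for every user who received more than
    `max_prompts` push prompts inside a sliding `window`. The detail records
    earlier denials and whether the user approved after the burst, which is
    the 'fatigue' outcome a responder most wants to know about."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse(line)
            events[ev[1]].append(ev)
    alerts = {}
    for user, evs in events.items():
        sent = [ts for ts, _, name in evs if name == "push_sent"]
        for i, start in enumerate(sent):
            burst = [t for t in sent[i:] if t - start <= window]
            if len(burst) > max_prompts:
                approved_after = any(name == "push_approved" and ts >= burst[-1]
                                     for ts, _, name in evs)
                denials = sum(1 for _, _, name in evs if name == "push_denied")
                alerts[user] = {"prompts": len(burst), "denials": denials,
                                "approved_after_burst": approved_after}
                break  # one alert per user is enough
    return alerts
```

On the constructed log, alice's single prompt is ignored while bob's five prompts, two denials and final approval are flagged; an approval after repeated denials is the case to treat as a likely compromised session.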
Passwordless technology is ready
Today organisations can switch to a modern, secure, phishing-resistant MFA that leverages a combination of biometrics and passkeys based on the Fast Identity Online (FIDO) standards. The FIDO Alliance is an open industry association focused on setting authentication standards to help reduce the world’s over-reliance on passwords. It promotes the development of, use of, and compliance with standards for authentication and device attestation.
The FIDO Alliance is working to change the nature of authentication with open standards that are more secure than passwords, simpler for consumers to use, and easier for service providers to deploy and manage.
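What makes a FIDO passkey phishing-resistant, in contrast to the relayed one-time codes and push approvals described earlier, is that the browser binds every assertion to the site's origin and the authenticator binds it to the relying party ID, and the server checks both against what it expects. The following is an added illustration of those relying-party checks, not code from the article or from the FIDO Alliance; `make_assertion` is a constructed stand-in for the browser and authenticator, the example challenge and origins are made up, and signature verification over `signed_bytes()` with the stored public key (plus the sign-counter check) is left to a real WebAuthn library.

```python
import hashlib, json, secrets
from dataclasses import dataclass

@dataclass
class Assertion:
    client_data_json: bytes    # built by the browser: type, challenge, origin
    authenticator_data: bytes  # rpIdHash(32) | flags(1) | signCount(4)

def make_assertion(origin, rp_id, challenge, user_present=True):
    """Constructed stand-in for browser + authenticator. A phishing page can
    only ever get an assertion whose origin is its own, never the real site's."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge, "origin": origin},
                             separators=(",", ":")).encode()
    flags = (0x01 if user_present else 0x00).to_bytes(1, "big")   # UP bit
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + flags
                 + (7).to_bytes(4, "big"))                         # sign count
    return Assertion(client_data, auth_data)

def signed_bytes(a):
    """Exactly what the authenticator's private key signs."""
    return a.authenticator_data + hashlib.sha256(a.client_data_json).digest()

def verify_assertion(a, expected_rp_id, expected_origin, issued_challenge):
    """Relying-party checks from WebAuthn assertion verification.
    Returns (ok, reason); the signature check is assumed to follow."""
    cd = json.loads(a.client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not secrets.compare_digest(cd.get("challenge", ""), issued_challenge):
        return False, "challenge mismatch (replay or stale session)"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch (assertion was made for another site)"
    if a.authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not a.authenticator_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"
```

An OTP relayed through a look-alike site carries no such origin, so the server cannot tell it was phished; the assertion from a look-alike origin above is rejected before any signature is even checked.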
By adopting new passwordless technologies enterprises can make it much more difficult for adversaries to hack into their businesses and additionally relieve users from the responsibility of managing passwords, a burden they are happy to shed.
At the moment, what makes it confusing for organisations looking for advice on security is that official government guidance is out of date regarding MFA and the availability of passwordless technology. The focus remains on using long passwords and securing them with first-generation MFA and Password Managers. In fact, there is no mention of the advances in phishing-resistant MFA and passwordless technology in the latest information from the National Cyber Security Centre, published in 2018. It still encourages organisations to invest in old technologies that are no longer fit for purpose and have been superseded by more effective solutions. This needs an urgent update, as the take-up of modern MFA needs to be widespread to rapidly shrink the opportunities that criminals are exploiting.
So, what shall we celebrate now?
Each year, we ‘celebrate’ World Password Day, and then cybercriminals continue to exploit password-based authentication. So, ask yourself why wouldn’t you want a passwordless future and to shut the proverbial front door that adversaries use in the vast majority of attacks? Instead, think of today as ‘World Password-less Day’ and start the journey to get rid of the single largest vulnerability facing your organisation.