Why passwords alone are not enough
With the rise in phishing and social engineering techniques, even a hard-to-crack password is not enough to combat the risk of compromised user accounts according to Steve Manzuik.
Steve Manzuik, director of research, Duo Security
When it comes to cyber-security, the adage about only being as good as your weakest link certainly holds true. For all the investments we can make in prevention and protection, from firewalls to SIEM, centralised controls and pen testing, if a hacker gains access to your password – and this is the last line of defence between the user and their account – then all bets are off.
One of the more sobering facts to have emerged from recent security reports was that a massive 95 percent of breaches involve stolen credentials*. There's been a continued rise in phishing scams and social engineering techniques used to gain access to users' credentials, and even a hard-to-crack password is not enough to combat the risk of compromised user accounts. Try as we might to make them complex and impenetrable, the determined hacker can, and will, gain access to a user's account through their password. So, whilst news of the death of the password may have been exaggerated, we simply can't rely on the password-only approach. To make sure that your business' confidential information stays secure, we need to make life harder for the hacker. The other reality is that hackers will usually choose the easiest target, one that doesn't require much effort, time, or 'nous'.
Password-only should be a thing of the past
Despite all the advancements we've made in cyber-security over the past few years, passwords on their own, as a method of authentication, access or proof of identification, simply aren't enough. The evidence for this is all around us, in the form of high-profile and widely publicised data breaches. Data leaks and security lapses as a result of weak or stolen passwords occur all too frequently: in September last year, hackers were able to crack 11.2 million user passwords from the dating website Ashley Madison, then proceeded to publish the most popular passwords online. In October 2015, login details for British Gas customers were published online – although British Gas denied it had been hacked, there was speculation that phishing was involved in gaining access to this information. It's a huge problem that's so easily remedied.
Lapses can simply be down to user error, which increases the risk of a password falling into the wrong hands; a recent survey showed that 44 percent of Internet users** have shared their passwords with somebody or left them visible for people to see. And we know that weak passwords and the reuse of passwords are common mistakes people make when they run into the problem of trying to remember numerous passwords across all the different sites they visit.
Tools are readily available for purchase that even the most amateur hacker can use; password-busting is not the realm of a few genius code-crackers. Software like Hashcat is so powerful that a single machine can make 350 billion guesses per second against your password. This is code-cracking on an industrial scale.
The most practical way to remedy this issue is to use password managers, which take care of the problem of having to memorise a list of passwords, and then to strengthen security by adding a hurdle for attackers through a second layer of authentication. The challenge, however, is that we don't want to slow workers down or make the authentication process unnecessarily onerous. Hardware tokens or keyfobs are easy to lose and costly to replace, and most users find them a hassle to use daily. We have to find ways for users to access any device and any application, from any environment, in a way that doesn't impede their productivity, yet which provides the assurance that only authenticated users are granted access.
Two-factor authentication has made great strides forward since the days of hard tokens, and some solutions now provide one-tap authentication on your users' smartphones. Users just enter their username and password, approve the login request on their mobile phone with the push of a button, and can then gain access to the application. The key is ease of use, so that users don't feel hampered by cumbersome processes. Additionally, enterprises need to be up and running quickly, and these cloud-based two-factor solutions are quick to deploy and easy to manage for administrators and IT teams.
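To make the two-step flow described above concrete, here is an added example of a minimal server-side login service that requires a password check and then an out-of-band approval before granting access. This is illustrative code written for this page, not code from the article or from Duo Security; the user record, the iteration count and the `push_approval` callback (which stands in for the phone prompt so the example runs offline) are all assumptions. It also shows the two defender-side details that matter most here: the password is stored with a slow, salted key-derivation function, and a pending approval is single-use and expires, so a stolen password on its own still does not complete a login.

```python
"""Two-step login: password (first factor), then out-of-band approval (second factor).

Added example; not code from the article or from Duo Security. The push
approval is simulated by a callback so the flow runs offline.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

PBKDF2_ITERATIONS = 200_000   # assumption: slow hashing makes offline guessing expensive
CHALLENGE_TTL_SECONDS = 60    # assumption: a pending approval is only valid briefly


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the cost is the point, not the algorithm choice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_user(username: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username, salt, hash_password(password, salt))


def check_password(user: User, password: str) -> bool:
    # Constant-time comparison so response timing does not leak matching bytes.
    return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))


@dataclass
class Challenge:
    username: str
    created: float


class LoginService:
    def __init__(self, users, push_approval):
        self._users = {u.username: u for u in users}
        # Hashing a throwaway record for unknown usernames keeps timing uniform.
        self._dummy = create_user("__dummy__", secrets.token_hex(8))
        self._push_approval = push_approval   # callback: (username, token) -> bool
        self._pending = {}                    # token -> Challenge, single use

    def first_factor(self, username: str, password: str):
        """Return a challenge token if the password is right, else None."""
        user = self._users.get(username, self._dummy)
        if not (check_password(user, password) and username in self._users):
            return None
        token = secrets.token_urlsafe(16)
        self._pending[token] = Challenge(username, time.monotonic())
        return token

    def second_factor(self, token: str) -> bool:
        """Consume the token; succeed only if it is fresh and the device approves."""
        ch = self._pending.pop(token, None)   # pop: a token cannot be replayed
        if ch is None:
            return False
        if time.monotonic() - ch.created > CHALLENGE_TTL_SECONDS:
            return False
        return bool(self._push_approval(ch.username, token))

    def login(self, username: str, password: str) -> bool:
        token = self.first_factor(username, password)
        return token is not None and self.second_factor(token)


if __name__ == "__main__":
    # Constructed demo: the device approves only while the user expects a prompt.
    alice = create_user("alice", "correct horse battery staple")
    expecting_prompt = {"alice": True}
    svc = LoginService([alice], lambda user, tok: expecting_prompt.get(user, False))
    print("legitimate login:", svc.login("alice", "correct horse battery staple"))
    expecting_prompt["alice"] = False          # user is not logging in; phone prompt declined
    print("stolen password, declined on phone:", svc.login("alice", "correct horse battery staple"))
```

A declined or ignored prompt is itself a signal worth alerting on: a correct password paired with an unexpected approval request is exactly the pattern the article's phishing statistics describe, so logging failed second-factor attempts gives the security team early warning that a credential has leaked.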
Whilst passwords are still important, a password-only security approach can leave you vulnerable to stolen credentials or more sophisticated password-busting software. That's a risk that's simply not worth taking.
Contributed by Steve Manzuik, Director of Research, Duo Security