While there is no evidence of these unprotected passwords being discovered or misused by hackers, this isn't to say these credentials haven't found their way onto the Dark Web. By continuing to support an outdated, insecure, and ineffective authentication paradigm, organisations everywhere are exposing themselves and their customers to wholly preventable cyber-risk.
The Twitter revelations broke, ironically enough, on World Password Day — an event which itself is symptomatic of our failure to upgrade and move on. Isn't it time we consigned passwords once and for all to the dustbin of history? Far more secure and effective alternatives already exist to protect your data and reputation and preserve customer trust. Twitter offers two-factor authentication but is a prime example of companies not enforcing this level of security as a standard and why it remains under-utilised.
A digital relic
Bill Gates famously predicted the death of the password all the way back in 2004. He claimed the traditional username-password combination could not “meet the challenge” of keeping critical systems secure. Fast forward 14 years and little has changed, aside from the fact that far more secure and robust methods of authenticating users now exist and are widely available.
The Twitter incident illustrates perfectly the problems we currently face as an industry. It's believed an internal bug led to passwords being stored unencrypted in an internal log. No-one is thought to have accessed these illegally, but the firm recommended a reset “out of an abundance of caution”. It could have saved itself and its users a lot of pain and worry by migrating them all to newer authentication systems.
Passwords are a relic from an age in which the sun has long since set. The bottom line is that they can be quite easily cracked, hacked and guessed today to compromise not only your customers but also internal accounts. While the former is concerning, the latter could have devastating consequences if hackers manage to infiltrate corporate systems and gain access to sensitive IP and customer data.
The weakest link
Users will always be your weakest link. With so many passwords to remember across numerous business and personal online accounts, the default behaviour is to reuse the same credentials across multiple accounts and to make them as easy as possible to remember. A recently discovered dark web trove of 1.4 billion breached passwords found the most popular choice was “123456”, used over 9.2 million times. Second place? Well, that went to “123456789”, which was used more than 3.1 million times.
If they don't try to guess your users' credentials, online attackers could use dark web intelligence collected from previous breaches to crack accounts, trying hundreds of passwords and combinations per minute to gain access. Password reuse remains a major problem and is a hacker's dream. Once leaked from an insecure site, a user's credentials can be bought online and then reused elsewhere. More targeted attacks use spear-phishing techniques to simply trick privileged users into handing over their logins, thinking they're accessing an official portal or site.
Don't think your IT team is immune: Intercede research found that 86 percent of systems administrators in UK firms use basic username and password authentication to protect sensitive data, and 20 percent don't even bother with a complex password.
Too big to ignore
Once inside, attackers could pivot to customer databases or stores of sensitive IP. Some of the biggest and most damaging breaches of recent times started with a compromised password. US retailer Target (110 million customers), the Office of Personnel Management (21.5 million federal employees) and Uber (57 million users) are just a few.
That's not to mention the impact of password breaches on customers. Identity fraud is on the rise and consumers are increasingly holding the organisations they do business with to account. A study from last year claimed that over a quarter of UK adults have boycotted companies that mishandled their data.
If this wasn't enough, new EU regulations, the GDPR and the NIS Directive, came into force last month and mandate that organisations put in place best-practice cyber-security: that should mean an end to password-only authentication.
Time to switch
The message of World Password Day this year was to “layer up” by adding multi-factor authentication (MFA) to traditional passwords. But in many ways, this is missing the point: we should be migrating from passwords altogether. To do otherwise is confusing for users and can lead to gaps in implementation which will still leave organisations exposed. After all, how many users had Twitter's voluntary two-factor authentication switched on?
The challenge is getting organisations to make the leap to more robust authentication, and educating consumers on how to use the new technology. Passwords have been with us for so long it seems impossible to imagine a world without them. But that's what we need to do if we genuinely want to improve cyber-security. Maybe a good place to start would be to rename World Password Day as World MFA Day.
Contributed by Allen Storey, chief product officer at digital identity expert Intercede.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.