Passwords are widely regarded as the weakest and most vulnerable form of authentication in an increasingly tech-centric era. Security experts have warned for years that relying on a password as a user’s single, primary form of authentication is not secure enough, yet password use has continued to grow and remains the default method. This article discusses why passwords should ultimately be removed from your company’s working practices and advises how you can better secure your systems immediately.
A brief history of passwords
The idea of digital passwords was first presented by Fernando Corbató at the Massachusetts Institute of Technology in the 1960s. At the time, no one really knew the impact this idea would have on society and security in the years to come.
The idea came about when the Compatible Time-Sharing System (CTSS) was being developed and those involved wanted to prevent access to private files.
It took a while for passwords to be adopted by other applications/systems, but with attacks by ‘hackers’ becoming more frequent and devastating, the use of passwords started to become essential.
However, when computers began to be embraced by homes and offices, the weaknesses of passwords began to show…
Why are passwords becoming a thing of the past?
Passwords are considered, ironically, to be one of the biggest security vulnerabilities in the digital world. However, the main problem is not necessarily the method itself (restricting access to a system with a series of characters that only specific users should know); it is how passwords are stored and managed.
Some of the issues that security professionals identify with passwords are:
- They are stored in insecure locations, such as a sticky note attached to a monitor
- The password created is not complex or long enough and is therefore easier to guess or crack
- Users tend to create passwords from words related to themselves, e.g. children’s names or hobbies. These details are easier to guess and can be obtained by attackers through a number of methods, including social engineering
- When passwords are changed, the new password is often not significantly different from the previous one, for example just adding another digit to the end
What’s the alternative?
- Knowledge-based authentication (KBA) – These are simply questions the user must answer in addition to providing the usual password. However, the questions asked, and the answers given, are often personal, so the answers could be guessed by someone who obtains the information about the user, e.g. if the question relates to which school the person attended, this may be visible on their social media profiles for all to see
- One-time passcodes (OTPs) – OTPs can be text messages, emails or push notifications containing a code that the user enters in addition to a password, so they are a second form of authentication. The issue is that OTPs can be intercepted by man-in-the-middle or SIM swap attacks. They certainly increase the security of a password on its own, but they are not impervious to attack
- Authenticator apps – This is a popular method and one most people are familiar with. Apps like Duo or Microsoft Authenticator generate a new six-digit OTP every thirty seconds. Once the user enters an OTP it cannot be used again, and if an attacker does somehow obtain an OTP, they must enter it within the thirty-second window. Cyber criminals can potentially use SMS vulnerabilities to reroute texts and expose OTPs, but you can disable any SMS authentication methods to prevent this from happening
- Security card/key – Examples include smart cards and security keys, which contain a chip that securely stores and exchanges data with readers and other systems. On the face of it this seems a very secure way of authenticating, but it falls down because it is a tangible item that can be lost or stolen
- Biometric authentication – This is potentially the most secure method of authentication, as it verifies a user’s identity based on unique physical attributes such as a fingerprint or face. This is not something you should be able to lose or replicate. However, biometric authentication is not available for all applications/systems, or it may require specialised and expensive equipment. Cyber criminals are also finding ways of stealing biometric information, for example by taking photos of fingerprints
- Certificates – Certificate-based authentication is another good way of authenticating, as it uses the digital signature of a device/entity and a public key certificate to set up a cryptographic link. However, you would need to implement a Public Key Infrastructure (PKI) in your environment or use a managed PKI for this
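The authenticator-app behaviour described above (a six-digit code per thirty-second step, accepted only once and only within its window) is the TOTP scheme of RFC 6238. The following is an added example, not code from the original article or from any of the apps it names; the server-side verifier and its replay check are a simplified illustration, and the secret in the test is the RFC’s own test vector.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # time step in seconds, as described in the article
DIGITS = 6   # six-digit codes


def totp(secret_b32: str, for_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(for_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side: a code is accepted only in its own step and only once.

    Keeping the highest counter already accepted is what makes a captured
    code useless after it has been used, even inside the thirty-second window.
    """

    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.last_counter = -1  # highest time-step counter already redeemed

    def verify(self, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        counter = int(now) // STEP
        if counter <= self.last_counter:
            return False  # replay: this step (or an earlier one) was already used
        expected = totp(self.secret, now)
        # constant-time comparison so a wrong digit cannot be detected by timing
        if not hmac.compare_digest(expected, code):
            return False
        self.last_counter = counter
        return True
```

Real deployments usually also accept the previous or next step to tolerate clock drift and rate-limit attempts, since a six-digit code has only a million possibilities.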
What should you do as a business?
Don’t rely solely on passwords
- Only use passwords when absolutely necessary and suitable e.g. access to guest Wi-Fi
- Look to implement some form of Multi-Factor Authentication in your company: the additional factor is likely to be more secure than a password on its own, and the extra layer makes it more difficult for attackers to exploit
- Implement Single Sign-On (SSO), which allows users to use one set of credentials to automatically log in to applications/systems. This reduces the number of passwords a user has to manage and provides instant access. However, it should be used in conjunction with another method of authentication, as it still technically involves the use of a password
Apply technical solutions
- Account lockouts after failed login
- Password complexity requirement policy
- Security monitoring
Ensure passwords are being protected
- Implement HTTPS for web apps to avoid interception
- Protect access management systems by restricting access as much as possible
- Don’t store passwords in plain text
- Change default passwords
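Two of the recommendations above, account lockout after failed logins and never storing passwords in plain text, can be combined in one credential store. This is an added example, not code from the original article; the iteration count, lockout threshold and lockout duration are assumed values, and the store is an in-memory stand-in for a real database.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to your hardware
MAX_FAILURES = 5              # assumed lockout threshold
LOCKOUT_SECONDS = 900         # assumed lockout duration


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, derived key). A fresh random salt per user defeats precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


class UserStore:
    def __init__(self):
        self.users = {}  # username -> {"salt", "key", "failures", "locked_until"}

    def register(self, username: str, password: str) -> None:
        salt, key = hash_password(password)   # only salt + derived key are stored
        self.users[username] = {"salt": salt, "key": key, "failures": 0, "locked_until": 0.0}

    def login(self, username: str, password: str, now: float = None) -> str:
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            hash_password(password, b"\x00" * 16)  # same cost, so timing does not reveal valid usernames
            return "invalid"
        if now < rec["locked_until"]:
            return "locked"   # refuse before doing any work on a locked account
        _, candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["key"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
            return "locked"
        return "invalid"
```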
Reduce amount of password management a user has to do
- Don’t implement regular password change
- Consider using password manager applications (with caution)
- Avoid sharing accounts/passwords between multiple users, but if this is the only option, make sure it is managed securely
Provide users with appropriate training
- The importance of keeping passwords secure
- How they can manage and reduce password management burden
- How MFA works
- Present the bigger picture of how security is essential nowadays