
Passwords are widely regarded as the weakest link in authentication in an increasingly tech-centric era. Security experts have warned for years that a password on its own, as a user’s single and primary form of authentication, is not secure enough, yet password use has grown and remains the default. This article discusses why passwords should ultimately be removed from your company’s working practices and what you can do right now to better secure your systems.

A brief history of passwords

The idea of digital passwords was first presented by Fernando Corbató at the Massachusetts Institute of Technology in the 1960s. At the time, no one really knew the impact this idea would have on society and security in the years to come.

The idea came about during the development of the Compatible Time-Sharing System (CTSS), when those involved needed to stop users reading each other’s private files.

It took a while for passwords to be adopted by other applications/systems, but with attacks by ‘hackers’ becoming more frequent and devastating, the use of passwords started to become essential.

However, when computers began to be embraced by homes and offices, the weaknesses of passwords began to show…

Why are passwords becoming a thing of the past?

Passwords are, ironically, considered to be one of the biggest security vulnerabilities in the digital world. The main problem is not the method itself (a series of characters that only a specific user should know) but how passwords are created, stored and managed.

Some of the issues that security professionals identify with passwords are:

  • They are stored in insecure locations such as a sticky note attached to your monitor
  • The password is not long enough or unpredictable enough and is therefore easier to guess or crack
  • Users tend to create passwords using words related to themselves, e.g. children’s names, hobbies etc. These details can be guessed or obtained by attackers through a number of methods, including social engineering and a look at the user’s social media
  • When passwords are changed, they are often not changed to anything significantly different from the previous one, such as adding another digit to the end of it
This is backed up by Verizon’s 2020 Data Breach Investigations Report, which found that over 80% of hacking-related breaches involved brute force or the use of lost or stolen credentials. More recently, the UK’s National Cyber Security Centre (NCSC) has published an article that reveals how vulnerable password use is and how often passwords are targeted.
 
It is becoming apparent that passwords should be replaced by something more secure, or at the very least, something should be done to improve the security and practicality of the current archaic password method.

What’s the alternative?

Throughout the years, many elements of technology have evolved and improved, including security, but unfortunately some aspects like passwords have fallen behind.
 
However, there are alternative methods available for securing your device or system, or at the very least for improving on the single-password method:
 
  • Knowledge-based authentication (KBA) – Security questions which the user answers in addition to the usual password. The questions asked, and the answers given, are often personal and therefore guessable or discoverable: if the question is which school the person attended, the answer may appear on their social media for all to see. Because it is still “something you know”, KBA is at best a weak fallback, not a genuine second factor
  • One-time passcodes (OTPs) – OTPs are codes sent by text message, email or push notification that the user enters in addition to a password, so they are a second form of authentication. They certainly improve on a password by itself, but they are not impervious to attack: codes sent over SMS can be intercepted through man-in-the-middle or SIM-swap attacks, and any code the user types into a phishing page can be relayed to the real site before it expires
  • Authenticator apps – A popular method most people are familiar with. Apps like Duo or Microsoft Authenticator generate a new six-digit code every thirty seconds from a secret shared with the service at enrolment (the TOTP standard, RFC 6238). A code is only valid for its thirty-second window, plus whatever small clock drift the server tolerates, and a well-implemented server refuses to accept the same code twice. Because the code never travels over SMS, attacks that reroute text messages do not expose it, so disable any SMS fallback once the app is enrolled. The remaining weakness is the same relay attack as above: a code typed into a phishing page can still be passed on to the real site within the window
  • Security card/key – Smart cards and hardware security keys contain a chip that holds a private key and performs the cryptographic exchange with readers, browsers and other systems; the key itself never leaves the device. Keys that implement FIDO2/WebAuthn also bind the login to the site’s origin, which defeats phishing. The drawback is that a tangible item can be lost or stolen, so the key should be protected by a PIN or biometric, and users need an enrolled backup and a process for revoking a lost key
  • Biometric authentication – Often presented as the most secure method, as it verifies a user’s identity from a physical attribute such as a fingerprint or face, which cannot be forgotten. However, it isn’t available for all applications/systems and may require specialised, expensive equipment. A biometric is also not a secret and cannot be changed once compromised: criminals have lifted fingerprints from photographs, for example. For this reason the biometric should unlock a key held on the device rather than be sent to the service itself
  • Certificates – Certificate-based authentication has the client prove possession of a private key (by signing a challenge from the server) while a certificate issued by a trusted certificate authority binds that public key to a device or user identity; TLS client certificates are the common example. It is strong and not phishable in the usual way, but you would need to implement a Public Key Infrastructure (PKI) in your environment or use a managed PKI, together with processes for issuing, renewing and revoking certificates
 
Whilst the above methods are certainly improvements on password-only logins, it should be made clear that they should form part of a multi-factor process (MFA/2FA); in other words, don’t rely on just one authentication method, but combine at least two of different types (something you know, something you have, something you are) to make it as difficult as possible for an attacker to get access to your device/system.
 
Password managers like LastPass or RoboForm are also proving popular amongst individuals and businesses. These are, in theory, encrypted vaults that hold all your passwords in one place. An application like this is certainly better than a piece of paper, and it makes long, unique, random passwords practical, but the vault and its master password become a single high-value target: if the manager does not have multiple layers of security in place, a dishonest individual who gets in has access to not one but many sets of credentials, as the Australian software house behind Passwordstate found out when a malicious update was pushed to its customers. Password managers also depend on the security of the endpoint they run on and of their own update channel, so protect the master password with a long passphrase and MFA, prefer managers that encrypt the vault on the client so the provider never holds the plaintext, and treat them with caution rather than as a guarantee.

What should you do as a business?

As it is unlikely you will be able to get rid of passwords completely at this stage, in the first instance you should at least consider the following:

Don’t rely solely on passwords

  • Only use passwords when absolutely necessary and suitable e.g. access to guest Wi-Fi
  • Look to implement some form of multi-factor authentication in your company: a second factor of a different type is both stronger than a password on its own and an extra layer an attacker has to defeat. Prefer phishing-resistant factors (security keys, certificates) over SMS codes where you can
  • Implement single sign-on (SSO) so users log in once with one set of credentials and are signed into applications/systems automatically. This reduces the number of passwords a user has to manage and provides instant access. It should be noted, however, that SSO concentrates risk in that one login, which still technically involves a password, so it must be used in conjunction with another method of authentication

Apply technical solutions

  • Throttle or temporarily lock accounts after repeated failed logins (a permanent lockout lets an attacker lock legitimate users out on purpose)
  • A password policy that enforces a minimum length and blocks common and previously breached passwords, rather than arbitrary complexity rules that push users towards predictable patterns
  • Security monitoring, including alerting on bursts of failed logins, lockouts and logins from unusual locations
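The first two bullets above as server-side logic, written as an added example for this article (not code from the original post): a password-acceptance check that enforces length, a deny list and the “don’t just bump the digit” rule described earlier, and a throttle that locks an account temporarily after repeated failures. The deny list is a constructed handful of entries for the demo; a real deployment would load a large list of common and breached passwords.

```python
import time
from typing import Dict, List, Optional

# Added example for this article (not the original post's code). MIN_LENGTH,
# the deny list and the lockout numbers are illustrative choices.

MIN_LENGTH = 12
DENY_LIST = {
    "password", "password1", "qwerty123", "letmein",
    "welcome1", "admin123", "iloveyou",
}
TRAILING_JUNK = "0123456789!@#$%^&*.?_-"


def _normalise(password: str) -> str:
    """Lower-case and strip trailing digits/symbols so that 'Summer2024!'
    and 'Summer2023!' compare equal."""
    return password.lower().rstrip(TRAILING_JUNK)


def is_trivial_variant(candidate: str, previous: str) -> bool:
    """True when the new password is the old one with a digit bumped or
    something tacked on the end."""
    new_n, old_n = _normalise(candidate), _normalise(previous)
    if len(old_n) < 4:  # previous password was nearly all digits/symbols
        return candidate.lower() == previous.lower()
    return new_n == old_n or old_n in candidate.lower()


def check_new_password(candidate: str, username: str,
                       previous: Optional[str] = None,
                       deny_list=DENY_LIST) -> List[str]:
    """Return the reasons a proposed password is rejected (empty list = accepted)."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in deny_list or _normalise(candidate) in deny_list:
        reasons.append("appears on the common-password deny list")
    if username and username.lower() in candidate.lower():
        reasons.append("contains the username")
    if previous is not None and is_trivial_variant(candidate, previous):
        reasons.append("too similar to the previous password")
    return reasons


class LoginThrottle:
    """Per-account failure counter with a temporary lockout.

    The lockout expires on its own: a permanent lockout would let an attacker
    deny service to any user simply by guessing wrong a few times.
    """

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def allowed(self, account: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now >= self._locked_until.get(account, 0.0)

    def record_failure(self, account: str, now: Optional[float] = None) -> bool:
        """Count a failed login; returns whether the account may still try."""
        now = time.time() if now is None else now
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account] = 0  # the next lockout counts afresh
            # This is the event that security monitoring should alert on.
        return self.allowed(account, now)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


if __name__ == "__main__":
    print(check_new_password("Password1!", "bob"))
    print(check_new_password("Summer-Holiday2024!", "alice", previous="Summer-Holiday2023!"))
    print(check_new_password("correct horse battery staple", "alice"))
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60)
    for t in (1000.0, 1001.0, 1002.0):
        print(throttle.record_failure("alice", now=t))   # True, True, False
    print(throttle.allowed("alice", now=1062.0))         # True: lockout has expired
```

Note that the throttle is keyed on the account, not the source IP, so it also slows credential stuffing from a botnet; pair it with an IP-based rate limit if you can.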

Ensure passwords are being protected

  • Implement HTTPS (TLS) for web apps so that credentials cannot be read in transit
  • Protect access management systems by restricting access to them as much as possible
  • Don’t store passwords in plain text, or with a fast hash such as MD5 or SHA-1: hash them with a salted, deliberately slow algorithm such as Argon2id, bcrypt, scrypt or PBKDF2
  • Change default passwords
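What “don’t store passwords in plain text” looks like in code, as an added example for this article (not code from the original post): each password is stored as a salted, deliberately slow PBKDF2-HMAC-SHA256 hash and a login attempt is checked against it in constant time. PBKDF2 is used here because it is in the Python standard library; Argon2id, bcrypt or scrypt are preferable where a library is available. The `algorithm$iterations$salt$hash` record format is an assumption made for the example, not any product’s format.

```python
import hashlib
import hmac
import os

# Added example for this article, not code from the original post.

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # OWASP's current guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Hash with a fresh random salt: the same password never yields the same record twice,
    so an attacker cannot precompute a table or spot users who share a password."""
    salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != ALGORITHM or iterations < 1:
        return False
    return hmac.compare_digest(_derive(password, salt, iterations), expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was made with weaker parameters and should be re-hashed
    at the user's next successful login (the only time the plaintext is available)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("correct horse battery stapler", record))  # False
    print(needs_rehash(record))                                       # False
```

Because the iteration count is stored in the record, you can raise `DEFAULT_ITERATIONS` as hardware gets faster and let `needs_rehash` upgrade old records one login at a time.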

Reduce the amount of password management a user has to do

  • Don’t enforce regular password changes; change a password when there is reason to believe it has been compromised
  • Consider using password manager applications (with caution)
  • Avoid sharing accounts/passwords between multiple users, but if this is the only option, make sure it is managed securely

Provide users with appropriate training

  • The importance of keeping passwords secure
  • How they can manage passwords and reduce the password management burden
  • How MFA works
  • The bigger picture of why security is essential nowadays

In addition to the above, the NCSC has published an article on what it recommends for your password policy. This is updated regularly, so please refer to it when needed.

Conclusion

Hardly a day goes by, it seems, without a company, no matter how big or small, falling victim to a cyber attack in which passwords were at the heart of the matter. With this in mind, and with security experts repeatedly lambasting the use of passwords, it is clear that a better authentication solution needs to become the new default.
 
Multi-factor authentication is certainly a step forward, but at the end of the day, traditional MFA doesn’t eliminate the most insecure factor in the login process: the password. MFA also adds friction to the authentication process and therefore impacts the user experience; the user may find MFA time consuming and frustrating to the point of affecting company productivity.
 
Ideally you want to phase out passwords completely, and one way to do this is to combine, for example, biometric and certificate-style (public-key) authentication, two of the strongest methods on paper: a private key held on the device, unlocked locally by a biometric or PIN, signs a challenge from the service. That combination is fundamental to the industry standard known as FIDO (Fast Identity Online). Until you can roll such a solution out across your applications, following the advice in this article will ensure you are not at the mercy of a single password being your only form of authentication. It will also hopefully help contribute to the ultimate phasing out of passwords altogether.
 
If you would like further advice or information on this subject, don’t hesitate to contact us.