Why is Authentication Such a Problem?
IT professionals are continually frustrated that so many security incidents still stem from the seemingly simple issue of weak passwords. But is it really so simple? Maybe not. Unpack the reasons behind the persistent use of “Password123” and you find, at their heart, high expectations for ease of use coupled with exaggerated faith in the security of the technology. That is at odds with what security professionals know: technology alone cannot protect our data. Even the strongest firewall depends on the personal accountability of the humans using the systems behind it.
The media is helping the IT industry bridge those conflicting perceptions by demonstrating, almost daily, the consequences of poor security practices. As security professionals, our job is to make sure that users do not simply throw up their hands in despair at the onslaught of breach stories, but instead see a clear path to simple actions they can take against the threat. Using strong authentication is perhaps the most critical of those actions.
What is Authentication?
Authentication is the process of verifying that someone is who they claim to be. It is closely related to, but distinct from, authorization: once a system has confirmed an identity, authorization decides what that identity may access, so that legitimate users reach the information they need and everyone else is kept out. Confirming someone’s identity is generally based on at least one of these three kinds of evidence (often called factors):
What you know
What is it? Login and Password or PIN.
Security Implications: Risky because a secret can be shared, guessed, phished or stolen, or broken by brute-force attacks (programs that try candidate passwords, from common words to every character combination, until one works). Most of the risk comes from which password the user chooses.
What you have
What is it? A physical device that generates one-time passwords or codes required to log in, in addition to a password or PIN. Can be a smart card, a chip, a hardware token or dongle, or an authenticator app on a smartphone.
Security Implications: Increases security because an attacker who learns the password still needs the device. The device can be forgotten at home, lost or stolen, and one-time codes can still be phished if the user types them into a fake login page; phishing-resistant hardware keys avoid that particular weakness.
Who you are
What is it? Biometric information like a fingerprint, voice or retinal scan.
Security Implications: Strong when implemented well, because biometric markers are unique to each person, always with you and never forgotten at home. But a biometric is not a secret: it cannot be changed if the stored template is stolen, some sensors can be fooled by copies, and the template must be protected carefully. It is also typically the most expensive type of system and can raise privacy concerns from users who do not want their biometric data stored.
The most common authentication method is What you know, which relies on credentials: a login (username) and a password. The login is often assigned to you (at work) or is simply your email address. The password, however, is usually left up to the user, and that is where one large risk lies.
Why Is Password Management So Important and Yet So Difficult?
Software systems are great for business. However, most businesses need several of them to capture all relevant information and keep everything organized, which means employees must log in to multiple systems every day just to do their jobs, on top of all the personal accounts and passwords a person likely has. Ideally, changing authentication systems would remove the need for passwords altogether, but many organizations are stuck with legacy systems whose only authentication option is a password.
Best practice dictates that each system should have its own long, complex password, unrelated to any other. But let’s be realistic. We are human, with bad habits, busy schedules and the work-arounds we use to stay sane. Memorizing one password and reusing it everywhere is a common work-around for people who have too many things to remember. When forced to create more than one, we pick passwords that are easy to craft and easy to remember . . . and easy to crack as well. So ease of use and having too much to remember are two root causes of poor password management.
What is Poor Password Management?
Poor password management refers to a combination of password-related decisions or tactics that put accounts at risk. This includes things like:
- Using overly simple, short, guessable or default passwords
- Saving passwords insecurely (e.g., on written notes or in spreadsheets, especially when stored on a company network or online; saved in a browser with no lock on the profile; saved on unlocked devices)
- Reusing the same password on multiple accounts
- Sharing passwords
- Never changing passwords, even after a data breach or known compromise
- Entering passwords on untrusted networks such as public wifi, particularly on sites that do not use HTTPS
Effects of Poor Password Management
Human nature is to follow the path of least resistance. We understand why people make these mistakes. Reusing simple, memorable passwords makes technology manageable for non-technical users. But we also know that poor password management puts sensitive information at risk. Passwords are currently the main means we use to protect sensitive information about ourselves, our employees and our organizations. Poor password management opens the door to that data, putting people at risk of financial theft, identity theft, physical harm and corporate espionage, to name only a few.
Think of your passwords as the keys to your digital life. Just as handing your keys to a gang of thieves invites them to steal your mail, your car or possessions from your home, giving attackers an easy opportunity to steal your data invites them to take your money, identity, personal records, business and reputation. And depending on how your home is secured, it may invite them to threaten your and your family’s physical safety as well.
Passwords Are Risky
Current statistics show that in the working world passwords are the most used and least expensive authentication option, but also the least secure. Password reuse is common despite organizational efforts to stop it, and even password sharing happens at least occasionally.
- Passwords are reused an average of 5 times.
- 63% of companies prohibit employees from using the same password for different systems, yet 51% say they reuse their passwords for multiple accounts anyway.
- 69% of respondents admit to having shared a password with a colleague at least once.(1)
The obvious risk of sharing a password with a colleague is that an employee who is not authorized gains access to private organizational information. That colleague is at least a known member of the company, so the odds of the lapse turning into a real incident are lower, though it still destroys accountability (every action is logged under the wrong name) and hands an insider more access than they should have. Far worse, data breaches over the past decade have exposed billions of passwords that are still in use in systems all over the world. Attackers compile those breached passwords into wordlists, and people who keep using or reusing passwords that appear in them open their organizations up to much greater risk. These stolen credentials are used in over 70% of hacking breaches worldwide.(2) A Ponemon survey in 2018 found that, in the previous year, 40% of responding companies had suffered an attack involving compromised employee passwords.(3)
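The practical defence against breached passwords is to check every new or changed password against a breach corpus before accepting it. The following is an added example, not code from the original article: it implements the k-anonymity check used by range-style APIs such as Have I Been Pwned’s Pwned Passwords endpoint, where only the first five hex characters of the SHA-1 hash leave the client and the remaining suffix is matched locally. The breach corpus, the `simulated_range_lookup` stand-in for the network call, the counts, and the 12-character minimum length are all constructed assumptions for the example.

```python
import hashlib
from typing import Callable, List

# Constructed stand-in for a breach corpus (assumption for this example).
# In practice the client never holds the corpus; it queries a range endpoint
# that returns "SUFFIX:COUNT" lines for a 5-hex-character SHA-1 prefix.
_CONSTRUCTED_BREACH_CORPUS = {
    "Password123": 123456,
    "qwerty": 3912816,
    "letmein": 250000,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the hash format range APIs use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def simulated_range_lookup(prefix: str) -> str:
    """Constructed replacement for the network call (not a real API).

    Returns every corpus hash whose first five hex characters equal `prefix`
    as 'SUFFIX:COUNT' lines, plus one decoy so the response is never empty
    (a real endpoint returns hundreds of suffixes per prefix).
    """
    lines = ["0" * 35 + ":1"]  # decoy suffix, present for every prefix
    for pw, count in _CONSTRUCTED_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """k-anonymity check.

    Only the 5-character prefix is passed to `range_lookup`; the 35-character
    suffix is compared locally, so neither the password nor its full hash
    leaves the client. Returns the number of times the password was seen in
    breaches, or 0 if it was not found.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def evaluate_password(password: str, range_lookup: Callable[[str], str],
                      min_length: int = 12) -> List[str]:
    """Return the reasons a password should be rejected (empty list = accept).

    Length and breach-corpus membership are the two checks that matter most;
    composition rules (mandatory symbols and the like) are deliberately not
    applied. The 12-character minimum is an assumption for this example.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = breach_count(password, range_lookup)
    if seen:
        reasons.append(f"appears in breach corpus {seen} times")
    return reasons


if __name__ == "__main__":
    for pw in ("Password123", "correct horse battery staple"):
        print(pw, "->", evaluate_password(pw, simulated_range_lookup) or "ok")
```

To use this against a live service, replace `simulated_range_lookup` with a function that performs the HTTPS request for the prefix and returns the response body; the comparison logic does not change, and the password itself is never transmitted.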
What is Credential Stuffing?
One of the main reasons these attacks are so successful is that people reuse passwords. A password used for a single account is only useful to an attacker on that one account. When passwords are reused, however, the odds rise sharply that an attacker holding a list of a billion username/password pairs gathered from breaches already has your credentials. To find out where they still work, the attacker uses an automated tool that “stuffs” the known-good pairs into the login pages of other sites. One computer can submit about 30,000 attempts in a single hour. At a success rate of 0.1%-2%, a team can end up with thousands of working accounts at their disposal in a few weeks. These numbers alone should be enough to convince you that credential stuffing is big business that is not going away any time soon.
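Because stuffing submits a different leaked username/password pair on almost every attempt, it leaves a distinctive pattern in authentication logs: one source, many attempts, a different username nearly every time, and a low success rate. A brute-force attack looks different (one username, many attempts). The following is an added example, not from the original article, showing that detection logic run over a constructed log. The log format, the IP addresses, the usernames and the thresholds (10 attempts, 80% distinct users) are assumptions for the example; a real detector would additionally bucket events into time windows.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Constructed log format for this example (not any real product's):
# one line per login attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)

    @property
    def distinct_user_ratio(self) -> float:
        return len(self.users) / self.attempts if self.attempts else 0.0


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Per-source counters: attempts, successes and the set of usernames tried."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole run
        s = stats[rec["src"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "OK":
            s.successes += 1
    return stats


def classify(s: SourceStats, min_attempts: int = 10, user_ratio: float = 0.8) -> str:
    """Label one source by the shape of its attempts.

    Credential stuffing tries one leaked pair per attempt, so the distinct-user
    ratio is close to 1 and successes are rare. Password spraying (one password
    across many users) also spreads across usernames, so the label covers both;
    either way the source should be rate-limited or blocked. Brute force
    hammers a single username. Thresholds are assumptions for this example.
    """
    if s.attempts < min_attempts:
        return "normal"
    if s.distinct_user_ratio >= user_ratio:
        return "stuffing_or_spraying"
    if len(s.users) == 1:
        return "brute_force"
    return "suspicious"


def detect(lines: Iterable[str], min_attempts: int = 10) -> Dict[str, str]:
    """Map each source address in the log to its classification."""
    return {src: classify(s, min_attempts) for src, s in aggregate(lines).items()}


# Constructed sample: 12 leaked pairs stuffed from one IP (one happens to work),
# 10 guesses against "admin" from a second IP, and a user who mistypes once.
CONSTRUCTED_LOG = (
    [f"2024-05-01T10:00:{i:02d}Z src=203.0.113.7 user=user{i:02d} "
     f"result={'OK' if i == 5 else 'FAIL'}" for i in range(12)]
    + [f"2024-05-01T10:01:{i:02d}Z src=198.51.100.5 user=admin result=FAIL"
       for i in range(10)]
    + ["2024-05-01T10:02:00Z src=192.0.2.10 user=bob result=FAIL",
       "2024-05-01T10:02:07Z src=192.0.2.10 user=bob result=OK",
       "malformed line that the parser must skip"]
)


if __name__ == "__main__":
    for src, verdict in detect(CONSTRUCTED_LOG).items():
        print(f"{src:14} {verdict}")
```

The single successful login from the stuffing source is exactly the account a defender wants to find: a low success rate across many usernames is the signature, and that one “OK” is the compromised account to force-reset.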