The compromise and leak of people’s passwords has become so prevalent and frequent that it is almost accepted as a normal fact of life. The recent disclosure of a Twitter password bug that allowed exposure of user passwords, and the temporary closure of TaskRabbit, are the latest entries in an apparently never-ending stream of incidents demonstrating that, in companies of all sizes, user information is likely to be exposed or compromised, often going far beyond just password leaks.
Figure: a popular site for account/password compromise
These incidents showcase how slow the entire industry has been to implement alternative mechanisms that can mitigate password attacks. Such mechanisms are necessary because users have proven that they will continually choose the simplest and shortest passwords they can think of, no matter how often they are warned not to. Since users also reuse these easy-to-remember passwords across multiple sites, they can easily become the victims of multiple account compromises from just a single attack.
Figure: the top 10 most used passwords of 2017 (source: Gizmodo)
Multiple password dumps and lists that can be found online confirm that password simplicity and reuse is a widespread problem. One significant example is the ROCKYOU password list, which includes 32 million passwords. Attackers can leverage these readily available password lists by employing easy-to-use password attack tools.
There are multiple techniques that can be used to perform password attacks. The most popular one used for internet password attacks is called “brute-forcing”: a trial-and-error process of matching a list of usernames against a list of passwords until a valid combination is found. These attacks depend on a target that allows a large enough number of attempts for the right match to be found. The simpler and shorter the passwords, the greater the likelihood that the attack will succeed.
Figure: THC Hydra, a popular password attack tool
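Because brute-forcing depends on the target tolerating many attempts, the defender's side of this is noticing the attempt pattern in the authentication log: many failures from one source in a short window, spread across many usernames (the username/password "mix and match" described above), possibly followed by a success. The following detector is an added example, not code from the original post; the log format and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from the original post): one source tries a
# username/password list against the login endpoint, a second source is a user
# who mistyped once and then logged in.
SAMPLE_LOG = """\
2018-05-04T12:00:01 login FAIL user=alice src=203.0.113.9
2018-05-04T12:00:02 login FAIL user=bob src=203.0.113.9
2018-05-04T12:00:03 login FAIL user=carol src=203.0.113.9
2018-05-04T12:00:04 login FAIL user=dave src=203.0.113.9
2018-05-04T12:00:05 login FAIL user=erin src=203.0.113.9
2018-05-04T12:00:06 login OK user=erin src=203.0.113.9
2018-05-04T12:00:07 login FAIL user=alice src=198.51.100.7
2018-05-04T12:10:00 login OK user=alice src=198.51.100.7
"""

# Assumed (constructed) line format: "<iso-timestamp> login FAIL|OK user=<u> src=<ip>"
LINE_RE = re.compile(r"^(\S+) login (FAIL|OK) user=(\S+) src=(\S+)$")


def detect_bruteforce(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Flag sources with >= max_failures failed logins inside a sliding window.
    Each alert records the failure count, how many distinct usernames the source
    tried (many users from one source = list-based guessing, not a forgetful
    user), and the first username that later logged in successfully from it."""
    failures = defaultdict(deque)     # src -> timestamps of recent failures
    tried_users = defaultdict(set)    # src -> usernames it has failed against
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        ts = datetime.fromisoformat(m.group(1))
        result, user, src = m.group(2), m.group(3), m.group(4)
        if result == "FAIL":
            q = failures[src]
            q.append(ts)
            tried_users[src].add(user)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= max_failures and src not in alerts:
                alerts[src] = {"failures": len(q), "users": len(tried_users[src]),
                               "success_after": None}
        elif src in alerts and alerts[src]["success_after"] is None:
            alerts[src]["success_after"] = user   # the guessing found a match
    return alerts
```

A success recorded after an alert is the case that needs immediate response (lock the account, invalidate the session), while the distinct-user count separates a reused-password list attack from a single user who forgot their password.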
Passwords as we know them are obsolete
We can no longer rely on passwords as the main method of authentication. Users are blamed for choosing simple passwords, while vendors, under pressure to make their products easy to access, frequently hard-code simple and easy-to-guess passwords. An example of how this can affect the internet is the rise of the Mirai botnet, in which hundreds of thousands of IoT devices were compromised and the main attack vector was simply default vendor passwords.
How can we fix this?
There are a number of password alternatives or complements that improve security over using passwords as the only authentication/authorization method. These include:
Credential Monitoring Services:
These will track your username, email and passwords, and often your company domain name. Sites like www.malwaremanaged.com offer tools like SpyCloud and AlertID. These services alert you when credentials have been stolen and are possibly being bought, sold and traded on the dark web.
The above items are by no means a complete solution to account takeover or compromise; they can, however, provide additional protections that help prevent accounts from being compromised and stop password reuse attacks from succeeding.
There are many other attack vectors that can target each method listed above. An example of how two-factor authentication can be bypassed without much effort was recently shared with the author of this blog: a very large academic organization that implemented two-factor authentication via a well-known vendor saw a number of accounts compromised when malicious actors targeted students at lunch time and started sending them authentication requests through the vendor's application on their phones. This is a social-engineering attack that required prior knowledge of the victims. Surprisingly, many of the students decided to confirm such requests, and their accounts were then accessed and ultimately compromised.
The above example demonstrates that although we can improve protections against password compromise, users still have the last word. We do need to move on from passwords alone as the main authentication method. The path forward requires investment and a push from vendors and service providers to implement such measures. Additionally, enterprises must shift their traditional stance on authentication away from the single-method model and demand that their vendors support multi-factor authentication.