Week 17: Are passwords safe, and what are the alternatives?

Passwords aren’t a modern invention. In fact, their use dates back to ancient Rome. In the 6th book of Histories, the Greek historian Polybius, who lived between 261 and 146 BC, mentions the term “Watchword”, a secret used by the Roman armies, inscribed on a wooden tablet and passed around to distinguish friends from enemies. Fast forward to 1961, when Dr. Fernando Corbato used the first digital password to protect user accounts. And in 1962, a PhD student, Allan Scherr, committed the first password theft.

Since then, bad actors have only upped their game. Remember Week 7, when we looked at social engineering and phishing? Well, that was just one type of attack. Cyber Threat Actors (CTAs) can choose to employ any of the following:

  • Brute Force: Here, the CTA uses manual or automated means to try different password combinations until the correct one is identified.
  • Password Spraying: This is a form of Brute Force. Here, the attacker tries a small set of commonly used passwords against many different users within the same organization. The larger the set of accounts, the higher the probability that one of those passwords matches someone’s account.
  • Credential Stuffing: This is a close relative of Password Spraying. Here, the CTA relies on the user’s bad habit of reusing passwords across different services, replaying credentials leaked from one service against another.
  • Dictionary attack: This is similar to brute force, but instead of trying every possible variation, the bad actor relies on a file that contains frequently used passwords. These lists can easily be found on the internet (One example is on GitHub).
  • Rainbow Table: This is a type of dictionary attack in which the CTA leverages precomputed tables of password hashes. Companies don’t usually store your secret in plaintext; instead, they store hashes (please refer to last week’s article titled Cryptography), which are a cryptographic outcome or fingerprint used to represent a message. If the bad actor obtains the hash, they can look it up in such a table to deduce the original password.
  • Keyloggers: Malware on the victim’s computer, which logs their keystrokes.
  • Man-in-the-Middle (MITM): In this attack, the threat actor typically intercepts a message between two parties by taking advantage of unsecured connections or the lack of encryption.
  • Physical theft: Here, the malicious actor might try shoulder surfing, rummaging through the garbage (dumpster diving), or taking pictures of people’s desks that contain notes with written passwords.
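The brute-force and password-spraying patterns above leave different footprints in authentication logs: many failures against one account versus a few failures each across many accounts, from the same source. The following is an added example (not from the article) that classifies failed logins per source address; the log format and the IP addresses and user names are constructed for the example, and the thresholds are illustrative assumptions.

```javascript
// Constructed sample log (not real data): "<ISO time> FAIL user=<name> src=<ip>".
// 203.0.113.5 hammers one account; 198.51.100.9 touches five accounts once each;
// 192.0.2.7 is a user mistyping their password twice.
const SAMPLE_LOG = [
  "2024-05-01T10:00:01Z FAIL user=alice src=203.0.113.5",
  "2024-05-01T10:00:02Z FAIL user=alice src=203.0.113.5",
  "2024-05-01T10:00:03Z FAIL user=alice src=203.0.113.5",
  "2024-05-01T10:00:04Z FAIL user=alice src=203.0.113.5",
  "2024-05-01T10:00:05Z FAIL user=alice src=203.0.113.5",
  "2024-05-01T10:00:06Z FAIL user=alice src=203.0.113.5",
  "2024-05-01T10:01:00Z FAIL user=bob src=198.51.100.9",
  "2024-05-01T10:01:01Z FAIL user=carol src=198.51.100.9",
  "2024-05-01T10:01:02Z FAIL user=dave src=198.51.100.9",
  "2024-05-01T10:01:03Z FAIL user=erin src=198.51.100.9",
  "2024-05-01T10:01:04Z FAIL user=frank src=198.51.100.9",
  "2024-05-01T10:02:00Z FAIL user=grace src=192.0.2.7",
  "2024-05-01T10:02:30Z FAIL user=grace src=192.0.2.7",
];

function parseLine(line) {
  const m = /^(\S+) FAIL user=(\S+) src=(\S+)$/.exec(line);
  return m ? { time: m[1], user: m[2], src: m[3] } : null;
}

// Group failures by source, then look at how many distinct accounts each source hit.
// Many failures concentrated on one account  -> brute force / dictionary attack.
// A few failures each across many accounts   -> password spraying / credential stuffing.
// The slice of log passed in is assumed to already cover the time window of interest.
function classifySources(lines, { minFailures = 5, sprayUsers = 4 } = {}) {
  const bySrc = new Map(); // src -> Map(user -> failure count)
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue; // skip lines that are not failed logins
    if (!bySrc.has(ev.src)) bySrc.set(ev.src, new Map());
    const users = bySrc.get(ev.src);
    users.set(ev.user, (users.get(ev.user) || 0) + 1);
  }
  const findings = [];
  for (const [src, users] of bySrc) {
    const total = [...users.values()].reduce((a, b) => a + b, 0);
    if (total < minFailures) continue; // below threshold: ordinary typos
    const distinctUsers = users.size;
    const verdict = distinctUsers >= sprayUsers ? "password-spraying" : "brute-force";
    findings.push({ src, total, distinctUsers, verdict });
  }
  return findings.sort((a, b) => a.src.localeCompare(b.src));
}
```

A per-account lockout alone would catch the first source but not the second, which is why spraying is usually detected by counting distinct accounts per source rather than failures per account.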

Fortunately, not all is gloom and doom. There are a few steps you can take, as a user, to protect yourself:

  • Avoid reusing your password.
  • Avoid writing or sharing them.
  • While password length and complexity are useful, the use of passphrases is highly recommended. An example can be Gr33nPigsInMyF@rm.
  • Enable Multi-Factor Authentication (MFA) and use biometrics where possible.
  • Use an antimalware solution for your desktop and mobile devices.
  • Ensure your operating systems and other software are updated.
  • Use services such as haveibeenpwned.com to check if you’ve been compromised. 
  • Be informed about social engineering and its different flavors. 
  • The use of a Virtual Private Network (VPN) can reduce your exposure to MITM attacks on untrusted networks.
  • Use a dedicated password manager. In addition to storing your passwords, it can also generate strong, unique ones for you.
  • You could consider password rotation (i.e., changing passwords after some defined period).

(Note: There is a debate that suggests password rotation can lead to poor hygiene because users tend to use predictable secrets).

As a business, you could consider the following best practices: 

  • Provide awareness training to your employees and/or customers, and enforce a minimum password length and complexity.
  • Block accounts after a series of failed login attempts.
  • Encourage the deployment of MFA.
  • Adopt the use of CAPTCHA.
  • Adopt Self-Service Password Reset (SSPR) practices. In addition to achieving cost efficiency, this can help reduce the likelihood of social engineering attacks against the help desk.
  • In addition to encryption, consider salting: adding a random value to each secret before hashing it. This reduces the effectiveness of Rainbow Table attacks, since a precomputed table no longer matches the stored hashes.
  • Implement Extended Detection and Response (XDR) to detect and respond to the attacks described above.

Let’s ignore for a moment the different techniques by which passwords can be compromised and focus on the financial impact. In a 2019 study, Yubico concluded that organizations spent an average of $5.2M to set and reset passwords. That same study suggested employees spend about 11 hours per year regenerating their passwords. According to Gartner, 40% of the calls received by IT revolve around passwords. Finally, research conducted by Forrester states that every password-related call costs a business approximately $70. If you now multiply the number of employees by the number of password-related calls IT receives and the cost of each of those calls, the cost of using passwords is astronomical.

So, it shouldn’t be a surprise that the big tech giants are pushing for the adoption of passwordless authentication (i.e., password ditching). These include biometrics and possession factors such as an authenticator app or push notifications. Some businesses have even started using magic links. The benefits of a passwordless approach range from enhanced security and reduced IT overheads to a better user experience and easier compliance (due to reduced exposure of sensitive information and the fact that the business no longer has the onus of protecting passwords).

If you’re looking for higher assurance, it’s recommended that you use FIDO-certified products like Windows Hello, FIDO2 Security Keys (for example, Titan), or Passkeys. The FIDO Alliance is formed of over 250 members such as Apple, Microsoft, Amazon, Facebook, and Visa, who joined forces to develop a common authentication standard that operates on public key cryptography. 

Let’s take passkeys as an example. When you want to log in to Google, say, you authenticate using your fingerprint. Your fingerprint unlocks the private key, which is used to solve a challenge (or, in layman’s terms, sign a request). The response is sent to Google, which verifies it using your public key.

(Note: Neither your private key nor your biometric leave the device).

But wait. What happens if a bad actor has physical possession of your phone and wants to steal the passkey? Well, first they would have to unlock your device using your biometric information. Second, your private key is usually stored in a hardware component known as a Trusted Platform Module (TPM), which is considered virtually impenetrable. Should a device go missing, you can log in to the desired service by another means, an OTP for example, and revoke that key pair so it can no longer be used.

We thought we’d end this week with some humor around passwords, so please enjoy this video.

Next week, we’ll introduce risk management.

This article is part of a project called Security Chronicles, written jointly with Walter Buyu.
