Password management in 2023 and the future of passwordless authentication

Nov. 16, 2022
Slow implementation of multi-factor authentication could lead to rapid adoption of passwordless security options

Businesses and consumers have relied on passwords for decades, and password use has continued to grow over the last two years with the move to remote work and the increasing use of cloud services. While password protections have come a long way since MIT created the first computer password in 1961, poor password hygiene remains. Credentials are a popular attack vector for bad actors to hack into organizations, making poor password practices a significant threat for businesses. One stolen password can bring down tens of thousands, even millions of dollars' worth of cybersecurity defenses, which we saw firsthand with the recent NVIDIA breach. This points to the need for sophisticated technology and solutions that secure passwords and make them more manageable.

Common Password Attack Methods

Cybercriminals know that many organizations do not prioritize password security, so password-related cyber-attacks are unlikely to stop. There are multiple methods cybercriminals use to steal passwords and credentials, including:

● Brute-force attacks. Cybercriminals purchase a list of previously compromised passwords on the DarkNet, or alternatively, they download a free list of common passwords, like qwerty and password123. Then, they try these passwords everywhere.

● Targeted/surgical attacks. Cybercriminals select specific individuals at an organization, then search social media networks for information about the targets, such as their birthdays, favorite vacation spots, hobbies, and names of their children, spouses, or even pets. Then, they use this information to try to crack each target’s password. This type of attack takes advantage of the fact that many people use passwords containing information from their real life, like their children’s names.

● Phishing/social engineering. This involves a cybercriminal stealing credentials directly from a victim, often by sending them an email or text message with a malicious link that directs them to a phishing site, or a malicious attachment that contains keystroke-logging malware.

● SIM Swap. SIM swapping, also known as SIM hijacking, SIM jacking, or SIM splitting, is a type of account takeover (ATO) attack where cybercriminals get a victim’s mobile phone number transferred to a new SIM card.

The expanding threat landscape, combined with the proliferation of connected apps, devices, and data spread across increasingly complex, distributed network environments, has created the need for sophisticated password protection and Identity Access Management (IAM) software and systems.

Passwordless Technology in the Enterprise

Passwordless authentication has entered the fray and is an attractive option for enhancing organization security. However, the adoption rate of this technology is slow. A recent report from Keeper Security that surveyed 600+ leaders in the enterprise revealed a contradiction when it comes to passwordless tech adoption. The majority of survey respondents (54%) would prefer that their users log in to desktop computers using passwordless technology, but at the same time, 59% of the same respondents have not deployed passwordless tools yet because it is not a priority. What’s more, the combined majority of survey respondents (55%) said that they either aren’t sure when they would like to start deploying a passwordless technology in their organization (over 34%) or are not planning to deploy passwordless (nearly 21%).

The slow adoption of multi-factor authentication (MFA) by businesses and consumers – despite MFA being a practical and highly effective way to protect end users from breaches due to credential theft – is a good indicator of the possible adoption timeframe for passwordless tech. First, vendors have to build the technology into their websites and applications, and then, end users have to be educated about the technology and come to trust and adopt it. Between both organizational and consumer adoption, it may take many years until passwordless tech is widespread.

The bottom line is that businesses and consumers will still be using passwords for at least another decade, so the technology that keeps passwords secure and easy to manage is extremely important in maintaining organizational security.

Improve Password Protection Today

While the adoption of passwordless technology may be a future goal rather than a current reality for some organizations, business leaders can implement a few key best practices today to maintain good password hygiene and avoid leaving their organization vulnerable to attack.

● Establish password governance. Implement password management and governance solutions that require users to use strong, unique passwords for every online account and application.

● Enable MFA. Require employees to enable MFA wherever it’s supported, preferably using a time-based one-time password (TOTP) code or a hardware-based FIDO2 key. This way, even if a cybercriminal steals the employee’s password, it’s useless without the second authentication factor.

● Protect machine credentials. Infrastructure secrets such as database passwords, API keys, and SSH credentials are high-value targets for criminals. They should likewise be stored in a secure vault, managed, and never hard-coded in software.

● Protect remote access. With the increase in remote workers and the broad use of cloud infrastructure, it is important to implement zero-trust remote access systems that follow the least-privilege principle, offer role-based access control (RBAC), and offer privileged access management (PAM), including monitoring, logging, and session recording.

Working Toward Long-Term Security

Data security remains a challenge for all organizations in today’s hyper-connected world. While passwordless authentication may not be widely adopted in the next few years, technology and solutions that make passwords secure and easy to manage are key to keeping up with today’s cyber threats and evolving threat landscape.

About the author: Teresa Rothaar is a governance, risk, and compliance (GRC) analyst at Keeper Security. Prior to this, she spent six years as a cybersecurity copywriter, where she produced hundreds of blogs and ghostwritten articles, dozens of whitepapers and case studies, and other thought leadership content for cybersecurity firms ranging from small startups to multinational corporations. She holds an MBA and an MS in management information systems from Wilmington University, and a B.S. in mathematics and computer science from Temple University.