This year’s World Password Day campaign has taken on extra significance, given the big rise in breached login credentials since the start of the COVID-19 pandemic. Against this backdrop, Infosecurity recently caught up with Colin Truran, senior risk, compliance and governance advisor at Quest, to find out how cyber-criminals are targeting passwords to launch attacks and ask whether we should be looking to reduce our reliance on passwords going forward.
What trends have we seen regarding how cyber-criminals have targeted passwords to launch attacks since the start of the COVID-19 pandemic?
Since the start of the pandemic, we have seen a big rise in phishing to trick people into giving away their credentials on fake sites. In turn, cyber-criminals are then profiting from password reuse. It is an easy gateway to corporate networks, especially when there is breached account data from a less secure service such as e-commerce or a social service. Too many organizations store and handle passwords in a compromised fashion, storing unsalted hashes or even storing the password itself.
We have also seen a rise in cyber-criminals strategically using brute force attacks to crack simple and short passwords more quickly. For less experienced, opportunistic hackers, darknet hacking as a service and rentable cracking stations have opened up the hacking market to a much wider audience that doesn’t necessarily have the skills or the bandwidth.
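The answer above calls out two storage mistakes: keeping unsalted hashes, and keeping the password itself. The following example is added here and is not code from the interview or from Quest; it uses constructed sample users and an assumed PBKDF2 work factor to show why an unsalted table leaks password reuse between users (two users with the same password get the same hash, so one crack exposes both), while a per-user salted PBKDF2 record does not.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

# Constructed sample accounts for this example; the passwords are placeholders only.
SAMPLE_USERS = {
    "alice": "Summer2020!",
    "bob": "Summer2020!",   # same password as alice: the reuse case the interview describes
    "carol": "correct horse battery staple",
}

# Assumption: work factor chosen for this example (PBKDF2-HMAC-SHA256 iteration count).
PBKDF2_ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """The weak scheme: a single plain SHA-256 of the password, no salt, no work factor."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt per user means equal passwords produce unrelated records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count, compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicate_hash_groups(records: Dict[str, str]) -> List[Set[str]]:
    """Group usernames whose stored values are identical.
    Against an unsalted table this reveals every pair of users sharing a password
    without cracking anything; against a salted table it reveals nothing."""
    by_value: Dict[str, Set[str]] = {}
    for user, value in records.items():
        by_value.setdefault(value, set()).add(user)
    return [users for users in by_value.values() if len(users) > 1]


def build_unsalted_table() -> Dict[str, str]:
    return {user: unsalted_hash(pw) for user, pw in SAMPLE_USERS.items()}


def build_salted_table() -> Dict[str, str]:
    return {user: salted_record(pw) for user, pw in SAMPLE_USERS.items()}


if __name__ == "__main__":
    print("unsalted duplicates:", duplicate_hash_groups(build_unsalted_table()))
    salted = build_salted_table()
    print("salted duplicates:  ", duplicate_hash_groups(salted))
    print("alice verifies:     ", verify("Summer2020!", salted["alice"]))
```

The same idea applies to any modern password hash (scrypt, bcrypt, Argon2): the salt is stored alongside the digest, so a leaked table cannot be matched against a precomputed lookup, and identical passwords across users or across services no longer look identical.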
Which sectors have been especially heavily affected by password spraying tactics over recent years?
E-commerce and social media platforms have been particularly affected by password spraying attacks in the last few years.
Now that there are discussions around lifting travel restrictions, more consumers are relying on new services, some of which lack multi-factor authentication (MFA) by default. Also, individuals faced with having to set up more accounts tend to use common memorable passwords, leaving them open to security risks.
How do you advise these organizations to go about strengthening password practices among their staff?
- Enforce passphrases rather than passwords.
- Always have easy-to-use multi-factor authentication (MFA), which does not rely on SMS or email.
- Do not require password changes on a frequent basis as this encourages password reuse or simple increments.
- Provide password vaults to encourage and simplify passwords for all systems and not just your own.
- Single sign-on (SSO) - do away with having separate credentials for each service, as it just encourages password reuse. It often ends up with the lowest common policy denominator. A breach in one will result in a breach in all because of reuse. A breach may result in not all services being updated, which complicates account termination and visibility.
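Two of the points above, enforcing passphrases and not forcing frequent rotation because it produces "simple increments", can be applied at the moment a user sets a new passphrase, when both the old and new values are available in plaintext. The following example is added here and is not code from the interview or from Quest; the minimum length, the trailing-digit rule for spotting increments, and the small breached-word list are assumptions constructed for illustration.

```python
import re
from typing import List, Optional

# Assumption: policy minimum chosen for this example (a passphrase, not an 8-character password).
MIN_PASSPHRASE_LENGTH = 16

# Constructed stand-in for a real breached-password corpus; compared after stripping digits.
KNOWN_BREACHED_STEMS = {"password", "summer", "welcome", "qwerty", "letmein"}

_TRAILING_DIGITS = re.compile(r"\d+$")


def _stem(passphrase: str) -> str:
    """Lower-case and drop trailing digits so 'Winter2021' and 'Winter2022' compare equal."""
    return _TRAILING_DIGITS.sub("", passphrase).lower()


def is_simple_increment(old: str, new: str) -> bool:
    """True when the new value is the old one with only its trailing number changed,
    the pattern the interview says forced rotation encourages."""
    return old != new and _stem(old) == _stem(new)


def check_new_passphrase(new: str, old: Optional[str] = None) -> List[str]:
    """Return a list of policy problems; an empty list means the passphrase is accepted."""
    problems: List[str] = []
    if len(new) < MIN_PASSPHRASE_LENGTH:
        problems.append(f"shorter than {MIN_PASSPHRASE_LENGTH} characters")
    if _stem(new) in KNOWN_BREACHED_STEMS:
        problems.append("based on a known breached password")
    if old is not None:
        if new == old:
            problems.append("same as current passphrase")
        elif is_simple_increment(old, new):
            problems.append("simple increment of current passphrase")
    return problems


if __name__ == "__main__":
    # Constructed sample change requests.
    for old, new in [
        ("SparkyTheDogRocks1", "SparkyTheDogRocks2"),
        ("SparkyTheDogRocks1", "correct horse battery staple"),
        (None, "Welcome123"),
    ]:
        print(repr(new), "->", check_new_passphrase(new, old) or "accepted")
```

Checking increments at change time avoids the usual objection that detecting reuse requires keeping old passwords recoverable: the comparison runs once, on values the user has just typed, and nothing beyond the salted hash of the accepted passphrase needs to be stored.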
Do you believe as a society we need to be reducing our reliance on passwords over the coming years? If so, why?
Our digital lives are far too complex for anyone to effectively control without serious technical assistance. As a result, we try to make life manageable by simplifying passwords at every opportunity.
When you lock your house, you use a key – rarely do we use PIN codes. PIN codes are only as good as their code owner; keys and locks, on the other hand, are as good as their specialist security manufacturer with years of experience. The same goes for our digital security. It’s better to have something physical that can validate based on multiple highly technical sources such as biometrics and location than a short piece of data shared with multiple services.
The shift to a more immersive personal experience with IoT requires each of our devices, from a lightbulb to a car or even the house, to know who we are and control our preferences. This requires accurate identification of the individual to enable the secure passing of private information. So, this in itself will drive us away from passwords and into a broker identity service. However, choose wisely because technology such as social login is still a major risk in more ways than you can imagine.
What alternatives to passwords should we be pursuing? What needs to happen to ensure these authentication methods become more widespread?
An alternative would be a physical device that uses multiple methods to prove our identity and can share its security without passing personal information. The mobile phone is the most common example of this. We’ve seen manufacturers recently add new functionality for multiple devices to work together. However, don’t be fooled; facial recognition on mobile devices compromises accuracy for ease of use. Multiple devices are mainly used not for added security but to perform in any given scenario, such as when an individual is wearing a facemask.
However, technology is continually improving, and hopefully, the accuracy and confidence in it will too. Equally important will be cybersecurity training from an early age in schools. We don’t just need to learn our native language; we also need to learn the digital one.