Passwords are outdated, vulnerable, and an unacceptable basis for cyber resilience in today’s organizations, says Patrick McBride. In this article he explains why this is the case and looks at the way forward.
The humble password has been an intrinsic part of security since the mid-1960s when it was first introduced at the Massachusetts Institute of Technology. But after several decades of use it’s painfully clear that we need to move on – and quickly. Around 80 percent of breaches are known to stem directly from compromised passwords, making them one of the single most glaring vulnerabilities in any cyber resilience strategy.
Nevertheless, many organizations still rely on username/password combinations as the primary method of defending their systems against unauthorized access.
The basic authentication method of the password is completely flawed and vulnerable to theft and to brute-force attacks, whether adversaries try lists of popular passwords against a single site or stuff stolen credentials into many different sites. And there are literally billions of stolen passwords available for sale on the dark web. But the mindset around passwords is also fundamentally flawed, placing the responsibility for security squarely on individual users. This has been reinforced by years of official policies, guidance, and prodding from governmental bodies and other authorities.
Something needs to change – and this change needs to come from the top. Stop promoting ‘longer, stronger passwords’: it is bad advice, full stop! We need to fix the fundamental issue, stop using passwords, and move to a secure method of authenticating user identities.
Why even the best password advice isn’t enough
Most advice given around good password hygiene puts the responsibility on the individual. Users are, for example, encouraged to think of complex passwords, with most services now requiring a specific minimum length and a particular mix of letters, numbers, and special characters.
It is certainly helpful not to use ‘Password1’ to protect your corporate login, but the complexity of a password has little to no impact on its effectiveness. Social engineering attacks that trick the user into sharing their credentials, or entering them into a fake login page, work just as well whether the password is the user’s birthday or an incomprehensible string of 30 characters. Likewise, credential-stealing malware is not inconvenienced by complex passwords: it will happily send a four-character or a four-thousand-character password back to the adversary. With so many credentials available for purchase, longer or stronger passwords just don’t matter. The recommendation was based on the fact that a longer password is harder to ‘crack’ (recover from a stolen hash), and harder for adversaries to hit with credential stuffing techniques that try various popular passwords. But these old-school recommendations do not reflect the way adversaries gain access with stolen or purchased passwords and reuse them today.
Encouraging employees and customers to use a unique password for each app can help protect their corporate and personal accounts from compromise. But with dozens of sites, this model, which still places responsibility on the end user’s shoulders, is very troublesome: no one can remember dozens of unique passwords. Whilst password managers can help users tackle the growing number of unique passwords they must deal with in their daily lives, and reduce the chance of the old faux pas of saving all their credentials in a Word document on the desktop, they provide no protection against credential theft malware or phishing attacks. These tools also concentrate the risk by assembling all of the passwords in a single location that is often protected by, you guessed it, another password.
Most organizations do at least recognize that passwords alone are a flawed form of authentication. However, the usual attempts to improve matters are scarcely more secure. Multifactor authentication (MFA) has been embraced by many as the answer to the password problem; the Cybersecurity and Infrastructure Security Agency (CISA), for example, recently announced a major push to increase MFA adoption.
However, not all MFA is created equal. Most currently deployed and sold MFA solutions are highly vulnerable to exploitation by threat actors. This is news to many organizations, including, unfortunately, too many government organizations. Most existing MFA solutions rely on an easily phished factor such as a one-time password (OTP) delivered over an insecure channel like email or SMS. Adversaries can intercept these messages, or use social engineering and reverse-proxy techniques to trick users into handing over the secret factor from their MFA process. Readily available tools and free toolkits can be deployed by even the most unsophisticated attackers, making stealing credentials and compromising MFA almost as easy as painting by numbers. Another commonly used MFA technique, push notifications, is susceptible to social engineering such as prompt bombing, where the user is flooded with approval requests until one is accepted.
The US Government warned recently that adversaries are now deploying techniques to bypass standard MFA ‘at scale’, and that freely accessible open-source tooling is putting this within reach of even less skilled criminals.
Indeed, the US Government has been one of the most forward-thinking about the need to move on from the current security status quo.
Pushing for password progress
Most prominently, the Biden Administration has made it mandatory for governmental agencies to adopt Zero Trust by 2024. The ‘never trust, always verify’ principle of zero trust fundamentally requires adherents to move away from passwords and other phishable factors and towards a more robust, risk-based approach that includes MFA. Furthermore, the Administration’s recently published Zero Trust guidance for the Federal Government places an emphasis on using passwordless and ‘phishing resistant’ MFA methods.
However, many other world leaders are still behind the curve. The UK’s NCSC, for example, continues to push for the use of strong passwords and encourages password managers. Illustrating this, its Cyber Aware campaign promotes combining three random words that each mean something to you as a way of creating a password that is strong but memorable. Again, while this will somewhat improve a user’s ability to deal with all their passwords, it does little to stop, or even notably slow, a threat actor armed with modern techniques.
Whilst MFA is also recommended by the NCSC and others, not all MFA is created equal and legacy solutions present numerous risks.
Moving to a passwordless – and truly unphishable – future
We need to see more governments and other leading authorities taking the same approach as the recent US policies and doing more to steer organizations away from traditional security measures that are no longer enough to keep out adversaries. In an ideal world, global governments and their security agencies would all be on the same page and we could even see an international effort to leave passwords behind.
In the meantime, we have an ideal opportunity to move on from passwords thanks to the current focus on digital transformation and zero trust. Both processes – inextricably interlinked – require organizations to review their processes and use more secure authentication.
What better time to leave the false security of the outdated password and phishable MFA behind?
Instead, enterprises need to look toward a truly passwordless approach to security. This means removing passwords entirely, not simply hiding them or combining them with other weak factors. As long as passwords still exist somewhere in the authentication or account reset process, they are vulnerable to exploitation.
True passwordless security eliminates the traditional username/password combination in favour of a passkey: a public/private key-based authentication token assigned to each user and device. Rather than codes and links that can be intercepted and exploited, this process uses unphishable cryptographic keys, unlocked by device-based biometrics or PIN codes, that are securely stored in the specialized hardware of modern endpoint devices from phones to laptops.
Unphishable passkeys cannot simply be stolen via clever social engineering, and cannot be guessed or brute-forced. This unphishable approach to MFA is effectively immune to all normal credential-based attacks: the private key never leaves the device, so there is nothing reusable for a threat actor to steal, and no unauthorized device can access the account.
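The property described above, that a passkey login survives the reverse-proxy phishing that defeats OTP and push-based MFA, rests on the device signing a fresh challenge together with the origin it actually sees. The Go example below is added here to illustrate that mechanism; it is not Beyond Identity’s code or any passkey product’s implementation, and the origins, the P-256 key and the simple hash-then-sign message layout are constructed for illustration rather than the real wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the device side of a passkey: the private key is generated
// on the device and never leaves it; the relying party stores only the public key.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// Assertion is the device's answer to a login challenge: a signature over the
// challenge AND the origin the browser actually showed the user.
type Assertion struct {
	Origin string
	Sig    []byte
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedBytes binds the challenge to an origin; both sides compute it the same way.
func signedBytes(challenge []byte, origin string) []byte {
	d := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	return d[:]
}

// Sign answers a challenge for whatever origin the user is really on. Behind a
// reverse-proxy phishing page that is the look-alike origin, not the real one.
func (a *Authenticator) Sign(challenge []byte, seenOrigin string) (Assertion, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedBytes(challenge, seenOrigin))
	return Assertion{Origin: seenOrigin, Sig: sig}, err
}

// Verify is the relying party's check. A relayed assertion carries the wrong
// origin; if the attacker rewrites Origin, the signature no longer verifies.
func Verify(pub *ecdsa.PublicKey, rpOrigin string, challenge []byte, as Assertion) bool {
	if as.Origin != rpOrigin {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedBytes(challenge, as.Origin), as.Sig)
}
```

Contrast this with an OTP: the code the user types is the same on the real site and on the proxy, so relaying it works, whereas here a relayed assertion is rejected and a signature from a device that was never registered is rejected too.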
We need other governments around the world, as well as trusted authorities like the NCSC, to stop promoting outdated advice around passwords and legacy MFA, and start encouraging organizations to explore passwordless alternatives that can stand up to modern cyber threats.
Strong leadership will help us to finally turn the page on passwords and start a new chapter in security.
Patrick McBride is CMO at Beyond Identity.