Passwords provide a false sense of security for both users and the companies who demand them. The password requirement to protect the user (and ultimately sensitive company data), creates an entirely new frontier, both from a security perspective and for criminal activity.
Passwords are the simplest go-to for system security and are the weakest link in the cybersecurity chain. Criminals know passwords are often the only thing between them and massive amounts of data they can sell for a profit in the underground. Password breaches lead threat actors to a cache of information that generates anywhere from a few dollars to thousands per breach.
Some of the largest public breaches have occurred in the past few years, revealing security vulnerabilities that exposed billions of pieces of personal data users assumed were protected behind the veil of their passwords. The types, shapes and sizes of exposures vary, but most begin with an oversight or pure naiveté.
The Innocent Exposure
Few companies invite a breach, yet when they happen, most are surprised at how human error or simply being unaware of a vulnerability put the company at risk. These are the most common exposures, as companies struggle to stay in step with criminal hacking techniques. A few notable instances when innocent mistakes morphed into something much bigger:
Twitter recently urged users to immediately change their passwords after they discovered a glitch that stored unencrypted passwords in an internal log. Even though it was an innocent mistake, anyone who may have had access to that log could have, in theory, exploited those passwords. Smartly, Twitter also recommended users consider changing their password on all services where they may have reused their Twitter password.
Equifax found that an application vulnerability on their website resulted in nearly 150 million consumer passwords being exposed. While the exposure began in May, the breach wasn’t discovered until the end of July, giving criminals plenty of time to sell millions of Social Security numbers, birth dates, addresses, driver’s license numbers, credit card data and personally identifiable information.
Uber found themselves the victim of a hacking attack that impacted 57 million Uber users and 600,000 Uber drivers. Two hackers accessed Uber’s GitHub account to uncover username and password credentials that never should have been stored there in the first place. The breach may have cost Uber $20 billion in valuation during its attempt to sell a stake in the company.
The Weak Password
Weak passwords can be too short, too simple and/or too obvious. Hackers use different automated methods to crack passwords, including trying the most commonly used passwords and brute force attacks that attempt every possible character combination. These attacks are run at massive scale and speed, taking one account compromise to land the criminals in a treasure trove of sensitive corporate data.
Even when they are strong, many people reuse the same password across multiple accounts. If one of those accounts is hacked, criminals perform “credential stuffing” to test that password against thousands of popular websites to rapidly scale the attack for years. Though 91 percent of people know using the same password for multiple accounts is risky, 59 percent still do it. Reusing passwords and accessing apps like Dropbox and GitHub with personal emails is a challenge for most companies.
One of the more prolific examples of how password reuse can be used against someone is with Mark Zuckerberg. In 2016, the Facebook CEO discovered his Twitter and Pinterest accounts had been hacked. Apparently, Zuckerberg used the same password for LinkedIn as he did for Twitter and Pinterest. When LinkedIn was hacked and millions of usernames and passwords sold on the dark web, LinkedIn users were encouraged to change their account password. Zuckerberg did so but neglected to change the same password for his other social media accounts.
The Unaware Employee
Employees introduce the most risk to an organization. They click on phishing emails, log into bogus sites, use weak passwords, access secure sites from unsecured devices and unwittingly download viruses and malware. Most employees are completely unaware of their mistakes.
In the Anthem breach, hackers were able to implement a phishing campaign to compromise multiple C-level executive accounts. Because none of the executives used additional authentication mechanisms, hackers were able to easily access the entire data warehouse and remove more than 80 million customer records – all from only five breached accounts.
The social music streaming company 8Tracks was surprised to learn that an employee inadvertently leaked the passwords of 18 million user accounts. The company was able to source the breach to a GitHub repository that did not require two-factor authentication.
The common denominator in each of these breaches is the password. If cracked, the password is like an HOV lane for criminals, directing them to what they really want: personal, profitable information they can sell en masse. Unfortunately, many consumers and companies believe the password is protection enough. They are learning that’s a dangerous misconception, and many proposed technological solutions have their own sets of problems.
There are ways for users to fortify their accounts beyond passwords, yet few choose to do so because it slows down the login process. Password managers and two-factor authentication are substantially more secure methods but nearly 90 percent of Americans still keep track of their online passwords by either memorizing them or writing them down, and fewer than 30 percent use two-factor authentication.
Many companies encrypt passwords; however, the type of encryption matters. Even well-designed passwords can be stolen or compromised when service providers aren’t adequately securing them with the latest technology. Weaker algorithms, like unsalted md5 and sha1, are commonly used yet easily deciphered and immediately converted back into the readable passwords that fuel attacks. The Ashley Madison incident involved 36 million leaked passwords that were hashed with the bcrypt encryption type, clearly not strong enough to prevent a breach.
Companies may also attempt to track password exposures, but the process can be labor intensive, frequent false positives desensitize them to real threats, and they often miss many of the compromises. Their methods are too basic to catch the oft-shrouded techniques of the modern cybercriminal, particularly when the bad actor is internal to the company.
Unless organizations turn to automating their tracking and breach detection and strengthening their login and authentication through technologies like biometrics, they will continue to leave themselves, their employees, their customers and their data at risk.
Bottom line: Companies must fight fire with fire, and as long as passwords are the cornerstone of cybersecurity, we will continue to be vulnerable. Refortifying passwords and avoiding data breaches involves adjusting mentality and behavior as well as modernizing technology and service provider practices to stay a step ahead of the threat actors.