An Overhaul in Password Security

Passwords aren’t going anywhere. Despite the buzz that biometrics and MFA are holistic solutions, passwords are a ubiquitous, crucial layer for authentication—and they’re low-cost and simple, too. 

That’s not to say that passwords are without issues. In fact, due to ineffective password policies, and poor user habits, they are hotly desired targets. Also, when a password is compromised, it can immediately become an entry point for cyber attackers. This problem has grown so rapidly that compromised passwords are now the leading origin point for data breaches. 

This white paper provides a thorough explanation of the root causes, and potential solutions, to the password problem. 

A snapshot of the problem from the DBIR 

The number of data breaches has increased every year—there were 5,212 reported in 2022 compared to 1,935 in 2017. Unfortunately stolen credentials are by far the most common entry point, accounting for nearly 50% of all reported incidents. 

The report found that cybercriminals are using stolen credentials in many types of cyber attacks, the three most common being: 

1. Brute Force Attacks: Cybercriminals use software to attempt as many guesses as possible, using cracking dictionaries as the basis of their data.
2. Password Spraying Attacks: Attackers try a few commonly used passwords against a wide selection of accounts, relying on the fact that many users choose the same weak and common passwords. 
3. Credential Stuffing Attacks: Using stolen sets of full credentials, hackers plug a user’s data into additional accounts to try to access them. 

The Root of the Issue 

What really is the problem? Unfortunately, but unsurprisingly, it’s people— specifically, the very pervasive human habit of reusing passwords. 

Over 65% of people reuse passwords frequently, and the average user employs a favorite password about 14 times. Even when an individual doesn’t use the exact same password, they often choose a root password with easy-to-guess variations: for example, they might choose “Avocado” as their root password and then add an end, “Avocado22!” or “avocado123”. 

These habits make it easy for cyberattackers to exploit accounts through the above methods. 

In Brief: What Companies Can Do 

Examining and updating old password policies is the best place for organizations to start overhauling their take on password security. Several well-known policies were hailed as safeguards, but the digital landscape changed such that they are now backfiring.

Here is what companies should do now: 

1. Eliminate Periodic Password Resets: This common corporate habit has been shown to backfire, and in reality, no scheduled period will be short enough to close an active vulnerability. 
2. Replace Arbitrary Complexity Rules: Too many requirements for character complexity have been shown to lead users to follow predictable patterns when creating patterns, and increase the chances of password reuse. 
3. Screen Passwords Against a Blacklist: NIST guidelines also indicate that scanning both new and in-use passwords against a blacklist that includes dictionary words, compromised credentials taken from the dark web, and weak passwords, etc. can help reduce the occurrence of ATO and other cyber entry points. 

Companies must accept that human error isn’t going anywhere, and neither are passwords. Creating an updated and layered approach to authentication is the best defense companies can take against the constant threat of cyber attacks and data breaches. 

Download the white paper now for more details about actions your company can take.