Cyber Security Awareness Month: The Problem with Passwords
Passwords are a fixture of our modern digital world that cause no end of frustration and angst. I am sure this scenario is a familiar one:
‘Incorrect password, please try again’
‘Please enter a new password’
<input incorrect password (because, hey, it wasn’t the right one anyway)>
‘The password you have entered has already been used, please try again’
Passwords can be traced back to ancient times, both in history and literature.
- Biblical times—In the 12th chapter of the biblical Book of Judges, during the chaos of battle between the tribes of Gilead and Ephraim, Gileadite soldiers used the word “shibboleth” to detect their enemies, knowing that the Ephraimites pronounced it slightly differently in their dialect.
- Literary history—The classic tale “Ali Baba and the Forty Thieves,” was invented in the 18th century by the French Orientalist Antoine Galland. The invocation “Open, Sesame!” used in the tale to open a magically sealed cave enjoys broad currency as a catchphrase today.
Passwords are now an essential component in the modern security landscape.
- The 1st digital password—In 1961, MIT computer science professor Fernando Corbato created the first digital password to solve a practical problem. When he built a giant time-sharing computer, several users needed their own private access to the terminals. His solution? Give each user their own password.
- Web 2.0 password overload—Today, there are passwords for almost everything. Each person has about 100 of them, and they’re often shared between family, friends, and coworkers. (Netflix, anyone?) Trying to remember all these details on a daily basis has led to major password fatigue.
They’re also—let’s be honest—pretty terrible.
On a basic level, passwords are only effective if users deliberately inconvenience themselves. Users must make a positive choice to use strong, unique passwords in every service they use. They then have to regularly update their passwords and sign-up for advanced security features, like multi-factor authentication (MFA) or an external password manager.
We don’t live in an ideal world. People don’t have the time or headspace to practice perfect password hygiene. Some businesses screw up. Things happen.
Any system that only works in perfect circumstances is—I think we can all agree—pretty flawed. Sure, passwords once served a useful purpose, but it’s time to retire them in favor of a stronger, more protective alternative.
A growing consensus
This isn’t a fringe opinion. Rather, it’s a perspective shared by the vast majority of IT professionals. In 2020, a LastPass survey revealed 95% of IT professionals believe passwords pose a security risk to their organization. They highlighted several bad practices—from password reuse and weakness to a failure to change default credentials in off-the-shelf applications and appliances.
It’s not a particularly novel opinion, either. The computer password originated during the heady days of the time-sharing paradigm, when academics competed for access to large, refrigerator-sized mainframes. Users needed a secure place to store their files, data, and applications, so MIT Computer Science professor Fernando Corbato established a system in which each user had a username and password.
Corbato’s idea for unique credentials stuck, and over the following decades, security industry professionals have sought to paper over the inherent flaws by introducing new technical measures and standards.
Businesses started hashing and salting their passwords, so that anyone who managed to breach their databases could not read the credentials directly. They used encryption to protect credentials as they traversed the open internet. Before the widespread deployment of SSL, a threat actor could connect to an unsecured Wi-Fi network and, using open-source tools like Wireshark, capture network traffic and sift out the valuable credentials and session cookies.
These measures work. But they don’t address the underlying flaws with passwords. Before the advent of modern identity measures, like multi-factor authentication and SSO, nothing stopped an attacker from simply guessing a password. Or repurposing credentials found elsewhere—a practice known as credential stuffing.
This shouldn’t be interpreted as an attack on people. We’re all busy, tired, and perfectly imperfect. It isn’t reasonable to expect everyone to practice perfect password hygiene. On a basic level, passwords weren’t designed for their current usage—in widespread, mass-market, networked systems and applications.
People follow the path of least resistance. And that means doing things that aren’t ideal from a security perspective—like reusing weak, easily guessed passwords. There remain a few seemingly intrinsic problems with passwords, not easily solved by cryptography.
- Short passwords are easy to remember but easier to guess; many people still use “password” or “123456” as the key to their sensitive data. Passwords that are weak or easy to guess are more common than you might expect: A recent study from the NCSC found that around one in six people uses the names of their pets as their passwords, making them highly predictable. To make matters worse, these passwords tend to be reused across multiple sites, with one in three people (32%) using the same password to access different accounts.
- Longer passwords are harder to crack but harder to remember. The simple fact is, passwords were never intended for the wide-scale usage that they see today. Humans are not wired like computers—we are wired to follow the path of least resistance. As such, when required to remember strings of letters and numbers, we will default to the easiest option.
- If a business fails to properly store credentials, even the most complex and unique password is rendered worthless. Businesses aren’t merely reliant on users practicing perfect password security; users also need to know that the services they use are properly secured.
A brief history of password-based attacks
The first known breach occurred when a researcher at MIT printed out passwords and gave them to other users.
Also at MIT, a software bug exposed the system’s master password file, making everyone’s passwords visible to anyone who logged in. At this early stage in password history, ethical hackers were more interested in exploring and testing computer systems than in criminal activity.
The first real bad actors started to appear. Some were “pranking,” while “phreakers” were making free long-distance calls by hacking into phone systems.
The infamous Morris Worm infected 6,000 networked computers; this was a malicious attack designed to exploit weaknesses in networked systems, including weak passwords. Also in the 1980s, the first instances of multifactor authentication (MFA) tokens appeared, mostly for use in nascent remote-access VPNs.
LinkedIn suffered a data breach in which hackers stole password hashes that were not salted. This was considered the first socially engineered computer virus, and it leveraged the rainbow table technique (see below).
Top 5 password-based attacks of today
The sad reality is that many of the tactics used in these early days of password compromise are still prevalent today; bad actors have evolved with the technology available and attacks have become more sophisticated. The end result, however, remains the same. In this new digital era, loss or compromise of security credentials is a nightmare scenario. Unauthorized access can lead to overwhelming financial fallout, liability, penalties, and reputational damage.
- Phishing—Among the most common password-stealing techniques currently in use, phishing is often used for other types of cyber attacks. Rooted in social engineering tactics, its success is predicated on being able to deceive a victim with seemingly legitimate information while acting with malicious intent.
- Social engineering—This term typically refers to the process of tricking users into believing the hacker is a legitimate agent. A common tactic is for hackers to call a victim and pose as technical support, asking for things like network access passwords in order to provide assistance.
- Brute force attack—Brute force attacks refer to a number of different methods of hacking that all involve guessing passwords in order to access a system. Most brute force attacks employ some sort of automated processing, allowing vast quantities of passwords to be fed into a system.
- Dictionary attack—The dictionary attack is a slightly more sophisticated example of a brute force attack. This uses an automated process of feeding a list of commonly used passwords and phrases into a computer system until something fits. Most dictionaries are made up of credentials gained from previous hacks, although they also contain the most common passwords and word combinations.
- Rainbow table attack—Whenever a password is stored on a system, it’s typically stored as a hash rather than in plaintext, so the original password cannot be read directly from the stored value. To bypass this, hackers maintain and share precomputed tables that map passwords to their corresponding hashes, often built from previous hacks, so that a stolen hash can be matched to its password without guessing from scratch. This is why unsalted hashes are so dangerous: a per-user salt makes every stored hash unique, and the shared table no longer matches. (Used in brute force attacks)
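The contrast between the unsalted storage described above and the salting mentioned earlier, as an added example that is not part of the original article: a precomputed hash-to-password table recovers an unsalted hash instantly, while the same password stored with a random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256, an assumption for this example) defeats the table yet still verifies for the legitimate user. The password list and the leaked record are constructed.

```python
import hashlib
import os
import secrets
from typing import Optional

# Constructed list of common passwords; the article names the first two.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "fluffy"]


def unsalted_hash(password: str) -> str:
    """The weak pattern: a plain SHA-256 of the password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precomputed hash -> plaintext table (a simplified rainbow table)."""
    return {unsalted_hash(p): p for p in candidates}


def recover_from_table(stored_hash: str, table: dict) -> Optional[str]:
    """Instant lookup: succeeds whenever the stored hash is unsalted and common."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """The hardened pattern: per-user random salt plus a slow KDF.
    Record format (constructed for this example): salt_hex$iterations$digest_hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iterations, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    # Constructed leaked record stored unsalted, as the article says LinkedIn's were.
    leaked = unsalted_hash("123456")
    print("unsalted lookup:", recover_from_table(leaked, table))  # -> 123456
    # Same password stored salted: the shared table no longer matches the digest...
    record = salted_hash("123456")
    print("salted lookup:", recover_from_table(record.split("$")[2], table))  # -> None
    # ...but legitimate verification still works.
    print("verify:", verify_salted("123456", record))  # -> True
```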
Traditional authentication using a username and password has been the foundation of digital identity and security for over 50 years. But with the ever-growing number of user accounts, there are a number of new issues: the burden on end users to remember multiple passwords, support costs, and most importantly, the security risks posed by compromised credentials. These new challenges now outweigh the usefulness of passwords. The case for eliminating passwords from the authentication experience is getting more compelling every day.
Here’s the thing: We know passwords are a security Achilles heel. We understand the underlying fundamental weaknesses, and that we can’t simply engineer them away with better encryption technology.
It’s time to have a frank discussion about leaving passwords behind for good. The security challenges are too great. By consigning passwords to the annals of computing history, we can adopt technologies that better protect users, while also delivering a superior user experience (UX).
Passwordless authentication isn’t a fantastic, futuristic dream. It’s today's reality. You likely already use passwordless technologies in your day-to-day life, like Apple’s Touch ID and Face ID, or Microsoft Hello. At work, you might sign on using a fingerprint or smart card. Or, you may use token-based authentication, proving your identity by generating a one-time password through a mobile application.
Learn more about how Okta can help you protect against password-based attacks in our Anatomy of Identity-Based Attacks whitepaper, and how we can help you reduce your reliance on passwords.