Passwords are a standard protection measure used in preventing unauthorized users from accessing computers, data, networks, and information systems. Additionally, individual users use passwords to protect their devices. Therefore, password security is a widely used mechanism both at home and in the workplace. Password management provides stipulations to ensure users create strong passwords, use secure methods to store and share them, and do not use a single password to secure all their accounts. That said, password management is the best practices, principles, and policies developed to achieve robust and efficient password creation and storage practices.
Five Statistics Show Why Password Management is Important
Most companies are adopting IoT technologies rapidly to increase employee productivity and enable work-from-home strategies. As such, they must ensure users adhere to recommended password security practices to protect critical IT assets from internal and external threats. However, the following five statistics show that a vast majority of organizations lack proper password use practices and, therefore, why they require to adopt the requisite password management strategies:
1. Most phishing victims don't change their passwords:
At least 57% of individuals who fall victim to phishing scams don't change their passwords. It is an unhealthy practice that can lead to unwanted security threats, including identity theft attacks.
2. Numerous organizations don't protect mobile device data:
A Ponemon Institute research showed that 45% of employees rely on mobile devices for work-related purposes, whereas 55% of IT staff allow employees to use mobile devices. Alarmingly, 62% of the IT security respondents stated that their organizations had not implemented proper mobile device protection controls, and 56% don't authenticate mobile users using recommended multi-factor authentication methods.
3. 2.2 billion unique passwords were exposed in 2019:
Various credential theft attacks compromised not less than 2.2 billion passwords in 2019. Additionally, the passwords were found in different dark web platforms, threatening individual and organizational security.
4. More than half of IT security staff retain the same password management strategies:
A recommended security measure is to change password management strategies after an attack. However, the Ponemon Institute research found that 53% of IT heads retain the same password management methods after an attack. It was also shocking that IT professionals and individual users responding to the research said they reuse passwords in an average of 12 and 16 work accounts, respectively.5. Young adults are overconfident in their internet security approaches:
A recent poll found that 71% of young internet users were confident they couldn't be victims of a phishing attack. But, interestingly, only 44% stated they understand how phishing methods work. The poll also found that 67% of young internet users share passwords using insecure online methods.
Password Management Mistakes to Avoid
Password management is crucial to maintaining high password security standards. Unfortunately, despite the above statistics showing the necessity of password management to organizational security, the following password management mistakes are rife in most companies:
1. Passwords based on known names:
Malevolent cyber actors use multiple combinations of known names to try cracking passwords of specific accounts. They may try combining the victims' names, siblings, friends, favorite personalities or places, and dates of birth until they get the right combination. Therefore, users should avoid using known names to create passwords.
2. Passwords based on adjacent keyboard keys:
Passwords created using adjacent keys are used often since most users perceive them as easy to remember. However, passwords like 123456qwerty are extremely common and easy to crack. Hackers require a few seconds to brute-force such passwords and should be avoided at all costs.3. Dictionary words-based passwords:
Any word in the English dictionary should not be used to create account passwords. Dictionary attacks crack such passwords by attempting all dictionary names hoping that the target has used them to create passwords. Instead of dictionary words, users should use a combination of special characters, symbols, and numbers to come up with hard-to-guess passwords.4. Reusing passwords to multiple accounts:
Numerous individuals reuse a single password to secure different accounts. However, an attack that compromises just one account can lead attackers to all other accounts. In this regard, users should strive to create a unique password for each account.
Common Password Management Vulnerabilities
A single data breach can result in adverse financial implications for businesses of all sizes. For instance, the average cost of a data breach today is $4.24 million, an amount that can put small companies out of business within six months. As a result, considering the financial repercussions of a data breach and the value of protected sensitive information, businesses rely on passwords and unique usernames to protect themselves from attacks. Nevertheless, using passwords may provide companies with a false sense of security, a weakness that cyber adversaries are too happy to exploit.
For instance, relying on passwords to solely secure data, networks, or information systems breeds several risks. The most common one is insider threats, where a malicious employee knowing the password and username of another employee can use them for harmful reasons and hide their tracks. As a result, it can be impossible to know or identify the culprits, while the innocent password owner takes all the blame. Besides, using someone else's login credentials for any reason without their consent is an instance of unauthorized access. Unauthorized access can cause massive data breaches, privacy violations, and data exfiltration.
In this regard, password management can be classified into technical vulnerabilities and user or organizational vulnerabilities. Technical vulnerabilities comprise insecure password storage methods and weak encryption techniques, whereas organizational password vulnerabilities consist of insufficient password security awareness among employees and a lack of required password policies.
1. Technical Vulnerabilities
Technical vulnerabilities are security flaws in a software or operating system. Several vulnerabilities negatively impact password management practices in an organization. Weak password encryption schemes are among the most common since most software developers and vendors perceive created passwords as safe, provided they don't reveal the source code of the implemented password encryption algorithms. However, this is misleading since attackers can patiently and persistently hack security by obscurity – security that relies on secrecy implementations. Attackers often crack the encryption code in software or operating system to reveal passwords and distribute them across dark web platforms.
Also, some programs store passwords in easily accessible databases, unsecured files, and memory. Therefore, individuals with technical know-how can utilize special tools to reveal the passwords. Besides, unencrypted databases provide access to anyone with database access permissions, enabling them to view stored passwords. Due to this, it is pertinent to utilize password management solutions that encrypt all password storage locations.
2. Organizational/User Password Vulnerabilities
Organizational or user password vulnerabilities occur due to user mistakes when managing their passwords. For example, employees may create weak passwords using dictionary-based or known words and expose an organization to severe security risks. Also, some employees may share passwords through unsecured, unencrypted channels through the internet. Man-in-the-middle attackers may then intercept the credentials and compromise all user accounts protected using the credentials.
In addition, reuse is among the rifest organizational password vulnerabilities. While some organizations require employees to change their passwords frequently, some users often repeat passwords instead of creating new ones. However, the essence of creating new passwords is to minimize the risk of malicious actors using compromised passwords to gain unauthorized access. Besides, some employees reuse the same password across multiple risks, potentially exposing the organization to security risks. It is easier for hackers to compromise accounts secured using the same password.
Password Management Challenges
1. Sniffing Attacks
Password sniffing attacks occur when attackers use network monitoring tools to capture (sniff) incoming and outgoing traffic. For example, an attacker, often referred to as man-in-the-middle, eavesdrop on the network connection between a user and an internet resource, such as an email account, and captures the usernames and passwords as the victim types them. The attack method is more common in public Wi-Fi networks with little protection or insufficient encryption protocols. For this reason, users should desist from accessing their accounts via insecure public networks. Also, organizations should implement the required encryption protocols in their internal networks to ascertain the encryption of transmitted login information.
2. Shoulder Surfing Attacks
Shoulder surfing is an attack technique used to capture login credentials, including PINs, passwords, and usernames. Specifically, adversaries obtain the information by observing a target, typically over their shoulder, to capture and record the keystrokes, hence the term shoulder surfing. Shoulder surfing may also entail eavesdropping on sensitive data related to a person and using it to gain access to protected accounts. Most attackers use the method in crowded places, whereas malicious insider threats can easily shoulder surf other employees as they log in to their work accounts. Expectedly, shoulder surfing often results in unauthorized account access, data theft, and illegal use of compromised accounts.
3. Social Engineering Attacks
Social engineering attacks seek to exploit a user's trust to get them to reveal sensitive information like passwords. It is one of the easiest methods malicious internet actors use to steal login credentials. For example, cybercriminals may pose as the IT help desk and send targeted phishing emails asking employees for their login credentials to 'rectify' a security problem. In other cases, hackers may trick users that their accounts have been compromised and they, therefore, need to log in and change them. However, the provided link could be a spoofed site that collects all user login credentials and sends them to a command and control server under the hackers' control.
4. Login Spoofing
Ideally, attackers create a fake replica of an account's login page. As a result, the user inputs the correct login credentials, thinking it is a legitimate login page. However, any login attempts cause the fake program to query for the required password and username, records the provided credentials, and often display an invalid login message and log out the fake replica of the login page. In most instances, users may think they have provided the wrong details or made a typographical error. As a result, they try to log in, and this time succeeds. Hackers prefer using this method to target employees with high access privileges, such as system administrators.
5. Brute Force Attacks
Brute-force attacks involve using automated software designed to generate all possible password combinations and trying each combination to compromise a user account. The automated tools try different combinations of special symbols, letters, and numbers that conform to recommended password rules until the right combination works. Organizations can resolve password management challenges resulting from brute-force attacks by limiting the number of times a user can try different passwords. For instance, restricting unsuccessful password inputs to three tries and locking out users, say for an hour, can make it hard and infeasible to guess every password combination.
Password Authentication Methods
The password management vulnerabilities and challenges mentioned above can affect any organization. Cyber actors exploit them for one primary reason – to steal passwords and usernames and use them to access confidential company resources without authorization. In light of this, password authentication methods are necessary measures for managing the security of user login credentials.
1. Single Sign-On (SSO)
SSO is an authentication method that allows users to access multiple systems or applications after logging in to a related application. It is a convenient authentication method since it eliminates the need for creating multiple login credentials for different user accounts. Companies use the SSO authentication scheme in centralized domains, such as an Identity Access Management (IAM) system, and creates secure SSO links between related IT resources. The benefits of SSO authentication include the ability to monitor employee authentication across a domain. Also, it logs out users from the linked resources after they end an active session.
2. Password Authentication Protocol (PAP)
PAP is one of the most used authentication protocols but deemed to be less secure. Essentially, the method requires users to provide a correct password and username to access system resources, and that's it. A system can authenticate anyone with the correct combination of login credentials. However, most password authentication protocols lack encryption and often relay the login credentials in plain text. Luckily, deploying strong network encryption schemes can prevent unauthorized entities from accessing the information.
3. Extensible Authentication Protocol (EAP)
EAP supports multiple forms of user authentication, including smart cards and the use of one-time passwords. The protocol provides a high level of security when applied in wireless networks since it enables built-in encryption to protect mutual authentication between a remote service and a specific access point. Specifically, EAP authenticates the identity of a user through the authentication server before connecting the access point requesting the login credentials to the external server. The process is encrypted and authenticates user identity both at the external server and at the access point.
4. Challenge Handshake Authentication Protocol (CHAP)
The CHAP identity authentication protocol uses an encrypted three-way 'secret' exchange to verify the identity of a user in a given network. Particularly, the network router first sends an authentication 'challenge' to a remote host. Then, the remote host sends back a response encrypted using an MD5 hash function. Upon receiving the response, the network router matches its hash value (expected response) to determine whether the response from the remote host matches the request. If the router determines the response and request match, it establishes a secure authenticated connection, referred to as the handshake, or denies access if there is no match.
5. Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) uses multiple items to authenticate the identity of a user trying to log in to a system. It is a secure method that prevents unauthenticated users from unauthorized access even if they know the correct username and password combination. MFA requires users to provide additional authentication information, such as a validation code or biometric only known to the legitimate user. This way, MFA ascertains that only a legitimate user can log in and access protected system or network resources.
6. Biometric Authentication
Biometric authentication relies on a user's unique biological features to authenticate their identity. Therefore, biometric authentication is beneficial since it easily compares the biological attributes with authorized features in a database to verify user identity. Besides, organizations can decide to include biometric authentication in MFA schemes as additional authentication items to prevent malicious individuals from using stolen passwords to gain unauthorized access. Common biometric authentication methods require fingerprints, voice recognition, eye scanning, and facial recognition to authenticate users with the correct password.
7. Certificate Based Authentication
Certificate-based authentication uses digital certificate technologies to authenticate user identity. A digital certificate contains a user's digital identity, including the certification's authority's digital signature and a public key. The client must possess a valid certificate that identifies the client to the remote server during the authentication process. The client also maintains a database holding the private keys corresponding to the digital certificate's public keys. Upon entering the correct password and username, the client uses the private keys to sign the digital certificate digitally and sends it to the remote server via a network. The server then uses the digitally signed certificate and corresponding public keys to authenticate the user and authorize access to server resources.
