Passwords have been around since ancient times and they now serve as the primary method for authenticating a user during the login process. Individuals are expected to use unique username and password combinations to access dozens of protected resources every day – their social media accounts, banking profile, government portals and business resources.
Yet, to save time at login and avoid recalling many sets of credentials, people routinely reuse the same username and password across accounts. The convenience carries a serious risk: a criminal who obtains one breached username and password pair can try that same combination against other services (credential stuffing) and gain access to accounts holding far more sensitive data, including healthcare portals with protected health information (PHI).
On top of this, attackers can use breached personal information to craft highly targeted, and highly effective, phishing attacks. To combat this epidemic and protect users, enterprises need to rethink their current approach to the login journey.
The reality of password malpractices
Despite increased global spending on information security, companies continue to be breached, and a large share of those breaches trace back to poor password practices. Once a breach occurs, the stolen data is often put up for sale on the dark web, where many marketplaces let a threat actor buy pilfered credentials outright.
For example, last year 617 million account records from 16 hacked websites were found for sale on the dark web for less than $20,000 in Bitcoin. Lists like these are aimed at credential stuffers, which explains the price: a few thousandths of a cent per account.
Even the fact that some of the passwords in this dump were hashed did not deter buyers. The dump included account details from 500px, a photo-sharing service, some of which were hashed with the message digest algorithm five (MD5). MD5 has long been deprecated for cryptographic use, but its collision weaknesses are not the real problem here. MD5 is a fast general-purpose digest, not a password hashing function: an attacker can test billions of candidate passwords per second on commodity GPUs, so common passwords are recovered in seconds regardless of the 128-bit output size, and if no per-user salt was used a single precomputed table covers the entire dump. Purpose-built password hashes (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) exist precisely to make each guess expensive. This is one reason why weak and stolen passwords are cited as the cause of roughly four out of five data breaches worldwide.
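The following is an added illustration, not code from the article or from 500px, of why a dump of fast, unsalted MD5 hashes is so cheap to crack and what a salted, deliberately slow hash changes. It assumes the leaked rows were unsalted MD5 hex digests (the article says only "hashed with MD5"); the usernames, passwords and the attacker wordlist are constructed for the demonstration.

```python
"""Unsalted, fast MD5 versus a salted, deliberately slow password hash.

Added example for the 500px paragraph above; it is not code from the
article or from 500px.  Usernames, passwords and the attacker wordlist
are constructed here, and the "leak" is assumed to be unsalted MD5.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed "leaked" rows: (username, unsalted MD5 hex digest).
LEAKED_MD5_ROWS: List[Tuple[str, str]] = [
    ("alice", hashlib.md5(b"123456").hexdigest()),
    ("bob", hashlib.md5(b"qwerty").hexdigest()),
    ("carol", hashlib.md5(b"password").hexdigest()),
    ("dave", hashlib.md5(b"correct-horse-battery-staple").hexdigest()),
]

# Constructed attacker wordlist.  Real ones hold hundreds of millions of
# entries; the per-row cost of the unsalted attack does not grow with the dump.
WORDLIST: List[str] = ["password", "123456", "qwerty", "letmein", "iloveyou"]

# Work factor for the salted scheme: the PBKDF2-HMAC-SHA256 figure from the
# OWASP Password Storage Cheat Sheet (2023 revision).
PBKDF2_ITERATIONS = 600_000


def crack_unsalted_md5(rows, wordlist) -> Dict[str, Optional[str]]:
    """Dictionary attack on unsalted MD5.

    Without a salt, one table of len(wordlist) MD5 calls covers the whole
    dump: every row is then a single dictionary lookup, and users who chose
    the same password fall together.  MD5's raw speed is what makes this
    cheap; its collision weaknesses play no part.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table.get(digest) for user, digest in rows}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as alg$iterations$salt$hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    alg, iters, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash: {alg}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def build_salted_rows(iterations: int = PBKDF2_ITERATIONS) -> List[Tuple[str, str]]:
    """The same four constructed users, stored with per-user random salts."""
    plain = [("alice", "123456"), ("bob", "qwerty"),
             ("carol", "password"), ("dave", "correct-horse-battery-staple")]
    return [(u, hash_password(p, iterations=iterations)) for u, p in plain]


def crack_salted_pbkdf2(rows, wordlist) -> Tuple[Dict[str, Optional[str]], int]:
    """Same wordlist against the salted rows.

    No shared table is possible: each row needs its own pass over the
    wordlist, and each guess costs a full PBKDF2 run.  Returns the cracked
    passwords and the number of KDF evaluations the attack needed.
    """
    found: Dict[str, Optional[str]] = {}
    kdf_calls = 0
    for user, stored in rows:
        found[user] = None
        for guess in wordlist:
            kdf_calls += 1
            if verify_password(guess, stored):
                found[user] = guess
                break
    return found, kdf_calls


if __name__ == "__main__":
    print("unsalted MD5:", crack_unsalted_md5(LEAKED_MD5_ROWS, WORDLIST))
    # Reduced rounds only to keep the demo quick; production uses PBKDF2_ITERATIONS.
    salted = build_salted_rows(iterations=10_000)
    cracked, calls = crack_salted_pbkdf2(salted, WORDLIST)
    print(f"salted PBKDF2: {cracked} after {calls} KDF runs")
```

Note what the salted run does and does not buy: "123456", "qwerty" and "password" still fall, because they are in any wordlist, but the attacker now pays one full PBKDF2 evaluation per guess per user instead of one lookup, and a precomputed table is useless. Slow, salted hashing protects users who chose decent passwords; it does not rescue the ones in the top of the wordlist, which is the argument the rest of the article makes for removing the password altogether.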
What are organizations currently doing to augment password security?
Some enterprises try to improve password security by tightening their password policies, requiring longer passwords with more character classes. Unfortunately, users still pick passwords such as "123456", "qwerty" and "password" when creating new accounts, and stricter complexity rules push others to write their password down or reuse one they already know. A password found on a sticky note or in a breached database is no longer secret, however complex it is.
Companies may also schedule more frequent password resets, but this is costly: the average large company spends over $1 million a year on password resets. And a user prompted to choose a new password for one account can simply reuse the password from another, feeding the reuse problem rather than solving it.
What should organizations be doing to secure the user login experience?
To eliminate the failure modes of weak and reused passwords, password-free authentication methods will become more widely adopted. One form is an out-of-band step on a mobile device, which on its own is a form of two-factor authentication (2FA): the login requires identity verification through a separate channel, typically a smartphone or a hardware token, in place of (or in addition to) a typed password. Because the secret stays on the device rather than in the user's memory, there is nothing for the user to reuse across sites and nothing for a phishing page to collect.
Gartner estimates that 90% of midsize businesses, as well as 60% of large and global enterprises, will implement password-free authentication in more than half of all use cases by 2022. With Apple's announcement that it will join the FIDO Alliance, an open industry association whose stated goal is to "reduce the world's over-reliance on passwords," the end of passwords may come even faster.
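To make the device-based, out-of-band verification described above concrete, here is an added example modelled on the challenge-response flow that FIDO2/WebAuthn (the FIDO Alliance's standard) uses. It is not code from the article, Apple or the FIDO Alliance. One simplification is labelled in the code: the per-site credential is an HMAC secret shared with the site, whereas a real FIDO2 authenticator keeps a per-site private key and the site stores only the matching public key. The origins, usernames and scenarios are constructed.

```python
"""Device-bound, origin-scoped challenge-response login.

Added example modelled on the FIDO2/WebAuthn flow; not code from the
article, Apple or the FIDO Alliance.  Simplification: the per-site
credential is an HMAC secret shared with the site, where a real FIDO2
authenticator holds a per-site private key and the site stores only the
public key.  Origins, usernames and the three scenarios are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def _signed_payload(origin: str, challenge: bytes) -> bytes:
    # The origin the browser reported is part of what gets authenticated,
    # so a response produced on a lookalike site cannot be replayed here.
    return origin.encode() + b"|" + challenge


class Authenticator:
    """The possession factor (phone or hardware key).  Secrets never leave it."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}  # one credential per origin

    def register(self, origin: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[origin] = key
        return key  # simplification: a real device returns a public key here

    def respond(self, origin: str, challenge: bytes) -> Optional[dict]:
        key = self._keys.get(origin)
        if key is None:
            return None  # no credential scoped to this origin: nothing to sign
        mac = hmac.new(key, _signed_payload(origin, challenge), hashlib.sha256).digest()
        return {"origin": origin, "challenge": challenge, "mac": mac}


class RelyingParty:
    """The site being logged into: stores credentials, issues one-time challenges."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self._creds: Dict[str, bytes] = {}
        self._pending: Dict[bytes, str] = {}  # outstanding challenge -> user

    def enroll(self, user: str, credential: bytes) -> None:
        self._creds[user] = credential

    def begin_login(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending[challenge] = user
        return challenge

    def finish_login(self, user: str, response: Optional[dict]) -> bool:
        if response is None:
            return False
        # 1. Challenge must be one we issued for this user; it is consumed
        #    here whatever happens next (replay protection).
        if self._pending.pop(response["challenge"], None) != user:
            return False
        # 2. The device must have answered for *our* origin (phishing resistance).
        if response["origin"] != self.origin:
            return False
        # 3. The MAC must verify under the credential enrolled for this user.
        cred = self._creds.get(user)
        if cred is None:
            return False
        expected = hmac.new(cred, _signed_payload(self.origin, response["challenge"]),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response["mac"])


def _enrolled_pair() -> Tuple[RelyingParty, Authenticator]:
    rp = RelyingParty("https://login.bank.example")  # constructed origin
    device = Authenticator()
    rp.enroll("alice", device.register(rp.origin))
    return rp, device


def legitimate_login() -> bool:
    rp, device = _enrolled_pair()
    challenge = rp.begin_login("alice")
    return rp.finish_login("alice", device.respond(rp.origin, challenge))


def replayed_response() -> Tuple[bool, bool]:
    """A captured valid response sent a second time fails: the challenge is spent."""
    rp, device = _enrolled_pair()
    challenge = rp.begin_login("alice")
    response = device.respond(rp.origin, challenge)
    return rp.finish_login("alice", response), rp.finish_login("alice", response)


def phishing_relay() -> bool:
    """A lookalike site relays the real challenge; the browser reports the
    lookalike origin to the device, so even a user who once enrolled the
    device with the lookalike site produces a response the real site rejects."""
    rp, device = _enrolled_pair()
    lookalike = "https://login-bank.example"  # constructed phishing origin
    device.register(lookalike)
    challenge = rp.begin_login("alice")  # attacker fetches this from the real site
    response = device.respond(lookalike, challenge)
    return rp.finish_login("alice", response)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("replay    :", replayed_response())
    print("phishing  :", phishing_relay())
```

The contrast with a password is the point: a password typed into the lookalike page can be relayed to the real site and accepted, because the site cannot tell where it was typed. Here the response is bound to a fresh challenge and to the origin the browser actually saw, and the credential itself never leaves the device, so the relay fails at the origin check and a captured response fails at the replay check.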
Passwordless authentication will not only improve security posture but also save organizations money by reducing or eliminating password resets. Password-free methods also improve the overall user experience by removing friction from the login process.
In order to prosper in today’s digital economy, businesses will quickly learn that creating personalized and secure experiences that exceed customer expectations will pay off tenfold down the road. Passwordless authentication is just one step an organization can take in order to grow its business and obtain a competitive advantage through superior customer experiences.