The Pernicious Problem of Passwords
Amidst so much turmoil and societal change during the past few years, one core feature of humanity has remained the same: people are bad at creating strong passwords.
Despite warnings and recommendations, we still use the streets we grew up on, references to our high school mascot, phrases from our favorite movies, or the same word with a different set of numbers attached to the end for every login. The issue is a rampant one, identity management and fraud detection firm SpyCloud found in an analysis of breach exposures affecting Fortune 1000 enterprises.
“We found a 64 percent password reuse rate among Fortune 1000 email addresses in our database that have been exposed in more than one breach,” according to SpyCloud’s 2022 Fortune 1000 Identity Exposure Report. “This is four points higher than the 60 percent password reuse rate we see across our entire database, but it’s even more concerning because high password reuse is a trend we see with Fortune 1000 employees year after year.”
The researchers wrote that this trend is troubling because it means “that even their old exposures matter; criminals will use them against the employees and their enterprises for years as long as the habit remains unchanged.”
Another challenge is that password reuse is becoming a growing concern for CISOs, because ransomware attacks increasingly begin with exposed, reused credentials found in breach records, the data sets tied to an individual user in a breach that include assets such as passwords and phone numbers. Breach records associated with Fortune 1000 employees increased 18 percent year-over-year, SpyCloud found.
Reuse rate of passwords among Fortune 1000 email addresses.
“The quantity of breach assets tied directly to Fortune 1000 employees grew 26 percent year-over-year to 687.23 million,” the report explained. “The five sectors with the highest year-over-year growth in breach assets are telecommunications, media, industrials, technology, and business services.”
Even when employees do not reuse passwords, the new ones are sometimes incredibly simple or obvious—especially in data sets reviewed from critical infrastructure data breaches. In four critical infrastructure sectors (aerospace and defense, chemical, energy, and industrial), company names were one of the top three to five most popular passwords.
“In far too many cases, we’re seeing as many as half of the 10 most popular passwords at a specific company containing that company’s name,” SpyCloud said.
And once these assets, including credentials, are exposed, threat actors will use them to breach an organization. In nearly 50 percent of all non-error, non-misuse breaches examined in the 2022 Verizon Data Breach Investigations Report (DBIR), threat actors used legitimate credentials to gain unauthorized access to organizations.
While some experts continue to stress the use of password managers, which create complex passwords and store them for employees, other developments might quash the problem entirely by doing away with the password for most users.
That effort gained momentum in the second quarter of 2022 when Apple, Google, and Microsoft committed to expanding their support for the Fast Identity Online (FIDO) standard to accelerate the availability of passwordless sign-ins.
The FIDO standard was developed by the FIDO Alliance, an open industry association that is focused on reducing reliance on passwords by promoting the development, use, and compliance with standards for authentication and device attestation. The alliance has worked to create technical specifications for open, scalable, and interoperable mechanisms for user authentication that will eventually eliminate the use of passwords.
So far, this work has resulted in the development of FIDO Universal Second Factor (FIDO U2F), the FIDO Universal Authentication Framework (FIDO UAF), and FIDO2. That work is now embraced by some of the largest technology players in the world to enable, and encourage, users to take advantage of it.
“The expanded standards-based capabilities will give websites and apps the ability to offer an end-to-end passwordless option,” the FIDO Alliance announced in a press release. “Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN. This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multifactor technologies such as one-time passcodes sent over SMS.”
With Apple, Google, and Microsoft’s commitments, users will be able to use two new capabilities for passwordless sign-ins. The first will let users automatically access their FIDO sign-in credentials on devices without re-enrolling their accounts. The second will let users enable FIDO authentication on their mobile devices to sign into an application or website on a nearby device, regardless of the operating system platform or browser they are using.
This works because FIDO introduced a new process that allows private keys used for authentication to synchronize across a device cloud, says Andrew Shikiar, executive director of the FIDO Alliance, in an interview at the 2022 RSA Conference in San Francisco.
“The private key is no longer on the device—it’s synced securely in a device cloud from a platform vendor, so when I go to enroll a new device on that platform, I can just show my biometric,” Shikiar explains.
Moving towards this workflow for authentication means that FIDO will be more scalable and easier to use, because once platform vendors implement it, users will be able to log into accounts without needing to remember a password.
“Usability leads to more usage, and it can have top-line benefits,” Shikiar adds. “Security is sort of a bottom-line cost prevention—breach and theft. With better usability, you can have higher login rates so you have more commerce, more throughput, all of those things, so usability is really important.”
And implementing solutions that eliminate passwords could also reduce liability for organizations that sell products to consumers.
“Passwords lead to data breaches. They lead to account takeovers. They lead to fraud,” Shikiar says. “So, this stands to take that liability off of those organizations, off their servers and shoulders all together, and put it on to the platform providers.”
There will still be situations where organizations and users will want to use FIDO’s original security key authentication method—such as for access to intellectual property or for corporate financial management.
“Ultimately, from a security standpoint, FIDO security key will remain the gold standard of FIDO authentication in the sense that the credential will always be on that key, it won’t be synced in the cloud, and they’ll have more control over it,” Shikiar says.
After committing earlier this year to implement FIDO, Apple announced at its Worldwide Developers Conference in June 2022 that it would roll out its implementation of the new FIDO standard in the form of a passkey. Instead of creating a password when signing up for a new account, users on iOS 16 will have the option to authenticate with Touch ID or Face ID instead, and that credential is the passkey. Users will also be able to synchronize their passkeys across devices through Apple’s iCloud Keychain.
“Passkeys are a replacement for passwords that are designed to provide websites and apps a passwordless sign-in experience that is both more convenient and more secure,” Apple said in a fact sheet. “Passkeys are a standard-based technology that, unlike passwords, are resistant to phishing, are always strong, and are designed so that there are no shared secrets. They simplify account registration for apps and websites, are easy to use, and work across all your Apple devices, and even non-Apple devices within physical proximity.”
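Two properties in Apple's description, "no shared secrets" and "resistant to phishing", follow directly from the key-pair design Shikiar outlines above: the private key stays with the user (on the device or in the platform vendor's synced keychain), the site stores only the public key, and what gets signed is a fresh challenge together with the origin the browser actually loaded. The following toy relying party and authenticator are an added example written for this article, not FIDO Alliance, Apple or WebAuthn library code. The site "example.com", the user "alice" and the look-alike origin "examp1e.com" are constructed, and textbook RSA with freshly generated primes stands in for the signature algorithms real authenticators use, purely so the block runs on the Python standard library.

```python
# Added example (not FIDO Alliance, Apple or WebAuthn library code): a toy relying party
# and authenticator showing why a public-key credential leaves no shared secret on the
# server and why a look-alike phishing origin cannot use it. Textbook RSA with freshly
# generated primes stands in for real signature algorithms; illustration only.
import hashlib
import json
import secrets
from urllib.parse import urlparse

_E = 65537  # RSA public exponent
_SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31)

def _is_probable_prime(n, rounds=32):  # Miller-Rabin (constructed helper)
    if any(n % p == 0 for p in _SMALL):
        return n in _SMALL
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=512):  # returns (public, private) as (exponent, modulus) pairs
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % _E:  # _E is prime, so this is the gcd check
            return (_E, p * q), (pow(_E, -1, phi), p * q)

def sign(private, data):  # SHA-256 digest (256 bits) is always below the 510-bit-plus modulus
    d, n = private
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(public, data, signature):
    e, n = public
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

class Authenticator:
    # Platform authenticator plus the browser's origin check; the biometric prompt the
    # article describes would gate sign_in() on a real device.
    def __init__(self):
        self._credentials = {}  # rp_id -> private key, never sent to any server
    def register(self, rp_id):
        public, private = generate_keypair()
        self._credentials[rp_id] = private
        return public  # the only thing the relying party ever stores
    def sign_in(self, rp_id, challenge, origin):
        host = urlparse(origin).hostname or ""
        # A credential is scoped to its RP ID; the browser refuses to use it from other sites.
        if (host != rp_id and not host.endswith("." + rp_id)) or rp_id not in self._credentials:
            return None
        # Real WebAuthn also signs authenticator data; the origin binding works the same way.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": origin}, sort_keys=True).encode()
        return client_data, sign(self._credentials[rp_id], client_data)

class RelyingParty:
    def __init__(self, rp_id):
        self.rp_id, self.origin = rp_id, "https://" + rp_id
        self.users = {}     # username -> public key only; a breach of this table leaks no secret
        self._pending = {}  # username -> outstanding single-use challenge
    def register(self, username, public):
        self.users[username] = public
    def begin_sign_in(self, username):
        self._pending[username] = secrets.token_bytes(32)
        return self._pending[username]
    def finish_sign_in(self, username, client_data, signature):
        challenge = self._pending.pop(username, None)  # consumed even on failure
        if challenge is None or username not in self.users:
            return False
        fields = json.loads(client_data)
        if (fields.get("type") != "webauthn.get" or fields.get("origin") != self.origin
                or fields.get("challenge") != challenge.hex()):
            return False  # produced for another site, or stale/replayed
        return verify(self.users[username], client_data, signature)

def demo():
    """Genuine login passes; a replayed assertion and a phishing origin both fail."""
    device, site = Authenticator(), RelyingParty("example.com")
    site.register("alice", device.register(site.rp_id))
    challenge = site.begin_sign_in("alice")
    client_data, signature = device.sign_in(site.rp_id, challenge, site.origin)
    login = site.finish_sign_in("alice", client_data, signature)
    site.begin_sign_in("alice")  # a fresh challenge is now outstanding
    replay = site.finish_sign_in("alice", client_data, signature)
    challenge = site.begin_sign_in("alice")  # relayed by a look-alike phishing page
    attempt = device.sign_in(site.rp_id, challenge, "https://examp1e.com")
    phish = attempt is not None and site.finish_sign_in("alice", *attempt)
    return {"login": login, "replay": replay, "phish": phish}
```

Running demo() shows the three outcomes the article's sources describe: the genuine sign-in succeeds, the captured assertion cannot be replayed because every challenge is single-use, and the look-alike page gets nothing to relay because the credential is bound to the real site's identifier. The relying party's user table holds public keys only, so the "shared secret" that a password database represents simply does not exist.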
Apple is expected to release iOS 16 in September or October 2022. Details of how Microsoft and Android will implement FIDO were not shared prior to Security Management’s press time, but Shikiar says he’s looking forward to seeing how they follow through to change the authentication experience most people have with technology.
“Passwords have the advantage of incumbency. They’re part of the fabric of the Web itself, and they’re manageable for usability in the sense that anyone can do it,” Shikiar says. “For us to uproot that, the new system needs to be just as easy and just as pervasive.”
While passwordless methods roll out, there are steps that organizations can take to improve their password practices, the SpyCloud report authors said.
“To minimize exposure and safeguard data, enterprises need to enforce strong enterprise password policy with single sign-on where possible, create clear company policies on the use of business and personal devices, enforce multi-factor authentication on critical accounts, and mandate the use of password managers, as well as leverage continuous, actionable intelligence into their users’ exposure—especially in industries entrusted with a vast amount of sensitive consumer data.”