Credential-based authentication is the method nearly all network users are used to and has been a common tool for decades. But unlike other decades-old technology, passwords have not been phased out of regular use.
Now more than ever, passwords pose a serious risk to the integrity of secure networks and offer an easily exploitable blind spot for bad actors to gain unauthorized network access. Credential theft is often cited as the catalyst for data breaches that cost organizations thousands to millions of dollars in damages. What about passwords makes them so susceptible to theft?
Poor Password Experience for the User
A Burdensome Authentication Method
A common complaint about the overall online experience today is the number of passwords people have to deal with. People are expected to have unique passwords at work, at home, for their bank, for their streaming service, for all their different apps – the list could go on forever.
Research from NordPass found that the average internet user has somewhere between 70-80 passwords. And they had better be able to keep all those passwords straight when they have to go through the annoying process of manually entering credentials. If they enter the password wrong too many times, they often get locked out of the account, have to enter additional identifying information to prove their identity, and then change the password to something new. The entire process is a hassle, and a user has to contend with it for 70-80 accounts.
Organizations, such as universities or businesses, store a large amount of valuable data. As a result, they often institute a password reset policy to bolster the strength of credential-based security. After a certain amount of time passes, usually between 2-6 months, all passwords expire and must be reset for every network user.
While this does help reduce the risk of stolen passwords being used to enter the network, it’s an enormous roadblock for users. They have to reset and reconnect every device they have connected to the network. A network that hosts hundreds to thousands of users will have a huge number of connected devices, and a password reset will likely lead to a huge influx of IT support ticket requests.
This process can bring an entire organization to a halt while everyone sorts out their passwords, resulting in huge costs to the organization and a blow to productivity.
Password Best Practices
In addition to password reset policies, there are a number of guidelines that should be followed to get the most out of the security passwords can offer.
The number one piece of advice given is to avoid the use of simple passwords. Passwords that are single words, or use information personal to the user (such as a pet’s name) can be easily cracked by an attacker using a number of different attack methods, which will be explored in greater detail later on.
Using complex passwords, or even passphrases, can make it much more difficult for a hacker to be successful. But having dozens of unique, complex passwords often leads users to break the next best practice: never write your passwords down. A piece of paper can be easily lost, and a notepad of passwords can be easily stolen. If an event like this happens, your accounts are at high risk of being exposed and exploited.
Another common mistake is reusing passwords across multiple accounts. If a hacker obtains one password, they automatically have access to a number of accounts. It makes the process of accessing a user’s information that much easier.
To follow best practices, many people use password management software to keep all their unique, complex passwords organized. Of course, if you opt to use this type of software, it’s vitally important to thoroughly research the security standards of the company that developed it. A breach here would be devastating to those who depend on it.
Thwarting Password Security Isn’t Hard
The 2020 Verizon Data Breach Investigations Report found that 79% of hacking breaches leveraged stolen credentials. This staggering statistic highlights the utter failure of the security provided by passwords.
There are countless attack methods for obtaining credentials or circumventing credential-based cybersecurity systems. Below we have detailed some of the most commonly used attack methods.
Man-in-the-Middle (MITM) Attack
MITM attacks can be executed with a laptop and an access point. A potential attacker has to configure their setup near an organization, or at a location where many organization members spend time (such as a coffee shop).
Then they would broadcast a strong network signal to trick users’ devices into connecting to it and sending their credentials. From there, they are able to simply farm credentials and obtain as many as possible. For more detailed information on MITM attacks and how to defend against them, check out our complete guide here.
Phishing Attack
Phishing is a social engineering attack designed to trick users into doing one of two things: opening a malicious link, or sending sensitive information. This attack is often executed over email, which is why it’s important to provide secure email messaging for your organization.
A phishing attack often uses psychological tactics, such as fear, urgency, or reward incentive. Also, it’s vital to ensure you know who an email is sent by, as many attackers are adept at impersonating someone like a company executive to manipulate a target.
Brute Force/Dictionary Attack
A brute force attack requires an attacker to use software that will send every possible letter combination to find a correct password and gain access. Credential-based authentication methods such as EAP-TTLS/PAP and PEAP-MSCHAPv2 do not account for this and as a result, an attacker can send millions of queries in an unbelievably short amount of time.
A dictionary attack is very similar, but instead of random combinations, it will send every word in a list in an attempt to bypass network authentication.
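The attacks above only work at speed when the authenticating server will verify an unlimited stream of guesses. The following is an added example, not code from the original post or from SecureW2, showing the server-side control a defender would put in front of a password store: a hypothetical `LoginGuard` that locks an account after a few consecutive failures and doubles the lockout on each further failure, fed by a simulated burst of 100 dictionary guesses per second against a constructed user store. The user names, passwords and guess list are all constructed for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# PBKDF2 iteration count kept low so the simulation below runs quickly;
# production deployments use a far higher count.
PBKDF2_ROUNDS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of a password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_store(users: dict) -> dict:
    """Constructed user store for the demo: username -> (salt, hash)."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        store[name] = (salt, hash_password(password, salt))
    return store


# Hashing work is done for unknown usernames too, so response time does
# not reveal whether an account exists.
_DUMMY_SALT = bytes(16)
_DUMMY_HASH = hash_password("", _DUMMY_SALT)


@dataclass
class LoginGuard:
    """Per-account throttling (hypothetical): after max_failures consecutive
    failures the account is locked, and each further failure doubles the
    lockout period."""
    max_failures: int = 5
    base_lockout: float = 1.0            # seconds
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def attempt(self, store: dict, username: str, password: str, now: float) -> str:
        """Return 'locked', 'fail' or 'success'. The clock `now` (seconds) is
        injected so the behaviour is deterministic and testable."""
        if self.locked_until.get(username, 0.0) > now:
            return "locked"              # refused before any hashing is done
        record = store.get(username)
        salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
        candidate = hash_password(password, salt)
        if record is not None and hmac.compare_digest(candidate, expected):
            self.failures.pop(username, None)
            self.locked_until.pop(username, None)
            return "success"
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.max_failures:
            self.locked_until[username] = now + self.base_lockout * 2 ** (count - self.max_failures)
        return "fail"


def simulate_guessing(store, guard, username, guesses, start=0.0, interval=0.01):
    """Feed a list of guesses at a fixed rate and count the outcomes."""
    counts = {"fail": 0, "locked": 0, "success": 0}
    for i, guess in enumerate(guesses):
        counts[guard.attempt(store, username, guess, now=start + i * interval)] += 1
    return counts


if __name__ == "__main__":
    store = make_user_store({"alice": "correct horse battery staple"})  # constructed
    guard = LoginGuard(max_failures=5, base_lockout=1.0)
    wordlist = [f"guess{i}" for i in range(100)]   # constructed guesses, 100 per second
    print(simulate_guessing(store, guard, "alice", wordlist))
    # Only 5 guesses are actually verified; the other 95 are refused while locked.
```

Without the guard, every one of the 100 guesses would be hashed and compared; with it, the server verifies five and then refuses the rest until the lockout expires, and the legitimate user still gets in once it has. Note that the unknown-user path does the same hashing work as a real account so that timing does not leak which usernames exist.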
Rainbow Table Attack
An attacker with a rainbow table attempts to recover passwords from a stolen database of password hashes. Passwords are usually stored in hashed form so they can’t be read as plaintext. A rainbow table is a precomputed table of hash values that lets the attacker look up the password that produced a given hash, reversing the hashing without having to compute it at attack time.
This type of attack is among the least technically advanced hacking attacks. The attacker simply looks up the stolen hashes in the rainbow table.
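What makes a hashed database vulnerable to this lookup is a fast, unsalted hash. The following is an added example, not code from the original post or from SecureW2, that contrasts the two storage choices: a precomputed hash-to-password lookup built over a constructed wordlist (a plain dictionary here standing in for a rainbow table, which stores the same mapping more compactly with hash chains), applied to an unsalted SHA-256 column and then to a column of salted PBKDF2 hashes. The wordlist and user passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the huge lists a real table is built from.
WORDLIST = ["password", "letmein", "sunshine", "qwerty", "dragon", "baseball"]
KDF_ROUNDS = 100_000   # iteration count for the salted store


def precompute_table(words, algo="sha256"):
    """Build a hash -> password lookup over the wordlist once, up front.
    This is the capability a rainbow table gives the attacker: any UNSALTED
    hash of a word in the list is reversed with a single lookup."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def reverse_with_table(table, digest_hex):
    """What the attacker does with a leaked hash: a dictionary lookup."""
    return table.get(digest_hex)


def recoverable_fraction(table, stored_hashes):
    """Share of a leaked hash column the precomputed table reverses outright."""
    hits = sum(1 for h in stored_hashes if h in table)
    return hits / len(stored_hashes)


def store_unsalted(password):
    """Weak storage: one bare fast hash, identical for every user with that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, salt=None):
    """Hardened storage: random per-user salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    The salt makes every stored hash unique, so no table computed in advance applies."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)


def verify_salted(password, salt, digest):
    """Login-time check against the salted store, in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    table = precompute_table(WORDLIST)
    # Constructed user passwords: four from the wordlist, one that is not.
    users = ["password", "sunshine", "qwerty", "dragon", "kX9#vQ2!pL7mZ"]
    unsalted_column = [store_unsalted(p) for p in users]
    salted_column = [store_salted(p)[1].hex() for p in users]
    print("unsalted SHA-256 column recovered:", recoverable_fraction(table, unsalted_column))
    print("salted PBKDF2 column recovered:  ", recoverable_fraction(table, salted_column))
```

Against the unsalted column the table recovers four of the five passwords instantly; against the salted column it recovers none, and the attacker would have to redo the whole precomputation for each user's salt at the KDF's per-guess cost. The salted store also stops two users with the same password from producing the same stored value, so a leak no longer reveals shared passwords.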
After an attacker obtains a list of stolen credentials, they will then use them to force their way into a network through legitimate authentication. These lists are widely available for purchase on the dark web. Leaks of large amounts of passwords are often high profile news stories, such as the massive leak from Yahoo in 2014.
Missing Identity Context with Credentials
One of the greatest failings of password-based authentication is the lack of trust a network admin can have that users are properly identified. When a user enters their username and password, there is an assumption that they are using their own credentials, but this is not always the case.
It’s incredibly easy to use another person’s credentials to access a network, and it’s easy to miss this sort of misidentification. Approximately 34% of American workers admitted to sharing their passwords with coworkers, and this has the potential to create significant conflicts in a workplace.
If an employee using someone else’s credentials was to steal data from an organization, the wrong person could be framed and fired as a result, or worse if criminal activity was perpetrated. It also creates the opportunity for an outside actor to gain network access with anonymity and makes it difficult to identify how a network breach was enacted. Accurately identifying network users is key to maintaining network integrity and accountability within an organization.
Authentication Alternatives to Passwords
When examining the mounting evidence, it’s clear that passwords cannot be trusted to maintain authentication security or properly identify who is accessing the network. So what is the alternative?
Multi-factor authentication (MFA) requires more than one form of proof before a user is identified, drawn from three categories: something you know (e.g. a password), something you have (e.g. a hardware key), and something you are (e.g. biometrics).
MFA has proven to be highly effective at preventing unauthorized network access. With each added layer of complexity, it is exponentially more difficult for outside actors to break into the network.
Of course, added complexity works both ways. With more layers of authentication needed, there is bound to be more confusion on the network user side. It is more cumbersome for users to provide multiple forms of authentication, and this presents greater opportunity for misconfiguration and IT support ticket requests. Ultimately, it is a trade-off of convenience and security.
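The “something you have” factor most organizations deploy alongside a password is a time-based one-time code from an authenticator device. The following is an added example, not code from the original post or from SecureW2, implementing the server side of that check: HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library, plus a hypothetical `TotpVerifier` that tolerates one step of clock skew and refuses to accept a code twice. The secret is the RFC 6238 reference test key, so the codes it produces can be checked against the RFC's published vectors.

```python
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP (RFC 4226): dynamically truncated HMAC over an 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(key, unix_time // step, digits, algo)


class TotpVerifier:
    """Server-side check of a 'something you have' factor (hypothetical class).
    Accepts codes within +/- `window` time steps to absorb clock skew, and
    never accepts a code for a step at or before the last accepted step, so a
    captured code cannot be replayed."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1, algo: str = "sha1"):
        self.key, self.step, self.digits, self.window, self.algo = key, step, digits, window, algo
        self.last_accepted_step = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue                           # already used, or older than a used code
            expected = hotp(self.key, candidate, self.digits, self.algo)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"), SHA-1, 8 digits.
    key = b"12345678901234567890"
    print(totp(key, 59, digits=8))                 # 94287082 per the RFC test vectors
    verifier = TotpVerifier(key, digits=8)
    code = totp(key, 59, digits=8)
    print(verifier.verify(code, 59))               # True: fresh code, correct step
    print(verifier.verify(code, 70))               # False: same code presented again
```

The comparison is constant-time and the verifier keeps only the last accepted step per user, which is enough state to reject replays without storing every code seen. A stolen password alone no longer gets an attacker in, but, as the paragraph above notes, the user now has a second device and a second prompt to manage.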
The gold standard of authentication relies on X.509 digital certificates. A device equipped with a certificate is automatically authenticated when in range of the network, and it cannot fall prey to any of the credential attacks above thanks to public key cryptography. It’s more convenient for users and provides much stronger security to protect the network.
The key to using certificates effectively is effective onboarding software. Allowing users to configure certificates manually is asking for a huge influx of IT support tickets. The process requires high-level IT knowledge to comprehend; it’s simply an inefficient process when left to the user.
SecureW2’s JoinNow onboarding solution allows users to self-configure their devices in minutes with a few simple clicks. The user connects to the secure network, is prompted to prove their identity, and then the JoinNow solution configures the device automatically and equips the user with a certificate that can be set to last years.
With certificates, a user’s only interaction with the authentication process will be the initial configuration process. After that, they are always automatically authenticated and can browse without issue.
Credentials have been used for decades, but much like VHS, analog television, and the typewriter, they are outdated and should be replaced by modern improvements. New solutions have risen that cover the weaknesses of passwords.
The security liability that passwords present is reason enough that organizations should consider seeking alternatives. If you’re concerned about the risks credential-based authentication creates, check out SecureW2’s pricing page to see if our cost-effective certificate solutions are a better solution to protect your network.
*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Jake Ludin. Read the original post at: https://www.securew2.com/blog/are-passwords-secure/