It's a process that, by now, is almost as familiar as writing one's name: Before a user is granted access to an application or account, the platform must verify that the user is who they say they are. The person is taken to a login screen, which asks for his or her username and password. Even with advances being made in fingerprint and facial recognition, passwords are still the go-to when it comes to authentication credentials.
However, password usage has also become increasingly problematic as of late. Weak or obvious passwords boost the risk to the user, and raise the chances that a hacker will be able to breach the device, account or network being protected.
Today, we'll take a deep dive into passwords, including what vulnerabilities weak passwords can open up and how to improve authentication security.
Problem: Weak passwords create data breach risks
By now, news of a data breach isn't as earth-shattering as it once was. Large-scale breaches take place on a near-weekly basis, if not more often. However, this doesn't mean that users and companies should be lackadaisical about their data security.
According to a recent Verizon RISK team study, organizations across every industry are at risk for malware, hacking and data breaches. While these incidents vary widely depending upon the business being infiltrated, the hacking strategy and the cybercriminal or group behind the attack, certain activities put companies at a higher risk. Researchers found that of the data breaches taking place in recent years, weak or stolen authentication credentials were the top cause of a successful breach.
"For years, experts have warned about the risks of relying on weak credentials to restrict access to data, and this is still a problem," Dark Reading contributor Fahmida Rashid wrote.
Of the breaches studied in the report, a staggering 76 percent came as a result of weak password usage. In addition, 48 percent of attacks were related to passwords stolen via infection, phishing or stolen password lists. Researchers also estimated that if stronger passwords or multi-factor authentication were used, 80 percent of attacks could have been thwarted or prevented.
Compounding the issue: Website password policies
It's no secret that a weak password can lead to a breach. However, one study shows that the websites requiring these credentials might not be doing enough to encourage the use of strong authentication.
A recent Dashlane study showed that the majority of the top websites being used today had subpar policies for password usage. Of the 80 websites included in the research, 86 percent failed to earn a passing score when it came to their password policies. Researchers used a 0-100 scale, and the majority couldn't earn a 50 or above.
Some websites did better in the study than others. Apple, for example, earned a perfect score. The Microsoft Store website, UPS, Kaspersky Lab and Target also scored high. However, American Airlines, Expedia, LivingSocial, LinkedIn and Amazon all scored below 50. Match.com got the lowest score of the study, with a -70.
"These websites are not doing their jobs," said Dashlane CEO Emmanuel Schalit. "There are so many easy targets out there. Whenever [a hacker] bumps into a target that is more protected, they will make the rational decisions and go to the next one. Hackers are professionals, they're not just kids in basements. They are large, well-funded organizations, but they need to spend their resources wisely. And they do that by going after the easy targets."
In this way, users that have particularly weak authentication credentials are low-hanging fruit for cybercriminals.
Even hackers aren't immune
The issue of weak passwords is common throughout user bases – a 2014 study from Avast found that even hackers use passwords that aren't difficult to guess. Avast security analyst Antonin Hyza examined a total of 40,000 hackers' passwords that had been recently leaked. From these, Hyza determined that on average, passwords were six characters long, included lower case letters and numbers, and were in English.
"I looked at 40,000 samples of hackers' passwords and found that nearly 2,000 were unique and 1,255 of those were in plain text. Another 346 passwords were easily cracked from MD5 hashes, because they were shorter than 9 characters. That gave me a total of 1,601 passwords and 300 hashes," Hyza noted. "That was not as hard as I expected, and most of hackers' passwords are even weaker than those that normal people use."
Overall, only 10 percent of the 40,000 passwords could be considered "beyond normal capabilities of guessing or cracking," Hyza stated. These strong credentials were longer than usual – some contained as many as 75 characters – and used special characters in addition to letters and numbers.
A single password for every account
Even strong passwords aren't without their complications. Schalit noted that a password in itself can be strong, but if it is used on multiple accounts, it is doing nothing to protect the user's privacy and security. Not only does this go against best practices, but hackers "know that most people tend to re-use the same password on multiple sites," Schalit pointed out.
"Having strong passwords is good, but it's not the most important thing. The most important thing is to have a different password on each and every website. If you give this new website the same password you've been using everywhere else, it's essentially the equivalent to giving the keys to your house to someone you've never met."
Tips to improve passwords
When it comes to password creation and usage, there are several best practices users can follow. Trend Micro's Richard Medugno encouraged the use of a password manager to help keep all the different passwords users rely on for their accounts secure. In addition, he recommended:
- Don't use common or easily-guessed passwords such as 123456, ABCDEFG, or simple phrases like "I love my cat" or "Daisy."
- Include at least 12 characters as well as a mix of upper and lowercase letters, numbers and special characters, where possible.
- Consider using an acronym to make the password easier to remember. For instance, the song lyric "I'm just a poor boy from a poor family" becomes the password IJAPBFAPF.
- Don't use obvious information for security questions such as a mother's maiden name, a hometown or a pet's name. This information could potentially be guessed or found on social media or other platforms. Instead, security questions should be something only the user can answer. Medugno noted that these answers don't even have to be truthful – the point is that the user remembers.
- Don't store passwords in Web browsers or other documents. In fact, passwords should not be stored on a user's personal computer at all unless within a password manager.
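The checklist above, turned into a policy check, as an added example that is not Trend Micro's or Medugno's own code: it flags a candidate password that is on a blocklist, shorter than 12 characters, missing a character class, or reused on another account. The blocklist and the sample passwords are constructed for the illustration; in practice a password manager would supply the reuse set.

```python
import string

# Constructed blocklist for this example, seeded with the weak values the article names.
COMMON_PASSWORDS = {"123456", "abcdefg", "i love my cat", "daisy", "password", "qwerty"}

MIN_LENGTH = 12  # the article's recommended minimum length


def check_password(candidate: str, used_passwords=()) -> list:
    """Return the list of rule violations for `candidate`; an empty list means it passes.

    Rules mirror the article: not a common or easily guessed value, at least
    12 characters, a mix of upper case, lower case, digits and special
    characters, and not reused on another account. `used_passwords` stands in
    for the other credentials a password manager already knows about.
    """
    problems = []
    if candidate.strip().lower() in COMMON_PASSWORDS:
        problems.append("common or easily guessed")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Each class is checked independently so the caller learns exactly what is missing.
    classes = {
        "upper case letter": any(c.isupper() for c in candidate),
        "lower case letter": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "special character": any(c in string.punctuation for c in candidate),
    }
    problems.extend(f"missing {name}" for name, present in classes.items() if not present)
    if candidate in used_passwords:
        problems.append("already used on another account")
    return problems


if __name__ == "__main__":
    # The article's acronym is memorable but too short and uses only upper case letters.
    for sample in ("IJAPBFAPF", "I love my cat", "123456", "Ij@pbf4p-F!2024"):
        result = check_password(sample)
        print(f"{sample!r}: {'OK' if not result else '; '.join(result)}")
```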
Passwords represent keys to security, but only when they're strong and not used in multiple places. Boost your password security with Trend Micro's Password Manager. Contact Trend Micro for more information.