User apathy reduces power of password protection

Despite increasing awareness around the risks associated with poor password protection, cyber security experts warn the problem is getting worse.

This area of cyber defence came under the spotlight on 4 May when the world marked Password Day.

Cyber security experts say while the attention is welcome, they are still concerned about poor passwords, increasing vulnerability, the number of breaches and a lack of technical resources to effectively protect resources.

Enterprise password security and multi-factor authentication (MFA) technology company Intercede says its Password Breach Database now contains over six billion records of compromised password credentials.

Steven Hope, product director MFA at Intercede, says, “Everyone is aware of the password problem. The technology and expertise are available to solve it, but today we find ourselves announcing that things are getting worse. In fact, approximately 80% of data breaches have their origins in weak, shared, and reused passwords. The simple truth is if someone wants to exploit weak or compromised passwords, it can be done with relative ease at low to no cost.”

Douglas McKee, director of vulnerability research, Trellix Advanced Research Centre, says addressing the power and pitfalls of password management remains just as important to cyber security today as it was ten years ago. "With only a third (34%) of CISOs reported having the technology and tools available to enable their organisations to be secure, even seemingly small efforts like implementing strong passwords remain a critical first line of defence against cyber attacks.”

Francois Scheün, systems engineer at Fortinet South Africa, says humans have cognitive limitations when it comes to memorising random strings of characters for every account and site they use.  "They tend to resort to easy-to-remember words and phrases, or sequential letters or numbers. Worse, they tend to reuse the same passwords across multiple sites and accounts. This exposes them to password-based attacks, such as credential stuffing, where hackers use leaked password databases to try to access other accounts with the same credentials. Password extraction strategies such as phishing and social engineering are also becoming more sophisticated and convincing,” says Scheün.

Approximately 80% of data breaches have their origins in weak, shared, and reused passwords.

Steven Hoep, Intercede.

The 2022 Verizon Data Breach Investigations Report revealed that 82% of attacks exploited the human element, often the user identity itself. Insufficient policies or enforcement around password management increase the likelihood of a security breach. In fact, compromised credentials are involved in nearly 50% of attacks.

According to Fortinet, passwordless authentication can help. This is a method that allows a user to log into a digital resource, such as a banking website, without entering a password. Instead, they are verified and granted access using tools such as biometrics, facial recognition, hardware, or digital tokens.

Another way to simplify secure access is Single Sign-On (SSO), an identification method that enables users to log in to multiple applications and websites with just one set of credentials.

“An example of SSO is when a user logs in to Google and their credentials are automatically authenticated across linked services, such as Gmail and YouTube, without having to separately sign in to each individually. This eliminates the need to manage and remember multiple usernames and passwords across various accounts and services,” says Scheün.

Biometric authentication is one of the most popular forms of passwordless authentication, as it leverages the unique identification features of users such as fingerprints or facial recognition. However, the technology has some drawbacks as well, says Scheün.

“Biometric authentication relies on the fact that unique identification features such as fingerprints will not change much, if at all, over the course of their lifetimes. This also means that if a data breach occurs and a central repository is compromised, the fingerprints of those users will always be at risk.”

Scheün believes that the need for convenience will drive the demand for passwordless authentication. “The ease of use around using passwordless technologies will accelerate their adoption. Users will connect to digital resources with less frustration and more peace of mind, knowing that they are secure.”

However, passwordless authentication is not yet widely adopted and supported, and it may have its own challenges and drawbacks. Not all digital resources and platforms have the capability to support passwordless authentication methods currently, but as adoption grows, this will change, says Scheün.