The traditional username and password combo is no longer fit for purpose
Find out how Multi-Factor Authentication helps to combat common password security issues
According to Cisco Talos's latest Quarterly Trends Report, in almost 40 percent of the incidents responded to in the quarter adversaries gained initial access by abusing compromised credentials to log in to valid accounts, a 22 percent increase on the previous quarter.
One of the biggest issues is that users often choose passwords that are simple and predictable, and they often reuse the same password across multiple sites and accounts.
We can force them to use more complicated passwords through policies, but that makes them harder to remember.
I use a service that insists on a password that’s at least 10 characters in length, contains a mix of upper and lowercase characters, and at least one special character. It further insists that I choose a new password every 30 days, which is completely different from any password I’ve used before. And when I log in it asks me for three random characters from the said password, rather than the whole thing. It sounds pretty secure, but the mental gymnastics involved means I have to write it down!
And so there is this constant trade-off between security and usability. The user experience is fundamentally important, because users are more likely to adopt tools that are easy to use, and conversely, more likely to find workarounds if the tools are cumbersome.
Brute Force Attacks
Passwords are vulnerable to brute force attacks. This is when an attacker uses automated software to repeatedly guess passwords until they find the correct one. With the increasing computing power available to attackers, it is becoming easier and faster for them to crack passwords through brute force attacks. Longer, more complex passwords are harder for attackers to crack but more difficult to remember; hence the insistence on upper and lower-case letters, numbers and special characters, which is intended to increase the number of possible combinations. Ultimately though, the only real defence against brute force attacks is limiting the number of password attempts, because given enough time and unlimited attempts any password is vulnerable.
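To make the point about limiting attempts concrete, here is an added example (not code from the original article or from the author's company) of a small Python login guard: it stores passwords as salted PBKDF2 hashes, counts recent failed attempts per account, and refuses further attempts once a threshold is reached, so an attacker gets a fixed number of guesses per lockout period rather than an unlimited number. The usernames, passwords, thresholds and the in-memory storage are constructed for illustration; a real service would keep the counters in shared storage and tune the limits.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 100_000):
    """Salted PBKDF2-SHA256 hash; returns (salt, digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


class LoginGuard:
    """Password check wrapped in a per-account failed-attempt limit.

    Constructed for illustration: user records live in a dict and failure
    timestamps in memory. Both would be shared storage in a real service.
    """

    def __init__(self, users, max_attempts: int = 5, lockout_seconds: int = 900):
        self.users = users                      # username -> (salt, digest)
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(list)       # username -> timestamps of recent failures
        # Dummy record so an unknown username costs the same work as a real one
        self._dummy = hash_password(os.urandom(16).hex())

    def _recent_failures(self, username: str, now: float) -> list:
        """Drop failures older than the lockout period and return what is left."""
        recent = [t for t in self.failures[username] if now - t < self.lockout_seconds]
        self.failures[username] = recent
        return recent

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return "ok", "denied" (wrong credentials) or "locked" (too many recent failures)."""
        now = time.time() if now is None else now
        if len(self._recent_failures(username, now)) >= self.max_attempts:
            # The password is not evaluated at all while locked: no oracle for the attacker
            return "locked"
        salt, stored = self.users.get(username, self._dummy)
        _, candidate = hash_password(password, salt)
        # compare_digest avoids leaking how many bytes matched through timing
        if username in self.users and hmac.compare_digest(stored, candidate):
            self.failures[username].clear()
            return "ok"
        self.failures[username].append(now)
        return "denied"


if __name__ == "__main__":
    # Constructed sample account; the timestamps are fixed so the run is reproducible
    users = {"alice": hash_password("correct horse battery staple")}
    guard = LoginGuard(users, max_attempts=3, lockout_seconds=600)
    for guess in ("password", "123456", "letmein"):
        print(f"guess {guess!r} -> {guard.login('alice', guess, now=1000)}")
    print("correct password while locked ->", guard.login("alice", "correct horse battery staple", now=1001))
    print("correct password after lockout expires ->", guard.login("alice", "correct horse battery staple", now=1700))
```

Two design points are worth noting. Unknown usernames go through the same hashing and the same counter as real ones, so the response does not reveal which accounts exist. And a lockout keyed purely on the account name lets anyone who knows a username lock its owner out, which is why many deployments prefer escalating delays, throttle by source address as well, or notify the user rather than hard-locking.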
Phishing scams are a common method used by hackers to steal passwords and other sensitive information. In a phishing scam, the hacker sends an email or message that appears to be from a legitimate source, such as a bank or social media site, but is actually a fake. The message typically asks the user to click on a link or download an attachment, which then installs malware or directs the user to a fake login page where they enter their username and password.
Phishing scams can be difficult to detect, as the messages often look very convincing. However, there are some warning signs to watch out for, such as misspellings or incorrect logos in the message. The other giveaway is a sense of urgency in the request. Like most cons, phishing scams will usually try to panic the user into behaving irrationally. For example: some money has been taken from your account and we just need to verify, etc.
Bottom line: phishing emails are sent out on an industrial scale. They only need a tiny number of recipients to fall for them for it to be worthwhile.
To protect against phishing scams, it is important to be cautious when clicking on links or downloading attachments from unknown sources.
Better still, employ DNS-layer security. This involves using a DNS service that blocks known malicious domains and prevents users from accessing them. By blocking these domains, DNS-layer security can help prevent users from falling victim to phishing scams and other cyber attacks. It can be implemented quickly and easily, without requiring users to install any software or make any changes to their computers or devices. It’s a quick and relatively inexpensive security win, and we recommend it to all our clients.
Keylogging is another method that hackers use to steal passwords and other sensitive information. It involves software that records every keystroke made on a computer or mobile device. This means that every password, username, credit card number, or other piece of information that is typed into the computer can be captured by the keylogger software.
Keyloggers can be installed on a device through malware or phishing scams. Once installed, the keylogger can run in the background, completely undetected by the user. This makes keylogging a particularly insidious method of stealing information.
The idea of entering specific characters from a password, rather than the whole thing, is largely to protect against keylogging. In reality, though, the best defence is to keep your operating systems and software up to date, and to use antivirus and anti-malware software.
The other way passwords get into the hands of wrongdoers is through data breaches. When a company experiences a data breach, it means that hackers have gained unauthorized access to their systems and have stolen sensitive information such as usernames and passwords.
Companies can be very slow to acknowledge data breaches, either because they don’t know they have occurred, or because they are worried about reputational damage. In either case the information can be in the hands of wrongdoers for, in IT terms, a very long time, before the problem is made public.
This is where using the same login details across multiple sites and accounts is particularly dangerous: once an attacker has a valid username and password combination, they can try that same combination against other systems.
Forcing users to choose a new password periodically is a common defence against data breaches. It’s basically saying, let’s assume that password has been compromised, and make the user choose a new one. The problem is it makes the password harder to remember.
Lastly, unauthorized sharing is another security risk associated with passwords. When users share their passwords with others, they are essentially giving those individuals access to their accounts and sensitive information. Usually it’s not done maliciously; rather, there is some policy or permissions issue that’s stopping someone accessing some system or information they need, and rather than wait for IT to sort it out, it’s easier to ask to ‘borrow’ someone else’s username and password.
The other way of sharing unintentionally is the post-it note reminder stuck to the monitor!
Multi-factor Authentication (MFA)
Multi-factor authentication (MFA) requires users to provide a second method of authentication that cannot easily be stolen, in addition to the password. This can be a security token or some biometric method, for example, a face scan or fingerprint. This makes it much more difficult for hackers to gain unauthorised access to sensitive information or accounts.
So let’s take the security token as an example, as it’s the easiest to implement and doesn’t need specialist hardware, scanners, etc. How does it work?
The user provides a username, and, let’s face it, nine times out of ten that’s their email address. Then their password, which they remember, or more likely ask their web browser to remember. Then they are asked for a security token. This is usually a six-digit number. Some systems will email or text the number to the user; another way is to generate the number using a mobile phone app, such as Cisco Duo. The number/token is only valid for a short amount of time.
It’s this time-limit that makes token-based MFA particularly effective. Because each combination of username, password and security token is only valid for a couple of minutes it provides very good protection against all the attack methods previously described.
The initial set-up of MFA usually involves scanning a QR code on the website or application concerned the first time you use it. This seeds the token generator in the authenticator app. From that point the app will generate a seemingly random sequence of six-digit numbers every couple of minutes. In truth the numbers are generated by a cryptographic algorithm, based on a secret key that is known only to the app and the service being accessed. This secret key is shared between the app and the service when the user initially sets up MFA using the QR code. It’s both highly secure and very effective.
Most importantly though, it’s easy to use, and therefore likely to be used. That’s why we recommend implementing Multi-Factor Authentication wherever you can.
We can offer a 30-day free trial of Cisco Duo Access Edition.
For more information please call +44 1226 761188 or email email@example.com
Duo Security, now part of Cisco, is the leading multi-factor authentication (MFA) and secure access provider. Duo comprises a key pillar of the Cisco Zero Trust offering, the most comprehensive approach to securing access across the IT applications and environments, from any user, device and location. Duo and Cisco are registered trade names of Cisco Systems, Inc.
Cisco Talos is a registered trade name of Cisco Systems, Inc.