In an age when data breaches seem to dominate the headlines almost every other week, the global threat to password security is a concern for everybody.
Back in January 2019, one of the biggest data leaks in history saw 770 million users’ email addresses and passwords published onto a hacking site. The incredible volume of data was attributed to multiple sources. In particular, users of LinkedIn and MySpace were affected, as well as millions of email addresses.
Weaknesses in traditional password management systems
Attacks of this magnitude have served to highlight the vulnerabilities in traditional password setups. 99.7 percent of people still don’t have a different password for each account, which means breaching new accounts using people’s previously leaked credentials has become easier as more data is harvested.
At the same time, hacking has become more accessible and cheaper, as tools like phishing kits and data dumps can be bought online by anyone, requiring low levels of technical skills to operate. Some of the most common hacking techniques comprise:
– Phishing: This is when hackers send emails to lure people into typing their passwords on a “phishing site” that looks like the original site. More than 90 percent of successful hacks and data breaches stem from phishing.
– Credential stuffing: This is when hackers use previously leaked password/login combinations to attempt to log in to other websites. Over 90% of login attempts are automated and run by bots.
– Password spraying: This is a variation of credential stuffing, except that the attempts are limited in number per time so it looks like a genuine human error.
– Brute force attacks: this is when hackers run scripts to “guess” a password based on trial and error. The software can extract relevant data such as users’ dates of birth from social media profiles and feed this into the script for a faster result. This can take less than 24 hours.
– Dictionary attacks: this is when hackers simply try password guess attempts based on words that can be found in the dictionary of the company/user’s target language.
– Spider attacks: this is when hackers study the general language used by a company, for example their brand name, and use this to guess passwords such as company1234. For example, they may study information published on a website and use it to gain access to the company wi-fi passwords.
In addition, in cases such as the abovementioned biggest data breach in history, your password security may be compromised again if you have been targeted before. Regardless of the password strength, if that same password or a variation is used in other accounts, those accounts are now vulnerable to attacks such as credential stuffing or password spraying.
In response to these attacks, in recent years it has become commonplace for email providers and social networking sites to offer two-factor authentication. This asks users for an additional access point, for example, a text message sent to a user’s personal mobile phone when trying to log in to their emails.
However, this are not without its own faults, as hackers have found ways to circumvent that obstacle. The most common methods are SMS intercepts when text messages in transit are hijacked, exploiting weaknesses in the cellular network, or SIM swap, when a hacker collects personal data like date of birth or address through phishing and social engineering, then tricks a mobile carrier employee into rerouting a subscriber’s phone number to the hacker’s SIM card.
In recent years, to tackle the seemingly unsolvable password challenge, many companies and individual users have used password managers to help with their sheer number of passwords. Others have tested password-less authentication.
The help and limitations of cloud password managers
A cloud password manager offers a centralised alternative to remembering hundreds of passwords. All of a user’s passwords are stored in a cloud, and the software asks you to remember one super-strong password, also known as a master password. All the user has to do is enter this password to gain access to all of his/her passwords stored in the cloud.
While this offers a very convenient solution, there are two major risks attached to the method. Firstly, with only one password to access all others, users may be in trouble if they forget this, or if the password becomes compromised. Secondly, with all passwords stored on a cloud, amongst many other people’s, this makes those particular servers a prime target for hackers. Many breaches have been reported over the years including the most recent one in January 2019.
Biometrics involve the use of fingerprint, face or retinal scan to identify a user and give them access. Today they are most commonly seen on smartphones, giving users instant access with fingerprints, however they may also be used on mobile payment software or to give access to buildings.
The obvious advantage of biometrics is that they cannot be “guessed”. Each fingerprint is entirely unique to the individual, and this comes in handy for uses such as two-factor authentication. Some mobile phones, for example, may use fingerprint and passcodes for access.
While this method is safe for local use like accessing your mobile phone, it becomes highly risky if used by an organisation, including a State, to identify users, as we know every organisation is a potential victim of a data breach. In July 2018, 1.5 million patients were affected by a hack on the healthcare system of Singapore, one of the most technologically advanced countries in the world. The problem here is if biometric data does become compromised – for example, if somebody clones your fingerprint or your face, the user cannot change that “password”.
Therefore, to mitigate the risk of losing passwords or getting your identity hacked, a much safer alternative is to adopt a decentralised risk model in conjunction with localised biometrics use.
Fully distributed and decentralised risk model
This is effectively the “best of both worlds”. Rather than storing passwords in a potentially hackable cloud, each password is held on an individual local device, like a smartphone or a tablet. All passwords are encrypted and protected in one of three levels of security, depending on how sensitive the accounts are.
Access to these passwords is granted via a combination of methods, including:
- Unique pin
- Lock pattern
- Facial identification
- Voice passphrase
Those allow fast and protected access to the passwords. Importantly, as those identifications are kept locally on the device, and not on the cloud, they cannot be hacked either.
Now if you are a victim of a data breach through one of your accounts, your other accounts will not be compromised. If hackers were to gain access to your email address, for example, they could not proceed further without that unique password.
For added convenience and safety, advanced functionalities allow users to copy and paste difficult passwords from a smartphone to a desktop rather than typing them, to synchronize encrypted passwords across multiple devices, and to back up encrypted passwords in case they break or lose their main device.
Staying safe online
As a rule of thumb, to stay safe online:
Use strong passwords
Short, easy to guess passwords, based on date of birth or other data, are prone to attack. 98.8% of passwords are in the 10,000 passwords list. Use 12 digits or more with a selection of upper and lower case, numbers, and punctuation marks.
Do not re-use passwords
Once a hacker has one, he/she has them all, so keep them different. Likewise, variants are easy to guess, such as substituting capital letters or numbers, so keep them distinct.
Do not write them down
Well-intentioned Post-its, notepads and spreadsheets can easily fall into the wrong hands.
So far, how people choose to store their passwords has been entirely up to them. However, as people need more and more passwords each year, remembering passwords has become a dreaded thing for many. If they are concerned about forgetting them, people can now conveniently store their passwords using a decentralised password solution that mitigates the risk of losing them.
Julia O’Toole is founder and CEO of MyCena, a patent-pending decentralised password solution to protecting passwords from cybercriminals.