The Passwordless Future Can’t Come Soon Enough • The Registry


Passwords, long a weakness in the tapestry of defenses designed to keep businesses and individuals secure, continue to be a problem due in large part to the same problem that has haunted them for years: the users themselves.

In a report released today, SpyCloud researchers found that despite the growing sophistication of bad actors and the headlines surrounding cyberattacks, many users continue to exhibit poor password hygiene, including using the same or similar passwords for multiple accounts, or weak and common passwords.

Additionally, more than two-thirds of passwords that were hacked in previous years are still in use, according to SpyCloud’s 2022 Identity Exposure Report. The company found that 64% of consumers repeat passwords for more than one account and 70% of compromised passwords are still used.

The data in SpyCloud’s report is consistent with what other cybersecurity vendors see. Lookout recently published a list of passwords most commonly found on the dark web, the top four being 123456, 123456789, Qwerty, and Password.

Passwords have long been a security concern, especially as more and more work and business is done online. Consumers can now have over 100 accounts in their work and personal lives that need passwords. The rapid shift to remote work caused by the COVID-19 pandemic has only accelerated this trend. Most people will not only continue to work from home at least some of the time even when the pandemic subsides, but they will also have become accustomed to doing more of their personal business online.

Reports such as those from SpyCloud and Lookout only fuel the argument made by some vendors – with Microsoft among the leaders – that passwords should be abandoned in favor of a number of other alternatives, such as biometric technology (such as fingerprints or eye scans), security keys, authenticator apps, or verification codes sent to a mobile device or via email.

“At a basic level, everyone at least understands the logic behind choosing a complicated, hard-to-guess password when signing up for an account,” David Endler, co-founder and chief product officer of SpyCloud, told The Register. “However, in practice, especially looking at some of the data in our report, it’s clear that bad password habits are still very prevalent. Part of that is laziness. Another part is consumer sentiment along the lines of, ‘Why would anyone bother to target me? What’s interesting about me?’”

There will always be specific attacks targeting individuals or businesses, but weak passwords also contribute to threat actor practices like credential stuffing, where cybercriminals take usernames and passwords stolen from one website and try them against another, often using botnets to fuel the efforts, Endler said. Attackers can then steal credit card data, make fraudulent purchases, and use the information in phishing attempts. They can also sell the information.

In total, researchers at SpyCloud — whose products help prevent account takeovers by bad actors — identified 1.7 billion exposed credentials in 2021, a 15% year-over-year increase, and recovered 13.8 billion personally identifiable information (PII) records stolen in breaches during the year.

Passwords are tricky to displace. Authenticator apps, security keys, and one-time codes sent to a cell phone are techniques that have been around for years. However, what they are up against are the habits that consumers have accumulated over decades.

“What we’re up against as a society is there’s this built-up muscle memory around creating an account and logging into company sites,” he said.

Two-factor authentication has also been available on sites for years, but adoption is slow because not everyone wants to take that second step. However, Endler pushed back against the idea that the campaign for passwordless authentication has stalled.

“These things take time because for decades this is how we know how to create our accounts, register our accounts and log in to our accounts, and seeing changes like this takes time,” Endler said. “It also adds friction in the online account creation space. I don’t know if all sites are enthusiastically embracing this technology because they have to weigh that up and counter that with user friction.”

A person can take certain steps, including enabling two-factor authentication – which can also be used with biometric technologies – on the sites they use, and using a password manager not only to store all their passwords, but also to generate unique passwords for those sites. To protect against fraud and protect PII, people should review their credit history and lock their records with the major credit agencies.

Anything people do to protect themselves will also help protect businesses, especially at a time when remote work continues to blur the lines between work and personal life.

“One way to think about it is that the enterprise attack surface hasn’t changed,” he said. “It’s just that the way we think about it has changed a bit since we’ve all been working from home for two years. At home, we have a lot more devices in front of us that we use to access resources. These devices don’t necessarily have the same benefits as corporate endpoint protection, so we’ve seen more and more malware infections for people working from home.”

When they use an infected device, they can log into the enterprise system, illustrating the overlap between consumer threats and the enterprise attack surface, especially considering the various applications that people are using that are outside of the organization’s protective shield, Endler said, adding that “if someone is using a personal account on one of these systems and maybe not picking the best password, it has a ripple effect on the enterprise attack surface”.

Ultimately, the charge toward a passwordless future will likely be led by device makers and browser developers, he said. Sites will likely continue to integrate device or browser technologies, which should help reduce threats.

“But keep in mind that many of the accounts that emerge from these data breaches were created years ago,” Endler said. “We are still years away from that dream as we should catch up to the point where people are only registering new accounts using services like Apple’s Hide My Email.”
