On February 14, dating site Coffee Meets Bagel sent an email to its users, informing them that an unauthorized party may have gained access to their data. This is not the kind of Valentine’s Day message you would expect from a website that is supposed to help you find love.
Coffee Meets Bagel was part of bundle online services whose stolen user account information were liquidated on the dark web a few days earlier.
Although it came at a very bad time, Coffee Meets Bagel isn’t the first and nor will it be the last case where hackers gain access to sensitive user records. Data breaches happen, and they happen very often.
And with every breach comes a feeling of dread and fear. What kind of data have the hackers accessed? Do they have my password? Have they sold it? Will they be able to log into my account and see all my history and activities? That last bit can be very scary, especially when a sensitive service such as a dating website becomes hacked (there have been cases of suicide over such hacks).
But what’s worse are the unknown damages that data breaches and password leaks can cause. For instance, if you’re using the same password across several accounts (you’re not supposed to, but many people do this, including Facebook’s CEO), a data breach in one service can quickly spill into other services.
The business of selling and protecting passwords
Credential theft has become the focus of a lucrative business on the dark web. The latest batch of stolen user data, which included Coffee Meets Bagel, comprised a total of 617 million records from 16 websites and was being sold at $20,000 worth of bitcoin on the dark web.
Stolen passwords serve numerous destructive purposes, such as doxing private information, extortion, spreading of false information, financial crimes and impersonation attacks. In 2017, the hacked Twitter account of a Qatari news website caused a crisis in the Persian Gulf region. Hackers have even developed ransomware that uses stolen or weak passwords to gain access to victims’ device and encrypt their files.
Credential theft has also become such a serious problem that it has given rise to an entire industry of “post-breach” services and experts for helping recover accounts and mitigate damage after breaches happen. One example is Troy Hunt’s Have I Been Pwned, a website that consolidates stolen credentials and can tell you if your username and password have turned up in any data breach. “Have I Been Pwned” sits over a repository of more than 300 hacked websites and 6 billion stolen login credentials.
A new tool released by Google saves you the effort of looking up your name and password in data breach dabases. Password Checkup is a Chrome extension that automatically warns you if your password has turned up in a data breach. Password Checkup supports most U.S. websites and tracks 4 billion stolen credentials.
Post-breach password tracking services have become especially popular after major hacks at critical services such as Equifax, Yahoo, Daily Motion and LinkedIn. They help consumers and businesses alike constantly keep track of stolen credentials to make sure they’re not affected. (Meanwhile, hackers are also keeping track of stolen passwords to consolidate data from various data breaches and stage attacks on new, unhacked websites.)
But while useful, these services are like applying band-aid to an infected wound that is festering from within. As long as passwords exist, all these services can do is reduce the time between the theft of credentials and the victim’s response. They do not address the fundamental problem and risks that passwords pose to the digital lives of users and companies.
Passwordless authentication to the rescue
While our security relies on keeping a string of characters secret, we can’t eliminate the fear and consternation of who else can access our accounts.
If you have a chronic problem of losing your door keys every week, you don’t change the keys every time you lose them—you get a new lock that doesn’t require keys.
The same goes for credentials: Instead of regularly changing passwords and tracking password leaks, you bank on authentication solutions that remove passwords and secrets altogether and replace them with passwordless and multifactor authentication. When you have nothing to hide, you have nothing to fear about.
Passwordless solutions solve some of the endemic problems that arise from the existence of passwords and password breaches:
In credential stuffing, hackers use username and passwords from previous data breaches to attempt automated logins on new services. Since many people use the same email and password combination for multiple services, this method gives hackers new venues to use their stash of stolen secrets.
Key logger attacks
In key logger attacks, hackers install a malware on the victim’s device which records their key strokes and sends the data to a server that belongs to the hackers. The attackers then peruse the collected data for sensitive information such as username and password combinations.
In social engineering attacks, hackers trick their victims into revealing passwords and other sensitive information. The most popular type of social engineering is phishing, in which attackers send deceptive emails to their targets and use provocative messaging such as account lockout notices, hack warnings, and special offers to trick the victim into clicking on a link and entering their credentials in a spoofed, malicious website behind which the attackers are sitting and listening.
Password guessing attacks
In password guessing attacks, hackers don’t have a victim’s password but uncover it by using one of the following methods:
Brute force attacks: The attacker tries every possible password combination until one of them works.
Dictionary accounts: The attacker uses a list of passwords and keywords obtained from previous breaches to attempt to log into an account.
Rainbow tables: Rainbow tables are databases that map hashed sequences to their plain-text equivalents. Hackers use rainbow tables to turn hashed passwords obtained from a data breach into plain passwords.
Man-in-the-middle (MITM) attacks
MitM attacks involve attackers compromising the communications between two parties to monitor the information they exchange, including any usernames and passwords one party might send to the other.
The threat of passwords won’t go away
All the above attacks are possible only because of the existence of passwords and secrets to verify the identity of users. On the other hand, none of these attacks are possible against passwordless systems simply because there’s no secret to guess, intercept or steal.
As long as we’re sending, remembering and storing passwords to protect our online accounts, we will be vulnerable to the various types of password-based attacks. And as technology advances, hackers will become faster and more capable in guessing and cracking longer and more complicated passwords. Meanwhile, the human brain remains limited in its capability to remember longer and more complicated passwords.
Enterprises and organizations that are serious about protecting their users and online assets should consider passwordless solutions today.