What you need to know about password vulnerabilities (Pt. 2)

SDO Marketing Staff | February 7, 2018

In our last post, we delved into how threats from the outside capitalize on common password vulnerabilities.

No matter how well an enterprise is strengthened against external dangers, passwords will still present security threats that emanate from the inside.

Here’s the breakdown of common password vulnerabilities:

Simple passwords – the weak-password risk

As computing power becomes increasingly available at affordable prices, attackers find it easier to break into accounts through brute-force methods, such as testing every possible combination in super-rapid succession to find the right password.

“Weak passwords are a crook’s best friend. Make yours long and complex, and change them often – not just on your bank account but on your email and social media, too.”
Jean Chatzky

To avoid being brute-forced, users must choose passwords that are longer and more complex, containing lower- and upper-case letters, digits and symbols. They must also change their passwords regularly. This puts a lot of strain on users, especially when they must make the same considerations for dozens of online accounts.

A lot of users avoid taking such measures. Year after year, studies find that passwords such as “654321,” “password” and other poor choices remain extremely popular.

Password reuse

One of the recommendations any cybersecurity expert will give is to avoid reusing passwords across multiple accounts. However, when users must maintain long and complex passwords across several accounts, they tend to reuse their passwords verbatim or with small variations.

When hackers find the password to an account, they can quickly gain access to other accounts that use a similar password. This is exactly what happened to Mark Zuckerberg when LinkedIn got hacked.
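A password-acceptance check covering the two problems just described (popular passwords and near-verbatim reuse), as an added example; it is not code from this post or from its authors. The denylist and the list of previous passwords are constructed for illustration, and the normalisation rules (case folding, stripping trailing digits and symbols, undoing look-alike substitutions such as “@” for “a”) are an assumption about what the “small variations” users make tend to look like.

```python
import re

# Constructed denylist; a deployment would load a large list of leaked or popular passwords.
COMMON_PASSWORDS = {"123456", "password", "654321", "qwerty", "letmein", "iloveyou"}
MIN_LENGTH = 12

# Letters users commonly swap for look-alike digits and symbols (assumed substitution set).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                       "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Collapse the small variations users make when forced to rotate: case,
    a trailing counter/year/punctuation ("Winterholiday2018!" -> "winterholiday"),
    and look-alike substitutions ("P@ssw0rd" -> "password")."""
    s = password.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # drop the trailing digits/symbols
    return s.translate(_LEET)


def check_new_password(candidate: str, previous: list) -> list:
    """Return the reasons to reject `candidate`; an empty list means accept.

    `previous` holds earlier passwords in clear. At change time the user types
    the current password, so the variation check can run against that value
    without ever storing old passwords in a recoverable form."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS or normalize(candidate) in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    norm_candidate = normalize(candidate)
    for old in previous:
        if candidate == old:
            problems.append("reused verbatim")
            break
        norm_old = normalize(old)
        if norm_old and norm_candidate == norm_old:
            problems.append("trivial variation of a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    print(check_new_password("654321", []))
    print(check_new_password("P@ssw0rd2018", []))
    print(check_new_password("Winterholiday2018!", ["Winterholiday2017!"]))
    print(check_new_password("correct horse battery staple", ["Winterholiday2017!"]))
```

The length floor and denylist follow the approach of rejecting known-bad passwords rather than piling on composition rules; the normalisation step is what catches the year-bump and symbol-swap habits that a verbatim comparison misses.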

Hard Copy Exposure

Following the recent false alarm from Hawaii’s missile warning system, questions began to surface about the integrity of the state’s digital infrastructure. Officials insist that the false alarm was due to human error and that the state’s system was not hacked. However, a recently published media photo showing a note with a password stuck to a PC monitor inside Hawaii’s Emergency Management Agency called the organization’s security practices into question. A cyber criminal would likely have been able to use this carelessly exposed password to do far worse than trigger a false alarm on the state’s systems.

It’s a simple fact of life.

Because users need to remember passwords for all of their accounts, they inevitably resort to making hard copies of their passwords. Unfortunately, this practice leads to serious security compromises, as hard copies tend to be easily exposed. Research has shown that this compromising practice has been widespread for years, and it continues to be a common phenomenon among users today.

Weak Password Policy

Enterprise information and security officers (CIO/CISO) have to deal with compliance and password policies. The simpler a policy is, the more vulnerable the organization is; the more complex a policy is, the higher the risk of human error.

And to make a long story short: the more complex a password is, the easier it is to forget, which increases the total cost of ownership (TCO) through the password-reset process.

Storing secrets

Companies and organizations that use passwords to authenticate their users burden themselves with the responsibility to protect those secrets. This means keeping them in secure storage and encrypting them to protect their users against data breaches.

These entities often fail to live up to their duties. LinkedIn had stored the passwords of its users (including Zuckerberg) in encrypted format when it was hacked in 2012. However, it had used a poor algorithm (SHA-1), which made it trivial for the attackers to decipher the passwords. In 2015, giant toymaker VTech was hacked, and because it had used the obsolete MD5 algorithm to encrypt user passwords, hackers could easily access the accounts of millions of children.
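To make the storage point concrete, here is an added example (not code from this post, LinkedIn or VTech) that puts an unsalted fast digest of the kind described above beside a salted, deliberately slow password hash from Python’s standard library (PBKDF2-HMAC-SHA256). The user list and the short list of popular passwords are constructed for illustration; the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os

# Constructed sample data: three accounts, two of which chose the same popular password.
SAMPLE_USERS = {"alice": "password", "bob": "password", "carol": "654321"}
POPULAR_PASSWORDS = ["123456", "password", "654321", "qwerty", "letmein"]


def weak_store(password: str) -> str:
    """Unsalted, fast digest (MD5 here; unsalted SHA-1 shares the weakness).
    Equal passwords give equal digests, and the digest of every popular
    password can be computed once and looked up for ever."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_store(password: str, iterations: int = 600_000) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). The random 16-byte
    salt makes every stored value unique, and the iteration count (assumed
    work factor) makes each guess expensive."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_password_visible(store_fn, users: dict) -> bool:
    """True if two users' stored values collide, i.e. a leaked table shows who
    shares a password before a single guess is made."""
    stored = [store_fn(pw) for pw in users.values()]
    return len(set(stored)) < len(stored)


def lookup_table(store_fn) -> dict:
    """Map stored value -> password for the popular list, built once offline.
    With a per-user salt this table cannot match any real stored value."""
    return {store_fn(pw): pw for pw in POPULAR_PASSWORDS}


def recover(stored_value: str, table: dict):
    """Look a leaked stored value up in the table; None means no hit."""
    return table.get(stored_value)


if __name__ == "__main__":
    print("MD5 reveals shared passwords:", shared_password_visible(weak_store, SAMPLE_USERS))
    print("PBKDF2 reveals shared passwords:", shared_password_visible(strong_store, SAMPLE_USERS))
    print("MD5('654321') found in table:", recover(weak_store("654321"), lookup_table(weak_store)))
    print("PBKDF2('654321') found in table:", recover(strong_store("654321"), lookup_table(strong_store)))
    print("PBKDF2 verify:", strong_verify("654321", strong_store("654321")))
```

The two properties that matter for a breached password table are visible in the output: with the unsalted digest, identical passwords and precomputed lists give immediate hits; with a salted slow hash, neither does, and every guess costs the attacker the full iteration count.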

What are the solutions to password vulnerabilities?

It is now evident beyond a shadow of a doubt that relying on plain passwords is an extremely poor security practice. Fortunately, there are several ways that, as an organization, you can secure your users without complicating their experience. Following are some of the solutions that can protect the hundreds of millions of people (like Zuckerberg) and organizations (like LinkedIn) that fall victim to password vulnerability exploits every year.

  • Multifactor authentication (MFA): MFA involves using several pieces of information to authenticate the identity of the user logging in to a service. With MFA, even if hackers obtain users’ passwords, they won’t be able to gain access to their accounts because they’ll need the other tokens as well. Find out more about MFA here.
  • Password-less authentication: Instead of storing and exchanging passwords, password-less authentication technologies use other methods to verify the identity of users. Find out more about password-less authentication here.