What’s the most effective way of reducing password theft?
October 15, 2018
Emmanuel Schalit, CEO, Dashlane, on reducing password theft for the benefit of businesses and consumers.
Identity theft in the UK was recently described as reaching ‘epidemic levels’, with almost 175,000 incidents last year, and accounting for more than half of all recorded fraud. Much of this is as a result of password theft which, according to a study by Google, was being carried out at the rate of at least 250,000 a week between March 2016 and March 2017.
With high-profile breaches regularly making the news, consumers are understandably concerned that their passwords are being exploited for nefarious purposes. Businesses should be concerned too; these same consumers make up their workforce, so password theft could also represent a significant risk to corporate security.
While it’s certainly good practice to use different passwords for different sites and applications, the reality is that remembering dozens of unique combinations of upper case and lower case letters, numbers and symbols is practically impossible. As a result, most people will tend to reuse the same password over and again, for personal and corporate accounts.
As the lines between work life and home life become increasingly blurred with new practices such as remote working and BYOD, this stands to become a major security issue for both the individual and their place of work. But, as the number of breaches continues to grow, this will only make it easier for cyber-criminals to carry out fraudulent activity.
Passwords are unlikely to be replaced in the foreseeable future, however, so a more secure way of managing them is needed.
A password to a privileged account can unlock a wealth of highly sensitive personal, financial or corporate data, which can often prove extremely valuable on the dark web. With breaches of 57 million and 110 million customer records respectively, the experiences of both Uber and U.S. retail giant Target are examples of the risks that password theft can pose to an organisation’s network or systems.
Corporate breaches can also lead to the passwords of customers themselves making their way into the dark web. 92 million passwords were exfiltrated from genealogy site MyHeritage, for example, and 150 million from Under Armour’s MyFitnessPal app. As mentioned, many of these passwords will have been reused with their users’ corporate accounts and, with email addresses and logins available online, bad actors are able to put two and two together. Indeed, a database of 1.4 billion credentials was discovered on the dark web recently, including a number of government, police and military email addresses, while a separate investigation found over a million corporate email addresses from the UK’s top law firms available for sale, 80 percent of them accompanied by passwords.
Cyber-criminals rarely have trouble acquiring these passwords. Many are stored in plain text files, for example, while others can be cracked and then tested en masse by determined hackers equipped with the right automated tools, widely available on the dark web.
More recently, the breach at Facebook highlighted the implications of having centralised credentials spread across multiple websites. Imagine if a business tool used at work happened to be secured by a Facebook token, the details for which were then bought by criminals – the consequences could be more than identity theft. Think theft of IP, business failure, or even a customer data breach – which could mean bankruptcy under GDPR for many organisations. All this because of a brief moment lacking in cyber hygiene.
All of this activity creates a vicious circle; organisations are breached and hundreds of customer passwords are exposed which, in turn, can be used to carry out identity fraud against their owners, and to target their work accounts, and thus steal more information, and begin the cycle again.
From accessing social media accounts and online banking applications, to paying utility bills and watching movies, passwords are the key to our increasingly digital lives. But they can also grant access to an organisation’s most important corporate and customer data.
Our own research found that the average U.S. user has 150 online accounts requiring a password, and this is set to double over the next five years. Best practice may require strong, complex and unique passwords to maximise security, but this is clearly not practical for so many accounts. Even if a user was to change just one character for each, the system could eventually be cracked by the right automated software.
The only truly effective way of mitigating risk, therefore, is to eliminate password reuse entirely and use strong credentials, updating them immediately should a breach occur. While this will involve a degree of education for employees, it will also require an investment in tools designed for secure password management. The best of these will be easy to use, automatically generating and remembering strong and unique credentials for each account so that users don’t have to. In addition, they may include advanced features such as the ability to sync across multiple platforms for anywhere, anytime access; secure sharing of credentials within a user’s ‘inner circle’; and even two-factor authentication, eliminating the need for passwords altogether.
Kurt Thomas, anti-abuse researcher at Google, suggested that “passwords are no longer a paradigm that you can really trust in”. Whether or not you agree, it’s clear that they should be managed more securely. Organisations need to get smarter about password security, and educate employees so they can be positioned as a robust first line of defence. If password theft isn’t adequately addressed, an organisation, its employees and its customers, and those of many other organisations, will remain at risk.