Padlock / code / hacking

Weighing the costs of poor password security

Password security is a perennial problem for most organizations. Users and employees have chronically poor passwords, and cybercriminals capitalize on these errors to gain access to personal and business accounts. In recent months, the number of credential stuffing attacks, which attempt to leverage breached credentials to access new accounts, has grown.

A successful credential stuffing attack comes at a high cost to the target organization. Deploying cybersecurity solutions that can reduce the risks associated with poor password security, such as Identity and Access Management (IAM) tools, comes with a much lower price tag.

Password security is extremely bad

The problem with passwords is that, while no one likes them, no one has come up with a better idea. Password-based authentication systems are the most common means for managing access to a service because they are simple, and they work. An easily implemented system that users understand is much more likely to gain widespread adoption and use than a more secure system that doesn’t resonate with the users.

However, passwords are an extremely insecure method of managing access to an application. In theory, they are a good idea since users can choose a password for each site that is long and complex enough that it is computationally infeasible for an attacker to crack. In practice, people use the same password across multiple different sites, and these passwords aren’t even strong in the first place.

Cybercriminals automate credential stuffing attacks

This use of weak and reused passwords creates a serious problem for personal and professional cybersecurity. Data breaches have become a near-daily occurrence, and a common piece of leaked data is a list of user email accounts and hashed passwords.

Hash functions are cryptographic one-way functions, meaning that a cybercriminal with access to a password hash cannot reverse-engineer the original password from it. However, password hashes are also deterministic, meaning that hashing the same input with the same hash function always produces the same output.

With weak passwords, this makes “guess and check” attacks against lists of password hashes possible. Every year, a list of the most common passwords is published by a few different organizations. These lists aren’t generated by asking people for their passwords. They are created by cracking password hashes leaked in data breaches. If the “good guys” can do this so easily, it makes sense that the “bad guys” can too.

After cracking a user’s password on one site, a cybercriminal can take advantage of the 53% of people that reuse the same password across multiple accounts. For many online accounts, the username is the email address of the user, which is also commonly exposed alongside password hashes in data breaches.

As a result, cybercriminals have everything they need to attempt logins for other online accounts.

Since these attacks are so easy and so successful, they are becoming increasingly common and automated. In fact, bad bots, performing credential scraping and other malicious actions, account for 24% of all Internet traffic.

The impact of a successful credential stuffing attack

Most people, when put on the spot regarding their weak passwords, say, “I don’t have anything worth stealing.” However, a high percentage of credential stuffing attacks target user accounts at financial organizations. A failure to use unique, strong passwords on banking sites and for other online accounts can put an individual’s finances at risk.

The threat of credential stuffing is not limited to an individual’s personal life. 62% of employees admit to reusing the same password across personal and business accounts. This means that a poor password security policy can put an individual’s workplace at risk as well. During the COVID-19 pandemic, telework became very common and increasingly accepted, with many organizations contemplating a permanent switch to remote work for some or all of their workforce. This meant that organizations are opening up remote access to a growing percentage of corporate resources from the public Internet, making them vulnerable to credential stuffing attacks. This is in addition to common Software as a Service (SaaS) applications, such as Office 365 and G-Suite, which are hosted in the cloud.

Organizations relying upon passwords to protect publicly accessible corporate resources are at serious risk of a data breach or other cybersecurity incident. An attacker with an employee’s login credentials, stolen from a poorly secured website that shares the same password, could put an organization out of compliance with data protection regulations or under threat of lawsuits for breach of contract.

The importance of strong IAM

The problem of poor password security is unlikely to go away any time soon. The risks associated with poor password hygiene are well-known and well understood by most people. However, the majority of the population chooses to accept these risks – both on their own behalf and on that of their employers – in exchange for convenience.

Protecting against the risks associated with poor password security requires deployment of security solutions capable of minimizing the impact of a compromised password. Implementing IAM solutions, such as multi-factor authentication, can help to decrease the probability that an attacker can successfully leverage a breached password into access to the corporate network. Other IAM tools, including behavioral monitoring of user accounts, can be deployed in a detective role, enabling an organization to identify potentially compromised accounts and take action to remediate the issue before a data breach occurs.

Any cybersecurity solution comes at a cost to the organization’s budget; however, the price tag associated with a strong IAM solution is much lower than that associated with a data breach or other cybersecurity incident that it could prevent. The average cost of a data breach is in the millions, making the price of deploying strong security the much cheaper option.

Photograph by Typography Images