Kill the password before it kills you: A Tale on Password Security

Written by
Calvin Hoenes

August 28, 2020

The password is the single biggest cause of security breaches worldwide and it kills your business.

Passwords are everywhere.

Would you like to

…transfer money?

…access your company’s software?

…make a purchase in a new online shop?

…simply login to an app that you haven’t used in a while?

“Please enter your password.”

Almost every device, every app, every program, every shop and every platform today requires your identification using a password for one single purpose: to prove that you are you.

In this article we have simplified the complicated technical processes using concrete examples to help you understand what makes passwords a devastating security risk.

82% of cyber breaches are caused by passwords

Passwords are always weak.

The weakness of the password lies in its very nature: it is a shared secret that can be guessed, stolen or handed over.

To understand why, it is necessary to understand what a password is.

Your password is a set of secret characters (numbers, letters, symbols). It is used to grant access to a computing device, a web service or some other resource.

This means your password is static and as a result, either memorized or written down. These two characteristics of a password are the root cause of all security issues associated with passwords.

Users choose weak or common passwords such as “12345678”, which attackers can guess within seconds.

The first problem lies in creating the password: on average, a person can remember a combination of 7 characters or numbers without any visual support. This means that a password needs to be simple for the user to remember it easily. According to recent studies, 10% of people have used at least one of the 25 worst passwords from last year’s list of the top 100 worst passwords. The most common password used on the internet is still “123456”.

Complex passwords are not secure either and can be hacked easily.

Most security companies recommend using complex passwords made up of a combination of numbers, punctuation marks, capital letters, etc. to secure your account. But it makes no difference whether your password is complex, for two reasons:

1. A hacker can re-compute your password thanks to special software

Hackers use specific methods and technologies to simply re-compute your password. Common ways to do so are so-called dictionary attacks or brute force attacks. Both methods are based on software and algorithms which guess your password by combining billions of possibilities within seconds, based on standard password requirements (e.g. 8 characters, min. 1 capital letter or min. 1 number).

So even if your password is more complex, it’s just a matter of time, before it can be re-computed.
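To make the “matter of time” concrete, here is an added worked calculation (not code from the original article) that counts how many passwords satisfy a typical policy such as the one above (8 characters, at least one capital letter and one digit) using inclusion-exclusion, and compares that with the much smaller space of human-style passwords like “Password1” that a dictionary attack tries first. Class sizes, the dictionary size and the guess rate are assumptions for illustration.

```python
from itertools import combinations

# Assumed character-class sizes for a US keyboard: 26 lower, 26 upper, 10 digits, 32 symbols.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def policy_keyspace(length, required):
    """Count passwords of `length` over all classes that contain at least one character
    from each class in `required`, by inclusion-exclusion over the classes left out."""
    alphabet = sum(CLASSES.values())
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            reduced = alphabet - sum(CLASSES[c] for c in excluded)
            total += (-1) ** k * reduced ** length
    return total


def pattern_keyspace(dictionary_words, digit_suffix_len=1):
    """Assumed human-style pattern 'Capitalised word + digits' (e.g. 'Password1').
    It satisfies the policy on paper, but the attacker only needs one guess per
    word times the digit suffix, not the whole policy keyspace."""
    return dictionary_words * 10 ** digit_suffix_len


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst case time to try every candidate at the given guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    policy = policy_keyspace(8, ["upper", "digit"])
    pattern = pattern_keyspace(100_000, 1)      # assumed 100k-word dictionary
    rate = 1e10                                  # assumed GPU rate for a fast unsalted hash
    print(f"full policy space:     {policy:.3e} candidates, "
          f"{seconds_to_exhaust(policy, rate) / 86400:.1f} days to exhaust")
    print(f"'Word + digit' pattern: {pattern:.3e} candidates, "
          f"{seconds_to_exhaust(pattern, rate):.4f} seconds to exhaust")
```

The full 8-character policy space falls in about a week at the assumed rate, while the dictionary pattern that most people actually pick falls in well under a second; slow, salted password hashing and rate limiting stretch these times but do not change the conclusion.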

2. Users can’t memorize complex passwords

As passwords get more complex, it is harder for users to remember them.

Therefore, users have to find a way to retrieve complex passwords when they forget them. One potential solution is using a password manager. But using a password manager creates an even bigger issue: the “master password”. If a hacker knows your master password, they have access to everything. And master passwords can be re-computed within seconds (see 1 above).

52% of users re-use passwords

Password re-use is the #1 cause for breaches

As mentioned in the beginning, almost every device, every app, every program, every shop and every platform today requires your identification using a password for one single purpose. To manage all these different accounts, 52% (!) of users re-use their passwords, with fatal consequences.

Why re-using your password is so dangerous

Re-using the same password on several sites, or worse, on all of them, lets a hacker reach several or all of your accounts just by attacking the weakest link.

An example

Your current LinkedIn account is secured with a strong password and the company uses high security standards. But what about your old Hotmail address or MySpace account?

It is likely that your login data (what experts call credentials) was one of the 359,420,698 stolen credentials in the giant MySpace breach in 2008. Could it be that you used the same password you are using now for a different account? Then MySpace is your weakest link.

For a hacker it doesn’t matter how strong LinkedIn’s security is today. Your user account, including the password, was stolen 11 years ago along with millions of others, and it is stored online, ready for purchase and use today by any hacker. Using such stolen credentials against other sites is called credential stuffing.

And MySpace is just one example of thousands of breaches that have happened over the last few years. Despite all these breaches, over half of users still re-use their passwords.

Recent figures from the State of the Internet / Security 2018 report confirm that 8.2 BILLION such malicious login attempts (credential stuffing) were recorded within one year.
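Credential stuffing has a recognisable shape from the defender’s side: one source trying many different usernames in a short time, with most attempts failing and the occasional success where a user re-used a breached password. As an added example (not from the original article), the following detector runs that rule over a small constructed authentication log; the log format, thresholds and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<ISO timestamp> <source ip> <username> <result>"
# 203.0.113.7 sprays a breached list across many accounts; 198.51.100.9 is a
# legitimate user mistyping their own password twice.
SAMPLE_LOG = """\
2020-08-28T09:00:01 203.0.113.7 alice FAIL
2020-08-28T09:00:02 203.0.113.7 bob FAIL
2020-08-28T09:00:02 203.0.113.7 carol FAIL
2020-08-28T09:00:03 203.0.113.7 dave FAIL
2020-08-28T09:00:03 203.0.113.7 erin SUCCESS
2020-08-28T09:00:04 203.0.113.7 frank FAIL
2020-08-28T09:05:10 198.51.100.9 alice FAIL
2020-08-28T09:05:15 198.51.100.9 alice FAIL
2020-08-28T09:05:20 198.51.100.9 alice SUCCESS
"""


def parse(log):
    """Turn the constructed log into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that hit at least `min_users` distinct accounts inside `window`
    with a failure ratio of at least `min_fail_ratio`; report any account that
    succeeded inside that burst as likely compromised (re-used password)."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            burst = evs[start:end + 1]
            users = {u for _, u, _ in burst}
            fails = sum(r == "FAIL" for _, _, r in burst)
            if len(users) >= min_users and fails / len(burst) >= min_fail_ratio:
                alerts[ip] = {"distinct_users": len(users), "attempts": len(burst),
                              "compromised": sorted(u for _, u, r in burst if r == "SUCCESS")}
    return alerts
```

On the sample log only 203.0.113.7 is flagged, with “erin” listed as the account whose re-used password worked; the legitimate retries from 198.51.100.9 touch a single account and stay quiet.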

Your passwords are already available for download

Cracking passwords is not even necessary. Username + password combinations are readily available for download on the internet.

Let’s stick to the MySpace example. The credentials gathered in breaches like this are shared within the hacking community (better known as the darknet). Hackers collect the harvest of those breaches, store the stolen credentials in so-called torrent files and provide them to others for download. Those files are collected and kept forever.

And breaches happen every day, not only to the big names but also to small, old websites where users signed up ages ago and in most cases don’t even remember that their old accounts still exist. As a result, the number of passwords available for download increases day by day, without the user ever noticing.

In fact, it is highly likely that your password has already been hacked somewhere. And due to the re-use of passwords, an attacker might have one of your important ones (like your Google password, your Apple AppStore password, or your Dropbox password), too.

And if not, users get phished: a hacker’s easy way in

And if the passwords are not available for download, hackers simply phish users by sending them to a fake website and letting them hand over their login credentials themselves.

To improve security, companies started adding another “security factor” to their login process, e.g. SMS PINs. But the weakest link is the user, and companies can’t prevent users from giving away their PINs and passwords voluntarily, often without ever noticing. This is called phishing.

An example

Imagine you receive an e-mail apparently sent by your bank. The subject is urgent: someone tried to withdraw money from your account and your bank insists that you check this immediately. And of course it’s not you withdrawing money; you are sitting in the office right now, reading the e-mail.

So, what do you do?  

You click the button in the e-mail, which is supposed to lead you directly to your bank’s website. There you enter your login information as usual: you enter your password, you receive a PIN via SMS on your phone and enter this code as well. Your access is granted, and you are led to your bank’s landing page.

What happened? You have been successfully phished and are now locked out of your own account.

How is this possible? Here is what happened in the background:

The e-mail you received was fake. The website you were led to was also fake, adapted to the look and feel of the original one. When you entered your username and password, this information was sent directly to the hacker. While you were waiting for your SMS PIN, the hacker went to the real website of your bank, typed in your username and password and thereby triggered the genuine SMS you had just received.

When you typed the SMS PIN into the fake website, this information too was transferred directly to the hacker, who now only had to enter your SMS PIN on the real website, and was granted access.

This is just one example of thousands of phishing possibilities. And for those websites and accounts that are not protected by a second factor such as SMS, it is even simpler.

Conclusion: The password needs to be removed.

As long as passwords are being used, user accounts will get hacked. Since it’s highly improbable that users will stop being the weakest link anytime soon, you have to kill the password.

This means you have to find a solution that

- Is convenient for users

- Is secure and cannot be hacked centrally

- Prevents attacks such as phishing

Hence many security experts voice the need to move towards passwordless authentication. If you want to know more about passwordless authentication and better understand its limits, risks and best practices, check out our expert’s guide to passwordless authentication.
