Despite how valuable corporate employees' passwords are and the best efforts of companies to protect their systems, user credentials keep ending up for sale on Dark Web forums. Even with the ever-advancing capabilities of the cybersecurity industry, corporate credentials from all industries appear in these notorious virtual auction halls to be used in a wide range of attacks, from simple phishing to complicated brute-force attacks.
Even cybersecurity companies are not fully immune to such threats. According to ImmuniWeb research, a staggering 97% of cybersecurity companies have data leaks and other security incidents exposed on the Dark Web.
Moreover, the research revealed that 29% of these stolen passwords are weak, with fewer than eight characters or without uppercase letters, numbers, or special characters. About 40% of employees from the 162 companies surveyed reused identical passwords from accounts that had been breached. Note that we are talking about cybersecurity industry employees — so awareness is not the issue here.
When cybersecurity companies that should be well prepared to protect their employee data fail to do so, it seems that the problem is not the lack of protections around the passwords but rather passwords themselves. The time has come to question the use of passwords as a suitable authentication method.
High-Severity Account Takeover Exposures on the Rise
Leveraging stolen credentials is the No. 1 tactic used by hackers in recent years due to its relative ease and effectiveness. And since March 2020, the number of high-severity account takeover exposures where corporate credentials with plaintext passwords were exposed has increased by 429%, according to Arctic Wolf.
The prevalence of credential leaks highlights the impossible task enterprise security teams face. Password reuse on third-party sites beyond the borders of a company's perimeter is the main culprit behind most breaches. Unfortunately, we can't simply wish this problem away. Even though 91% of people know password reuse is insecure, 75% do it anyway, according to LastPass. Apart from politely asking employees to abandon such risky password hygiene, company security teams have limited options.
LastPass also reports that an average employee keeps track of 191 passwords. The reality is that we cannot change human behavior. Humans will always opt for the path of least resistance, and in this case, that means convenience over security. Workers shouldn't be expected to come up with 191 unique login/password combinations that are complex enough to pass the requirements. But that is exactly what many organizations are asking for.
Addressing the Root Cause: The Password
There's one way to fully eliminate the vast majority of data breaches, ransomware attacks, and other devastating cyber incidents, and that is to stop depending on passwords. Secrets memorized by humans will always leave a huge crack for attackers, so why not eliminate them entirely?
Authentication based on something the user knows (such as a password, passphrase, or PIN code) is easy to steal, share, or reuse. Moreover, it requires constant management and handling by users and IT managers.
Passwordless authentication verifies user identities without relying on memorized secrets. Instead of passwords, identity can be verified based on:
- A "possession factor," which is an object that uniquely identifies the user, such as a one-time password generator, a registered mobile device, or a hardware token
- An "inherent factor," such as a person's biometric signature, like a fingerprint, face ID, or retina scan
Passwordless authentication is inherently more secure, offers a better user experience, lowers costs and IT overhead, and gives complete visibility into identity and access management by eliminating the possibility of credential reuse, sharing, or exposure.
We can't expect employees who are overwhelmed with passwords to keep good password hygiene. It is simply humanly impossible. The whole idea of a password is broken, as the unprecedented growth of credential-based attacks shows, and passwordless authentication fixes today's problems, rather than trying to wish them away.