Throughout the entire month of January, The Fintech Times will be exploring every dimension of one of the industry’s most pressing topics: cybersecurity.
As we move into our final phase of cybersecurity coverage, this week we’ll be investigating the backbone of the practice itself – passwords.
Passwords form the base of everyday cybersecurity, and they’re the primary line of defence between personal, sensitive data and the claws of cybercriminals. In this week’s coverage of the topic, we’ll be taking a look at the relationship between biometrics and passwords, the future of the password industry and how you can better manage yours.
But before we move onto those intriguing topics, today we must start at the beginning, with how passwords are being broken.
How are passwords being broken?
“Password attacks are a common form of a corporate and personal data breach, with hackers breaking passwords in order to gain access to systems, networks or physical locations, or for financial gain,” explains Jason Dowzell, CEO and Co-Founder of Natural HR. “Research has found that a staggering 81 per cent of data breaches in 2020 were due to compromised login credentials.”
As technology advances, the techniques used to compromise passwords are becoming increasingly sophisticated, keeping pace with the speed of cybersecurity innovation. And although the armoury used by cybercriminals is becoming ever more extensive, recent data has highlighted the prevalence of some techniques over others.
Namely, phishing attacks, which were experienced by 75 per cent of businesses at some point during 2020 and come in as a hot favourite. “Phishing is the use of deception in email or other electronic means to obtain private information, such as passwords, from users,” comments Therese Schachner, a Cybersecurity Consultant at VPN Brains. “An example of phishing is an attacker sending an email or creating a web page, impersonating a well-known brand and prompting users to log into their accounts, with an incentive such as a major sale. Unsuspecting users who enter their login information unknowingly send their passwords and other login credentials to the attacker.”
One of the key by-products of the pandemic is that more and more consumers and businesses are developing a wider online footprint as they embrace the daily use of technology. The downside is that an increasing number of users are also becoming more vulnerable to these types of attacks, especially as corporate teams remain remote.
As Dowzell explains, dodgy emails open the door to cybercriminals, whilst also compromising password security: “Phishing usually takes the form of an email, perhaps from IT, a senior manager or your email provider, requesting that everyone reset their passwords and to click a link to do so. Often, these links will lead users to fake password reset pages in the hope that users will reveal their password voluntarily.”
Aside from email-based attacks, cybercriminals also deploy malicious software, or malware, to capture or bypass passwords, and this form of attack takes many different guises. Viruses, worms, rootkits and ransomware are all commonplace within a malware attack, and as Schachner goes on to explain, so too is the use of keyloggers and trojans: “Attackers use keyloggers to covertly record and exfiltrate the keys users type on their keyboards, including the passwords that users type while logging into their accounts. Another type of malware is remote access trojans (RATs), which allow attackers to obtain clandestine remote access, with administrative privileges, to a computer. Using RATs, attackers can extract saved and cached passwords and take screenshots of login pages where users have entered their credentials.”
Schachner goes on to describe other techniques used to defeat passwords, including the use of cracking tools: “Cracking tools test large quantities of common passwords and passwords that have been leaked, as well as variations and combinations of them, until they guess the correct passwords. With these tools, attackers can make educated guesses about passwords in an efficient manner.
“An example of one of these tools is Hashcat, which computes the hash, or value that represents a sequence of characters, of each password the attacker guesses. Hashcat then compares each hash to the known hash of the correct password in order to determine whether the attempted password is correct.”
The Wider Issue
Although we’ve considered a handful of the malicious practices used to break passwords, the wider attitude around passwords and password management could also be contributing to their weaknesses. For anyone who’s ever used a password, the difficulty in remembering them will be a familiar sensation. Although many sites recommend the use of capitals and special characters to strengthen a password, this approach could also lend itself to their downfall. “Many businesses operate strict policies to change passwords every 30, 60 or 90 days, which, in fact, often leads to weaker security,” explains Dowzell. “Employees have countless passwords to remember and being forced to change these at regular intervals leads to poor security hygiene as they take to writing them down or making them as easy to remember as possible.
“As such, many rely on poor practices and use simple passwords like ‘123456’, ‘qwerty’ or even ‘password’ across multiple systems and accounts. Ultimately, this makes it easy for cybercriminals to crack passwords and access data or systems that they shouldn’t be.”
James Bore, Director of Bores Consultancy, however, points to poor security at the sites that store passwords, combined with reuse, as the main catalyst: “Generally passwords are now broken through cases of password reuse and site compromises. If you use a password on a banking site, and on a small online shop, then if the online shop gets compromised (and has bad security practices) that password and the accompanying email address are now effectively public knowledge. Of course, there are also extensive dictionaries of common passwords used in brute force attacks, and rainbow tables are used to retrieve hashed passwords from compromised sites, but reuse is how the vast majority of passwords are broken.”
The Bottom Line
Although password management is an area that’s due to be explored a little later this week, it is still worth mentioning some of the remedies that could be put in place to prevent the progression of these malicious tactics.
As Dowzell explains, the best offence is a good defence, which could include public education, extra caution online and, of course, stronger passwords: “Employees should be encouraged to use caution, avoid clicking on any links from unknown senders and to question even a recognised sender if the email is suspicious. As a result, training employees on what constitutes a strong password, how to practice good password hygiene and how to identify security threats or phishing attempts is critical.
“Passwords should be created with length (the longer, the better!) in mind, rather than complexity (including upper and lowercase letters, numbers, and special characters) to make them harder to crack.”
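Pulling together the cracking-tool mechanics Schachner describes, the common passwords Dowzell lists and his closing advice on length over complexity, here is an added Python example written for this page (it is not code from the article or from anyone quoted in it). The blocklist, the mangling rules and the three sample accounts are all constructed; the sample store uses unsalted SHA-256 precisely because that is the condition under which a precomputed lookup like this works.

```python
import hashlib
import math
import string

# Constructed blocklist: the passwords the article names plus two more that
# every cracking wordlist carries. A real check would load a breached-password
# corpus of millions of entries instead.
COMMON_PASSWORDS = {"123456", "qwerty", "password", "letmein", "welcome"}

def mangle(word):
    """Yield the cheap variations a wordlist-plus-rules run tries first:
    case changes, letter-for-digit swaps and appended digits or symbols."""
    base = {word, word.lower(), word.capitalize(), word.upper()}
    leet = str.maketrans("aeios", "43105")          # a->4 e->3 i->1 o->0 s->5
    base |= {w.translate(leet) for w in list(base)}
    for w in base:
        yield w
        for suffix in ("1", "123", "!", "2020", "!1"):
            yield w + suffix

def guess_space_bits(password):
    """log2 of the brute-force search space implied by the character classes
    actually present; shows why extra length outweighs class-mixing."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def check_password(password, min_bits=60):
    """Return (accepted, reason): reject anything a wordlist run would find
    instantly, then require enough length for a worthwhile guess space."""
    if any(password in set(mangle(w)) for w in COMMON_PASSWORDS):
        return False, "common password or trivial variant of one"
    bits = guess_space_bits(password)
    if bits < min_bits:
        return False, f"guess space only {bits:.0f} bits; make it longer"
    return True, f"guess space {bits:.0f} bits"

def audit_unsalted_hashes(stored):
    """Defender's self-audit mirroring what the article says Hashcat does:
    hash every blocklisted word and variant once, then look up each stored
    unsalted SHA-256. Returns {user: weak_password} for the accounts found."""
    table = {hashlib.sha256(v.encode()).hexdigest(): v
             for w in COMMON_PASSWORDS for v in mangle(w)}
    return {user: table[h] for user, h in stored.items() if h in table}

# Constructed sample "database": unsalted SHA-256 of three users' passwords.
SAMPLE_HASHES = {user: hashlib.sha256(pw.encode()).hexdigest() for user, pw in
                 (("alice", "qwerty"), ("bob", "Password123"),
                  ("carol", "correcthorsebatterystaple"))}
```

A salted, deliberately slow hash such as bcrypt or Argon2 defeats the one-time table built in `audit_unsalted_hashes`, since every stored hash would then have to be attacked separately; the check in `check_password` still applies regardless of how the hash is stored.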