Password Protection: How Far Can Hackers Get?

Author: Steve Durbin, Managing Director, Information Security Forum

For years, passwords have been the dominant means by which organisations authenticate customer access to online services. Password-based authentication is easy and familiar for customers, and is initially inexpensive for organisations to deploy at scale. But, while password-based authentication may be appropriate in some instances, it is no longer suitable for the wide range of services where it is currently being used.

With the popularity of services such as social networks including Facebook and Twitter, as well as online shopping and banking, the sensitivity of digital information has increased dramatically. With more sensitivity comes increased risk. Compromised passwords can result in financial loss to customers or significant reputational and monetary damage to organisations, as the recent data breaches at Target, Michaels and others have demonstrated.

At the same time, the strength of authentication based on a single password has steadily declined. New technologies and techniques have made passwords more vulnerable to a wide range of attacks, as evidenced by recent breaches which have exposed millions of customers’ personal information including names, encrypted passwords, and email and physical addresses. These limitations are not going away, and it is time for organisations to re-examine whether password-based authentication is providing the appropriate level of risk mitigation.

Passwords Are a Hacker’s Target of Choice

A study of 30 million passwords, exposed when a music website was hacked, found that almost half the passwords were names, dictionary words or sequential characters – all easily guessable and therefore vulnerable. A recent UK government report found that ‘a majority of internet users (57%) continue to say they use the same passwords for most if not all websites’.

Furthermore, technological developments such as increased processing power and advanced exploit kits allow brute force attacks to execute billions of password guesses per second, making it easier and faster to crack weak passwords. It is no surprise that a 2014 global survey found that weak passwords enabled the initial breach in 31% of the 691 investigations the report analysed.

Complex Passwords = Failure to Deliver

Complex passwords are harder to guess and take more time to crack. A 10-digit password that conforms to good-practice complexity rules takes nearly 1,000 times longer to crack than an eight-digit one. However, the implementation of complex passwords creates usability issues for customers, which negatively impacts the customer experience and increases costs for the organisation.
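As an added illustration of the weak-password patterns and crack-time arithmetic discussed above (example code, not from the article or the ISF), here is a small screener that flags dictionary words, sequential characters and short length, and estimates worst-case brute-force time at a billion guesses per second. The word list, the four-character run length and the ten-character threshold are assumptions for the demonstration.

```python
import string

# Constructed stand-in for a breached-password or dictionary list (assumption: a real
# screener would load a large list, e.g. the exposed passwords the study above analysed).
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon",
                "football", "michael", "jennifer", "sunshine", "princess"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
GUESSES_PER_SECOND = 1e9  # the text's "billions of password guesses per second"

def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must search: sum of the character classes present."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in string.punctuation for c in pw): size += len(string.punctuation)  # 32
    return size

def has_sequence(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by +1/-1, repeat, or walk a keyboard row."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
        if any(window in row or window in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False

def is_dictionary_word(pw: str) -> bool:
    """Catches bare words and the common word+digits / word+symbol mangling."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return pw.lower() in COMMON_WORDS or core in COMMON_WORDS

def brute_force_seconds(pw: str) -> float:
    """Worst-case exhaustive-search time; only meaningful when the password is not guessable."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND

def assess(pw: str) -> dict:
    """Report why a password is weak; a guessable one falls to a word list, not brute force."""
    issues = []
    if is_dictionary_word(pw): issues.append("dictionary word")
    if has_sequence(pw): issues.append("sequential characters")
    if len(pw) < 10: issues.append("shorter than 10 characters")  # threshold is an assumption
    return {"guessable": bool(issues), "issues": issues,
            "brute_force_seconds": brute_force_seconds(pw)}
```

Note that the brute-force figure for "Password123!" is large, yet the password falls to a word list immediately; two extra characters over a 94-symbol alphabet multiply the exhaustive search by 94² = 8,836.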

Customers Can’t Cope

Customers are told to carefully select passwords that would be difficult for a hacker to guess, sufficiently complex and different for every service they use. At the same time, they are also told to remember their passwords, and not to write them down or store them on a computer. This is simply not realistic. The number of passwords customers have to manage is constantly climbing. The Norwegian study mentioned above found that on average customers had a minimum of 25 passwords. This number may be too low – a 2014 poll of our ISF Members found that several had over one hundred passwords.

What’s Next?

It is important to determine whether your organisation is carrying an unacceptable risk from using password authentication for online services. If so, you should consider alternatives that will mitigate that risk, while being scalable and cost effective.

Define the Relevant Services and Assess the Risk of Each: Organisations should already have an inventory of the services and information they provide to their customers online. Look at previously conducted risk assessments, or if they’re out of date, conduct new ones.

Decide Which Authentication Factor(s) to Use for Which Services: A username and password may be a perfectly acceptable solution when it matches the risks associated with the service provided. Stronger authentication, from using multiple factors, is more likely to be required for online services that allow customers to perform high-value transactions, such as online trading or banking.

Choose an Identity Provider: Evaluate the identity provider’s capability to match your authentication requirements based on your risk. Also consider whether the identity provider may restrict the authentication solution(s) you are permitted to implement.

Select an Authentication Method: An organisation needs to select an authentication method that matches the authentication factor(s) and the identity provider selected. The chosen method needs to be subject to a risk assessment to ensure that it matches the requirements of the organisation.

Think Alternatively to Lower Your Risk

Organisations need to carefully balance the risks associated with their services against their customers’ experience of using them. Passwords are no longer appropriate as a single factor for authenticating customers to high-risk information or systems, and their unsuitability will only increase as attack technologies and techniques become more advanced.

New initiatives promise to make authentication easier, and organisations have an increasingly wide range of identity providers to choose from. Emerging technologies also show promise. ‘Something you do’ (behavioural) and risk-based authentication could open the door for continuous authentication to happen in the background. The step-up approach allows organisations to provide additional security for sensitive information and applications, while minimising the impact on the customer experience.

Together, these developments allow organisations to improve security in a manner that is proportionate to their risk.

About the Author
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
