Compromised Credentials: Continued relevance for the next half century?

Compromised credentials are the bane of IT leader’s existence. They continue to cause havoc, as headlines and leaders clearly expect. In short, compromised credentials create a number of problems for almost every organization in existence, no matter where they are in the world. According to a recent survey, 65 percent of respondents said they believed their organization would experience a security breach at some point. The culprit appears to be one of the oldest issues out there – compromised credentials.

Passwords date back to MIT in the 1960s. They were designed to control timesharing in its computer lab. Students there quickly realized that they could find ways around them, to gain more time to access the system so they could use it for research in an unlimited fashion. Their use has evolved, of course. They’ve become more complex, their responsibilities have grown and they are relied upon for much more. They are much more than a time tracker tool. Now going around passwords is for nefarious purposes.

Finally, though, it seems that now, more than 50 years later, were beginning to figure out some methods to resolve this issue once and for all. There are many security projects going on today that are the latest iteration, with biometrics seemingly leading the way. One of these methods is the adoption of fingerprint scanners on smartphones. This technology is becoming ubiquitous and can be done on mobile devices, with a PIN code failover. It stands to reason that this technology will be more readily adopted via fingerprint scanners embedded in keyboards and laptops, if the cost and availability were more reasonable.

Other technologies include facial recognition with Windows 10, and additional technology in development by Amazon. While Windows “Hello” requires a special camera that is just now starting to become prevalent in the marketplace, Amazon’s technology will utilize a standard webcam will likely require an iteration of photos where the user changes facial expressions (smile, blink, etc.) to verify them more securely.

Another technology that holds tremendous premise is biometric technology that evaluates the way a user interacts with their keyboard, mouse and smartphone. This method is called keystroke dynamics, and is part of behavioral biometrics. The technology can be utilized not only as a pass/fail threshold test when a user logs in, but can also constantly assess the user’s pattern while utilizing the computer or smartphone.

Behavioral biometrics can potentially alleviate two concerns. This method becomes a second factor of authentication upon login, but can also force a re-validation should something change during the work day. Let’s say a user gets up from their desk for a quick break but fails to lock the screen, another individual can easily walk up to the machine and access their sensitive data. The keystroke biometrics application detects the change in user based on how they are interacting with the computer and immediately ask the person to re-enter their credentials. Another, a third, factor can also be added as part of this revalidation process and require the entry of a PIN that has been delivered via SMS or a smartphone application.

Other options for securing the network from compromised credentials also are available and are even less intrusive to end users. These methods, though, are best utilized in combination with another technology other than passwords. These technologies involve restrictions on who can access the network and from where, and can be useful in mitigating risk from the outside hacker, but do little to prevent an insider from wreaking havoc. Time of day restrictions are one step – limiting when someone can access their machine based on their normal usage patterns. Another step is IP limiting – only allowing usage to sensitive applications and data if the IP origin is within a specific range. Geo-fencing is another option and restricts users based on location range of either the main office or their home for example.

Regardless if one or many of the technologies are ultimately adopted, organizations must move in the direction of securing user credentials beyond the simple user name and password. If not, security breaches because of compromised credentials will continue to occur and this topic will remain very relevant for another 50 years.

Dean Wiech is managing director of Tools4ever, a provider of access and identity governance solutions.

Join the CSO newsletter!

Error: Please check your email address.

Tags Windowsbiometricsinformation leakedIT Securitypassword protectioncyber securitySecurity projects

More about MIT

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Dean Wiech

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts