It's 2018, and we are still discussing passwords!!!
So, I was going through my LinkedIn posts today, when I came across a link a contact had posted showing the top 25 most commonly used passwords of 2016.
Seriously? Does anyone actually use these passwords, or are the results of this survey simply fabricated? Actually, these passwords did not come from a survey (who in their right mind would give out their passwords in a survey, eh!); rather, they were the result of an analysis of passwords compromised through breaches of many enterprise systems in 2016.
You'd be surprised that whilst there is a plethora of controls to reduce a company's susceptibility to password theft, such as password hashing, salting, various forms of encryption etc., they are hardly ever in place. As such, a compromise of their systems often leads to the usernames and credentials of their customers, staff, employees etc. being leaked. Unfortunately, the hacker community is actually much better at collaborating than the cyber professionals themselves, and so is very quick to share the details of any such leaks, including the leaked data itself, online.
And so, back to the matter at hand: it is very easy to download a copy of leaked user credentials online and analyse the data within it to determine the most commonly used and weakest credentials.
As a cyber professional, I have had the pleasure of playing around with password crackers such as 'L0phtCrack' and 'John the Ripper', and I know full well that, apart from their ability to brute force a large combination of characters in a short space of time, they simply start the task by running through these commonly used passwords, which significantly reduces the time it takes to crack a system.
What baffles me, though, is that the password problem has actually been solved. For many years too!!! Multi-factor authentication. It is simply a way of layering multiple forms of authentication to form a strong mechanism for verifying yourself to a system. If one factor is compromised, the other still stands.
Most popular web services such as Google, Yahoo, Outlook, Facebook etc. all support multi-factor authentication, but for some strange reason, uptake has been low.
Right next to the LinkedIn post was another article recently published by Google suggesting that less than 10% of their users had enabled multi-factor authentication (MFA). This is attributed to many different factors, such as a lack of awareness of its existence, a lack of understanding of how it works, a perception that it makes authentication more difficult etc.
Sounds like there is a lot to be done by us as cyber professionals in spreading the message about the need for users to embrace more modern and sophisticated authentication mechanisms such as MFA. In fact, MFA is constantly evolving to ensure a better authentication process for the user without reducing the overall security posture. Over the last couple of years, we have seen newer authentication services branded under enterprise marketing buzzwords such as 'step-up authentication', 'context-aware authentication', 'two-step authentication', 'dynamic authentication', 'token-push authentication' etc. I will not go into the definitions of each of these technologies today, but they are all meant to ensure a better experience for users whilst enhancing the security of the underlying system.
Whilst my cyber security colleagues like to think of the password as a dinosaur, a prehistoric legacy system which has had its day in the sun and should now be a thing of the past, I like to think of it more as a cockroach: one with more than nine lives that will survive the proverbial nuclear holocaust. It is not going anywhere soon. Many systems, both legacy and new, will continue to support it for a long time to come.
So, our work as cyber professionals is extremely important. We have to keep spreading the word. Encourage your users to adopt MFA wherever possible. Where that is not possible, encourage them to use good, strong passwords (what 'good / strong' is, is a topic for another day), whilst embracing good password behaviours: don't write it on a Post-it and stick it on your computer.
Remember, if your dog is called Molly, there is a good chance I will try multiple variations of this if I am trying to hack your account!!!