With the emergence of cloud-based technologies, there is a growing demand for, and a consequent increase in, services offered in this format. Where a user once needed only two or three credentials to perform online tasks, today they must deal with so many that they can barely remember them.
In addition to having to remember complex passwords, users also need to keep in mind that many systems allow only a reduced number of access attempts. Thus, if one enters the wrong password, there is little chance of entering the right one before access is blocked. So, from the user's point of view, the easiest thing to do is to use words that are easily typed and memorized. Recent research by the UK’s National Cyber Security Centre (NCSC) reported that, for the fifth consecutive year, “123456” is the number sequence most commonly used by users as a password. The word “password” is another recurring top choice in this list of commonly used passwords, precisely because it is easy to memorize and type, even though it guarantees no security at all.
The question is: considering these passwords insecure and easy to guess, why do people continue to use them? Users are expected to memorize their passwords and enter them correctly on the first try. However, the complexity required by the password policies of services and companies makes creating a strong and usable password difficult for both ordinary and advanced users. We invite you to keep reading today’s article and discover how the password reset process is essential for Privileged Access Management and, consequently, for a better cybersecurity posture.
The Problem of Managing and Maintaining Strong Passwords
The combination of username and password has been used as a basic defense mechanism for computer systems since their earliest days, preventing unauthorized access to data stored on systems and devices. Despite the creation of passwordless authentication mechanisms, such as biometrics or one-time passwords (OTP), the combination of username and password is still widely used to access systems and devices, because it is easy and inexpensive to implement. In a digital transformation scenario, the multiplication of systems, devices, and their respective credentials is a perfect setting for malicious attackers to collect passwords and, thus, access data improperly.
After all, remembering a single password is much easier than remembering one for each of the dozens (or even hundreds) of services that require some kind of authentication. It is estimated that the number of passwords per user is between 70 and 100.
Email accounts (personal and professional), banking services, corporate systems, devices, and applications are some examples of services that require authentication through passwords. And with the increase in the number of data leaks, it is easy to find compromised credentials being sold for pennies on dark web forums.
And yes, we know that it is not easy to manage so many passwords. Even the most tech-savvy can struggle to manage and protect credentials in so many different environments. In times of personal data protection legislation, such as LGPD and GDPR, ensuring the protection of such data has become more than a security requirement – it is a business must.
Despite all the risks associated with their use, many users and companies use passwords that are easy to guess, such as numbers or sequential letters (123456 or abcdef). SolarWinds itself, the victim of a serious attack on its supply chain, was using the password solarwinds123 in its infrastructure.
The Main Attacks Involving Access Passwords
It is essential to understand the types of attacks that passwords can suffer in order to be able to create a robust password policy. Some of these attacks and vulnerabilities involve:
Dictionary Attacks: A list (dictionary) of words and common combinations is compared against captured password hashes in an attempt to recover the password. The same list can also be used to attempt access to accounts directly, through brute force attacks.
Credential Stuffing: Leaked credentials are tried against other accounts, succeeding when the user reuses the same credentials (username and password) on more than one account.
Replacement: The attacker authenticates successfully by supplying a password or username that is already known to them through some leak.
Password Recovery: When the password recovery process has flaws, the attacker can impersonate the victim and gain access to the password, or even change the current password to one of their own. This can happen, for example, when the recovery process relies on security questions whose answers are easy to guess.
Social Engineering: The use of social techniques to mislead the user and illegally obtain their credentials, or to trick the user into installing password-stealing software.
Keylogging: Malware that, once installed on the system, records everything the user types, including their passwords.
Bad Hashes: Attacks that recover passwords from stored hashes, especially when the hashing algorithm has known flaws, such as MD5.
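To make the "Dictionary Attacks" and "Bad Hashes" items above concrete, here is an added example (not code from the original article or from any product it mentions) that contrasts an unsalted MD5 password store, where every account sharing "123456" yields the same digest and is exposed by a single precomputed dictionary entry, with a salted, iterated PBKDF2 store from the Python standard library. The account names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; "123456" is the top password cited from the NCSC research.
USERS = {"alice": "123456", "bob": "123456", "carol": "correct horse battery"}


def weak_md5_store(password: str) -> str:
    """The 'bad hash' pattern: unsalted MD5.

    Identical passwords produce identical digests, so one dictionary entry
    (word -> MD5) reveals every account that shares that password.
    """
    return hashlib.md5(password.encode()).hexdigest()


def hardened_store(password: str, iterations: int = 600_000) -> dict:
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).

    Two users with the same password get different digests, and each guess
    costs the attacker `iterations` hash computations per account.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["digest"])


def shared_digest_count(digests: dict) -> int:
    """Size of the largest group of accounts sharing one digest (1 means no sharing)."""
    counts: dict = {}
    for d in digests.values():
        counts[d] = counts.get(d, 0) + 1
    return max(counts.values())


if __name__ == "__main__":
    weak = {u: weak_md5_store(p) for u, p in USERS.items()}
    hard = {u: hardened_store(p) for u, p in USERS.items()}
    print("accounts exposed by one MD5 dictionary entry:", shared_digest_count(weak))
    print("accounts sharing a PBKDF2 digest:", shared_digest_count({u: r["digest"] for u, r in hard.items()}))
    print("alice verifies with her password:", verify(hard["alice"], "123456"))
```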
Password policies can be combined with software and tools to further protect systems and devices. Some of these tools include password managers or, for organizations that want to protect their assets, Privileged Access Management (PAM) solutions.
Password Managers and PAM Solutions
Password managers and PAM solutions are tools that can generate secure passwords and authenticate to systems automatically, eliminating the users’ task of remembering and entering passwords for different accounts.
It is worth remembering, however, the importance of protecting, and never losing, access to these tools: once the access credential is compromised, all accounts connected to the user may be lost. It is also worth keeping these passwords up to date, because if a vulnerability is exploited, all stored passwords will be exposed.
If there is a suspicion that the password policy or the passwords themselves are compromised, the recommendation is for the company to move quickly to mitigate the cause of the compromise and require all users to change their passwords.
Finally, there must be a consensus on protecting users from creating bad passwords, without generating password creation rules that are too difficult to follow. Raise awareness and allow people to recognize that their passwords are insecure, so that they can choose strong and secure passwords for both work and personal access.
The senhasegura Solution
Passwords are one of the oldest security mechanisms in the computing world and are also one of the main attack vectors used by cybercriminals. By managing them properly, we can avoid cyberattacks that can cause considerable damage not only to people but also to companies.
A more secure approach to the use of passwords is one where each password can only be used once. Single-use passwords protect users from credential theft: unlike static passwords, which never change, a password that is used only once is of no further use to an attacker who captures it, which makes systems more resilient to attacks.
Once inserted in senhasegura, the passwords are managed by the solution. This means that, at any time, the solution can change a password. These changes can occur in the following ways:
Determined by the company’s password policies (automatic). Based on the company’s password policies registered in the system, the solution automatically and periodically changes the passwords, facilitating the work of its information security team.
Determined by password exposure (automatic). When a user is allowed to see a password held by the solution, they can use it for a specified period in the system. When this time is over, the system immediately changes the password, so that custody of the credential returns to the solution.
Requested by an admin user. A user with administrator rights in the system may at any time schedule a password change for some or all devices registered in the solution.
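The three rotation triggers described above can be modelled as a small decision routine. The following is an added illustration, not senhasegura's code: the policy values (30-day maximum age, one-hour exposure window), the `Credential` fields and the precedence between triggers are hypothetical assumptions chosen for the example, and the timeline uses a constructed base timestamp.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed base time; at(h) returns a timestamp h hours after it.
BASE = datetime(2024, 1, 1, tzinfo=timezone.utc)


def at(hours: float) -> datetime:
    return BASE + timedelta(hours=hours)


@dataclass
class RotationPolicy:
    """Hypothetical policy values, not product defaults."""
    max_age: timedelta = timedelta(days=30)          # periodic change (trigger 1)
    exposure_window: timedelta = timedelta(hours=1)  # how long a viewed password stays valid (trigger 2)


@dataclass
class Credential:
    name: str
    last_rotated: datetime
    exposed_at: Optional[datetime] = None           # set when a user is shown the password
    admin_requested_at: Optional[datetime] = None   # scheduled change requested by an admin (trigger 3)
    generation: int = 1                             # bumps on every rotation


def rotation_reason(cred: Credential, policy: RotationPolicy, now: datetime) -> Optional[str]:
    """Return which trigger fires at `now`, or None if the password may stay as it is.

    Precedence (an assumption of this example): explicit admin request, then an
    expired exposure window, then the periodic maximum age.
    """
    if cred.admin_requested_at is not None and cred.admin_requested_at <= now:
        return "admin_request"
    if cred.exposed_at is not None and now - cred.exposed_at >= policy.exposure_window:
        return "exposure_window_elapsed"
    if now - cred.last_rotated >= policy.max_age:
        return "policy_max_age"
    return None


def rotate_if_due(cred: Credential, policy: RotationPolicy, now: datetime) -> Optional[str]:
    """Rotate the credential if a trigger applies; custody returns to the vault."""
    reason = rotation_reason(cred, policy, now)
    if reason is None:
        return None
    cred.generation += 1
    cred.last_rotated = now
    cred.exposed_at = None          # the exposed value is no longer valid
    cred.admin_requested_at = None  # the scheduled request has been honoured
    return reason
```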