An in-depth discussion on the pervasive issues with passwords and the road to passwordless authentication. The session features host and Mobile Mentor Founder, Denis O’Shea, Yubico Solutions Engineer, Shakeel Aziz, Microsoft Cloud Endpoint Technical Specialist, Nick Cordova, and Mobile Mentor Digital Identity Lead, Demetrius Cooper.
During the conversation, the group discusses the downfalls of password management tools, passwords existing as a primary attack vector, and methods of preventing new hacking attempts.
Read below for a synopsis of this conversation on password vulnerabilities.
What are the problems that manifest in the world today as a result of poor password management?
Shakeel Aziz: You know, passwords were originally designed to be used as authentication methods to log into single devices, single Web servers on the Internet, and single machines. But as we’ve seen, the number of devices has just exploded over the last ten years alone, and with digital transformation becoming a big swing in momentum, guiding organizations to move infrastructure from on-premises into clouds, we’ve seen an explosion of services as well. Whether they’re consumer or commercial, we’ve seen an explosion of identities. So, we now have millions and millions of identities that are essentially available online.
If you think about passwords, the problem with scale is that they simply don’t scale well. We can’t expect your average user or human being to be able to memorize or recall every password they entered into every service that they use.
We essentially have password hygiene becoming a major issue, where users are reusing passwords or making them incredibly predictable. And these are predictable behaviors, and a lot of this was driven by password policies. For instance, you have to rotate your password every 90 days, etc. It has to be complex and use special characters. Well, a lot of that guidance is no longer serving us. I think it’s actually driving poor password hygiene.
Even the National Institute of Standards and Technology has dropped certain provisions around the control of passwords and policies. I think they’re no longer mandating rotation, just because it leads to poor hygiene and more predictable types of passwords.
What we’ve seen then is the obvious: the password is a primary attack vector. And initially, we saw this with attacks such as credential stuffing, where you can purchase a password list from the dark web and then just try to access particular services with those usernames and passwords. And if you get a match here, you’re in the account. Another technique has been password spray. You have a list of passwords and you’re just essentially going to hit large numbers of accounts on a particular platform and service.
The passwords that are being attempted are the most commonly used. So hackers have lists of these passwords and they essentially just spray a particular platform. Even if you get 10% of those accounts you’re able to take over, that’s still a pretty good run rate.
What we’ve seen now is organizations moving towards multi-factor authentication. Multifactor authentication is extremely good at preventing credential stuffing attacks, password reuse, breach replay, as well as password spray attacks, because once bad actors hit that two-factor verification, they just leave it and move on to the next account.
Multifactor authentication has done a really good job at stifling breaches, so things like password spray. We have seen the evolution to what’s called phishing 2.0, which evolved to circumvent multifactor authentication.
In the past, you would get an email that maybe had really poor grammar and spelling with a link to click on. You would have a page that would pop up that would look like the authentic service that you were trying to access. To the untrained eye, the user would provide their credentials. And that’s a phishing attack. Give your username, give your password, and then the attacker would gain your credentials in that manner. Where we are now is where we’re dealing with the aspect of phishing which is social engineering. That is the biggest threat that we’re facing at the moment.
Denis O’Shea: To add a data point just to support one of the things mentioned: I recently saw a list of the prices that the market is paying for specific exploits. The cost right now for a set of a thousand compromised credentials is $0.97. Less than a dollar buys you a thousand matching pairs. So, it just shows how commoditized that market is and how many sets of credentials are out there in the wild.
What are you seeing happening with businesses to address password vulnerabilities?
Demetrius Cooper: I see a lot of customers hearing that this is a foundational issue, and they don’t know where to start. They’ll hear that things like LastPass or any other password provider are the solution that they should work with. But in the past ten years, there have been at least five major password managers compromised. So, the convenience is there, and the end users are driving what technologies are put in place. But the authority of the security teams and the risks of organizations should be prioritized.
More recently a password manager with about 25 million customers was compromised. Fortunately for that password manager, it was done in their development environment. But as a result of that password manager being compromised, there’s a loss of trust that can never be regained.
Now that puts the focus on password providers to secure their infrastructure and also figure out a solution for end users to move away from those passwords. So the focus is on groups like us, Yubico, and Microsoft, to now provide passwordless solutions for our end users, because we simply cannot trust the legacy password management tools.
From a Microsoft perspective, what is happening in the world of passwords?
Nick Cordova: Out here, we work with multiple customers all across the world, all different types of organizations in different industries. It’s become more and more common that organizations aren’t taking passwordless very seriously.
For example, only about 26% of admins have MFA enabled. You hear all sorts of these kinds of wild statistics on doing the little things right with passwords.
So we need to just keep helping our customers, as partners with each other, move towards the passwordless journey. We recently talked a little bit about a couple of the most recent breaches, and there have been a few more since we spoke last.
I want to touch on the Twilio attack. This was so interesting because of the downstream effect that it had on other organizations. And it started out with SMS phishing messages that were portrayed to be from IT. They were able to convince some employees to enter their credentials into a spoofed Web address, which compromised their accounts. What they went on to do with those accounts, or with that access, was terrible.
In contrast, I know there was an attack campaign that went out to over 130 organizations, and some were able to curb the attack with passwordless mechanisms, by having the right security in place.
Shakeel Aziz: Twilio is a great example of what we’re seeing in the wild today with attacks on other organizations orchestrated in a similar fashion. What really strikes me is that the attacks themselves are not highly sophisticated. We hear in the media that the attacks are extremely sophisticated, but when you really dig through the details, you realize that they’re actually being carried out by bad actors that are not very highly sophisticated in terms of their technical ability.
That highlights the problem in even greater detail: these types of attacks can be carried out by threat actors with relatively little technical knowledge in comparison to what we perceive.
Nick Cordova: Another breach we recently witnessed was the Uber attack. And this started with credentials, the compromised username and password that had been brought in from the Internet. From there, that allows the attacker to do what they wish. What happened in this case was MFA push spam notifications. That’s where the attacker is just going to repeatedly send those notifications for MFA until an employee eventually gets sick of seeing it and goes ahead and accepts it. In this case, the employee was contacted via social engineering on WhatsApp and told: if you want these MFA notifications to stop, just go ahead and hit accept. The user’s account was then compromised. The attacker added his own device as an MFA device and then, from there, went and caused havoc with that access. That’s a very common thing right now.
That’s why Microsoft has started to roll out some new features, such as number matching and geographic location. Some of those features are in preview right now with Azure AD that can be enabled for organizations and will hopefully attempt to curb some of those MFA push notification attacks. But this problem will always exist with passwords in place.
Denis O’Shea: I heard a really interesting data point this week. 1% of users will accept an unprompted MFA request. So if they just get a request out of the blue, one in 100 will click Accept without knowing who’s trying to log into their account; they just give it away.
So if we sum things up, essentially we’ve learned that we’re human beings, not walking databases. We cannot remember up to 200 passwords, especially not passwords that are strong and unique, have alphanumeric characters, and all that. We can’t trust password management tools because they’re under attack themselves. The MFA channel can also be compromised. And that puts us in a situation where we really desperately, urgently need to go passwordless.