The Cure For Compromised Credentials

Ask the average computer user how to keep safe and secure online, and ‘strong passwords’ is likely to be one of the first principles mentioned.  We’ve all been instructed, at some point or another, to ensure that we use long, complex and various passwords across different online accounts and websites.

It is an easy principle to explain to end users.  The more complex and unusual your password, the harder it is for a cybercriminal to guess or crack it.  Simple, right?  The trouble is, the majority of cyberattacks involving compromised passwords don’t involve guessing or cracking at all – they involve bulk password thefts.

Twitter is just one of many high profile companies to have fallen victim to a login credentials theft, with over 30,000,000 usernames and password pairs allegedly now being sold online.  Little surprise, perhaps, that Verizon’s Data Breach Investigations Report for this year suggests that over half of recent data breaches were due to compromised credentials.

A bulk credentials theft immediately undoes the benefit gained from creating strong passwords, both for the end users and the targeted companies.  In the Twitter case, many of the stolen passwords contained 30 characters or more; they were strong password by most commonly accepted standards.  Yet the minute they were stolen, their strength became irrelevant.  They were already openly in malicious hands.

‘Encryption’ is the classic response to this scenario; if those passwords are encrypted, surely it matters less if they are stolen?  Well, yes and no.  Sophisticated attackers may still be able to decrypt and use the stolen passwords; and, regardless of what actually happens to them, the organization from which they were stolen is still obliged to tell its users what has happened – and brace itself for the reputational damage that ensues.

 One step stronger

So, in a world in which cybercriminals can, and increasingly frequently, do manage to steal passwords en masse, a new type of protection is needed.  Enter two-factor or even multi-factor authentication (MFA).

The basic aim of two-factor authentication or MFA is to add an additional, context-specific verification step beyond the initial password request.  This strengthens the login process not only by making it more complex, but also by making it time-sensitive, so an attacker who does manage to steal the verification information is unable to use it outside of the initial login attempt.

The most common way of introducing this layer is by sending a code, known as a token, to the user’s phone. This, too, adds extra security, because SMS messages are extremely difficult for cybercriminals to intercept; the user will almost always have their phone with them, and the SMS does not touch their email account, which may have already been separately compromised.

Variations of multi-factor authentication include secondary passwords for which only selected characters are requested during each login attempt, and biometric data such as fingerprints and iris scans.  Other organizations choose to send out physical devices to their users, which generate those unique tokens.  However, the code option is not only extremely efficient; it is also easy and cost-effective to implement, making it a suitable option for rolling out to organizations on the same scale as regular username/password verification.

 Protecting credential outside and inside

It is crucial for organizations to remember that the weaknesses of standard username/password credentials apply not just to customer accounts, but also to their employees, business partners and contractors – in fact, anyone that wants to access the organization’s networks or resources. Here, basic username and password pairs are typically used to control access to the corporate network, applications, files and, increasingly, endpoint mobile devices.  MFA can play a critical role here, in improving enterprises’ internal network security, and guarding against theft of sensitive data.

Perhaps it is unsurprising, then, that the market for integrated, secure multifactor authentication solutions is growing fast, as more and more organizations introduce this extra layer of verification for consumers and employees alike.

One useful element for businesses to consider when introducing MFA internally is the ability to assign variable levels of verification according to, for example, the user in question, the services they require, the resources they need to access and even the IP address they are using.  This sort of flexibility is crucial in order to build a truly scalable and agile security posture.

 Bulk thefts of login credentials have taught us that the one-size-fits-all, blanket approach of traditional username and password pairs is broken.  Now, end user security needs to be context-specific, time-sensitive and adaptable to the needs and situation of different users. Two-factor authentication or MFA can truly be the cure for compromised credentials.

About Andreas Åsander
Andreas-AsanderProduct Marketing at Clavister

In this article