Password reuse allows fraudsters to use credentials stolen on one website to take over accounts on other sites.
It’s World Password Day again, the day created to herald the guardians of our corporate secrets, personal correspondence, medical information, purchasing information and, of course, our money.
The scary fact is this: As guardians of our identity, passwords aren’t doing a very good job. As a matter of fact, according to the most recent edition of the Verizon Data Breach Investigations Report, 81 percent of the breaches involved stolen or weak passwords. Why aren’t passwords protecting our accounts the way they should?
Good passwords are hard to create and easy to forget
On the IT side, password issues are the number-two problem faced by help desks, second only to, “My printer won’t print.” And, for businesses as a whole, password issues are a major source of friction, especially for retail transactions. A recent UK study indicates that strict password rules can lead to a checkout abandonment rate of 18.75%—almost one in five buyers. For users, the picture is just as bad. According to an Intel study, the average individual has 27 passwords. The same study reported that 37% of us forget at least one password per week, not that we need statistics to confirm that remembering passwords is difficult.
And this difficulty leads to one of the most common—and dangerous—password practices around: password reuse. Almost half of us use the same password on multiple accounts. This means that, more often than not, the theft of one password will compromise multiple accounts.
Passwords are not going away any time soon
If passwords are so much trouble and lead to so much risk, why do they still play such a dominant role in security? The answer is, at least for now, that no better alternative exists.
Multi-factor authentication (MFA) is often put forth as a solution to the shortcomings of passwords, but MFA itself has problems. To begin with, it adds friction to every transaction. Biometric authentication reduces friction, but woe to those whose biometric credentials are compromised: You can’t change your fingerprints or your iris image. You can’t change your mother’s maiden name, either, which is why challenge questions aren’t a perfect solution; their answers can also be stolen. Token-based MFA, meanwhile, is inconvenient, especially when the token is a physical object that can be forgotten, lost or stolen.
Undiscovered stolen passwords are a big problem
High-profile breaches at companies like Equifax, Anthem, and Yahoo have put the problem of stolen passwords in the headlines. In response, companies have set up password defenses—but they tend to do so only after discovering a breach.The window of time between breach and discovery can be weeks, even months—and it’s during this window that companies and their consumers face the most risk.
The greatest window of risk is the period of time between the date of the breach and the date of its discovery.
During this period, neither users nor the breached organizations (retail chains, banks, etc.) are aware that there’s a problem. Cybercrime organizations have free reign to pilfer the vulnerable account—and they do. Then, when they’re finished extracting as much value as they can, they post the stolen passwords on the dark web, where other criminals can buy and use them on as many sites as they can. The monetization of stolen passwords, carried out at scale via the use of automated attacks such as credential stuffing, costs more than $10 billion in fraud losses annually.
Protecting customers from themselves
Living in the password economy comes with certain responsibilities. Among them, we must prevent fraudsters from using stolen credentials on any web site as soon as they’re stolen. Shape Security’s Blackfish technology does just that.
Here’s how it works. Shape Security protects more than 1.4 billion user accounts at some of the world’s largest brands from automated attacks. We know immediately when a password at one of these sites has been compromised. Blackfish, in turn, can immediately alert companies when a stolen password is used on their web or mobile applications. Then companies can take action such as a forced password reset, a step-up authentication flow, or placement on a watch list.
Say goodbye to World Password Day?
By lowering the success rate of automated attacks, Blackfish actually changes the economics of these forms of cybercrime. When success rates drop, so do the profits of the organizations perpetrating them. They may be forced to shut down operations—or at least look to cause trouble elsewhere.
Maybe one day we can say goodbye to World Password Day.