Passwords Are the Biggest Security Hole Created or Existing Today: Is Passwordless SSO Needed for Consumer Apps and Websites?
By the end of 2019, a year that witnessed significant cyber security breaches, we are convinced that passwords are still the Achilles heel of security, driving tarnished brands, monetary loss and customer misery around the world. This year we saw major incidents declared by businesses including MyFitnessPal, a nutrition app, which affected more than 150 million users, and Ticketmaster (UK), which announced that the breach affected less than 5 percent of its global customers, who number in the hundreds of millions. Similar incidents were also reported by Typeform, an online survey company, and PageUp, a recruitment platform. Recently, Reddit also confirmed a breach after employee accounts were compromised by cybercriminals using the passwords sent by SMS as part of the business’s 2-factor authentication framework. This increasing number of incidents shows that passwords are the biggest security hole created or in existence today. But what is the solution? This article shall answer.
Passwords as Security Threat
In view of the power acquired by knowing someone’s password, it is not surprising that many people, ranging from so-called “friends” to professional criminals, attempt to find them out. Precautionary measures against password theft or loss are most effective when users and systems cooperate. System designers must beware of making password controls so inconvenient that users look for simpler ways around them. Users’ acceptance of inconvenience will differ based, among other factors, on the business structure and on how they see the significance of the information and services being shielded. The selection of measures should hence take these factors into consideration.
It seems to be a GDPR-breach era. The GDPR decrees “a high level of protection of personal data” and that measures should be in place “to stop abuse or illegal access or transmission” of this data. Against this background, it is obvious that static passwords are no longer fit for purpose. In a corporate setting, they give attackers a golden opportunity to pass unobstructed through the cyber front door, en route to highly complex IP and customer data.
Here, it is not only the data at stake. By leaking those all-important, confidential passwords, hackers may launch “cyber-physical” attacks targeting the critical infrastructure of the state. The precedent has been set: in late 2015 and 2016, hundreds of thousands of Ukrainians were left without power after high-level attacks on the country’s energy providers.
Looking under the Business Hood
Many reports and studies have repeatedly warned businesses that passwords are no longer sufficient to keep out cybercriminals. The 2017 Verizon Data Breach Report revealed that around 81% of hacking-driven breaches occur through exploitation of weak or stolen passwords. Yet, as has troublingly become common today, many of us are still relying on this insecure and outdated method of authentication. Users aren’t the only guilty party; businesses are too.
Research recently led by Intercede revealed that 86% of systems administrators in key enterprises – the individuals holding the keys to a business’s kingdom – are using mere basic password authentication to shield data. What’s more, around 17% of respondents confessed that they were using ‘basic/simple passwords.’ If the individuals responsible for managing ‘access all areas’ in the business’s IT infrastructure cannot be relied on to lead by example and protect their own accounts well, then how can the employees in that organization be expected to do the same? Furthermore, how can customers trust such businesses to keep their sensitive information or personal data safe?
The Better Way for Cybersecurity
Because password hacking is the most significant factor behind cybersecurity breaches, businesses are heading towards a password-free future. This is important because whenever Telegram or WhatsApp gets hacked, only a negligible number of users are affected rather than everyone, unlike email-based or password-based systems. We analyzed FIDO2 and found that it is not user friendly. We suggest that all services like Facebook, Google, Twitter etc. should deploy some other method or allow passwordless SSO for consumer websites. That would be the first step towards a password-less future. And it is mandatory, since passwords are the biggest security hole created or in existence today.
QA Architect/Manager | Ex-Okta | Ex-CapitalOne | Ex-EMC DataDomain | Ex-Google | Ex-Apple
5 years ago: Totally Agree. "620 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts" https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/? Certainly 1 or 2 accounts of everyone have been hacked once at the least. Hackers are ahead of the game than cybersecurity. It's time, things should turn around the other way.
Seed2Exit, Co-Founder, Global Strategy and Execution, CleanTech, Green Hydrogen
5 years ago: Agreed when it comes to security. When security is breached, then privacy is breached.