Recognizing Pi Day as a Reminder to Avoid Irrational Password Management

Until we safely arrive to the future day when passwords are unbreakable and private accounts remain as much until expressed consent to access is given to others by the account holder, usernames and passwords will continue to hold a prominent place in building cyber security maturity. Because passwords currently hold a prominent position in maintaining account security and are susceptible to attacks, it is worthwhile to discuss how users must behave to maintain password hygiene and overall account and identity integrity.

With it being Pi Day today, the focus will be on rational and irrational password management behaviors, the latter of which is defined as “not logical or reasonable” (while also a description of 'Pi'?as a number). And while Pi is not an acronym for password irrationality, it could be.

Setting the table for this presentation are case studies and related statistics demonstrating the gravity of maintaining proper password hygiene.

The Landscape

?Statistics and reports vary on the following, but per data conveyed by Dashlane , a reputable password manager service, approximately 80% of data breaches in 2023 perpetrated by external threat actors were directly connected to “weak, stolen, or reused passwords”. This data corresponds almost directly to the oft-cited data that somewhere between 80% and 95% of all breaches originate with human error. These crimes have accumulated costs and losses of approximately $12.5 billion in 2023, per the Federal Bureau of Investigation (FBI) , demonstrating a significant problem in need of a strong solution.

An unfortunate conclusion of these data are users either too frequently act irrationally or are overwhelmed and taken advantage of by threat actors through phishing or social engineering attacks. And once some malicious access is gained, it seems there is no end to what can happen next. Data breaches against 23andMe, Norton, and Freecycle serve as case studies of both what can happen with poorly guarded or ineffective password hygiene and how easily millions of legitimate username/password sets can be stolen.

What happens to all the usernames/passwords following a breach? These data are often packaged, encrypted, and sold (sometimes back to the victim via a ransom), allowing threat actors to financially gain or act as the user, possibly even making changes to passwords making it more difficult for the actual user to re-access the account or mitigate any damage. Additionally, more sophisticated threat actors are essentially able to force web users to brute force websites while browsing with a maliciously embedded password thieving software.

According to a report from the Federal Trade Commission , “As many as 9 million Americans have their identities stolen each year” as a result of largely what are irrational security practices. The unfortunate reality of the current threat landscape is that access to small amounts of data (i.e., username and password sets) can quickly snowball into capturing more sensitive personal data (i.e., SSNs) that can effectively derail an individual’s life while they restore order from challenges related to identity theft.

Awareness of whether your data has been exposed through a breach is rational behavior within this current landscape. To determine if your user account information, which could include passwords, have been exposed in a data breach or are available on the dark web, haveibeenpwned is a helpful resource.

Irrational Practices

So, what are some irrational practices that are contributing to incredibly high levels of username and password theft?

The first and most common is the continued usage of weak passwords. With AI aided software, threat actors are able to crack most simple passwords in a matter of seconds.

Another is that most account holders favor single factor authentication—usually just one of the aforementioned, simple, weak passwords—that offers no meaningful protection. Multi-factor authentication is the current, rational response.

A third is the continued use of unsupported software that exacerbates the vulnerabilities already inherent in any digital product. Being unsupported means no updates or provider services are exist for the software.

All three of these behaviors are simple and habitual and must be addressed, given the knowledge currently available about the risks inherent in password mismanagement. Fortunately, the future landscape is working to address these challenges, as well as wide scale adoption of this technology.

Considering Alternatives to Passwords

The username and password pairing has become ubiquitous almost to the point of creating an inextricable link between the two that alternatives are not generally considered. There are moves, though, toward a “passwordless” future focused on a similar but different technology: passkeys. The FIDO Alliance (Fast Identity Online), a self-described “open industry association with a focused mission: reduce the world’s reliance on passwords” through the use of a token or device, likely a mobile phone, and perhaps a universal PIN.

What makes the passkey a unique improvement to a password is that without the device, no access will be granted, meaning it will be far more difficult for a threat actor to steal your information and enter your account. Beyond that, passwords would no longer be needed or stored because the device is the key. Phishing attacks and more general data breaches will be greatly limited given the lack of transferability: the device must be stolen along with a fingerprint or PIN to open the device. As Alex Weinert , director of identity security for 微软 put it , “There’s no password attacks when there’s no password present”.

For an excellent overview of passkeys, check out this feature from Smashing Magazine . The ability to outsource passcode strength, creation, and memorization should, in time, prevail, which should significantly limit the ability to behave irrationally.

Improve your passwords today

As the large scale migration to passkeys has not yet commenced, it remains imperative to eradicate irrational password practices to the extent possible. The first is to create strong passwords, which is generally accepted to contain a minimum of 12 randomly generated characters with at least one each of lowercase and uppercase letter, number, and symbol. If a password does not currently meet these criteria, the recommendation is to reset them using this basic principle. To test the strength of a password, passwordmonster is a solid resource.

Taking these small considerations will go a long way in lessening your cyber risk, which is the rational next step.

In the United States, Zurich Resilience Solutions managed security services are provided by SpearTip, LLC.

Copyright ? 2024 SpearTip, LLC