Sam had to create a password for a critical business application, so he made sure he chose a complex one with numbers, upper- and lower-case letters, and special characters. A few days later, however, Sam discovered his account had been breached! His first thought? “I set the most complex, hard-to-guess password; how did the cyber attackers manage to hack it?”
This is the reality today. Cybercriminals are constantly upgrading their attack methods and can hack even the most complex passwords with ease. So, even if you manage to create a long, complex password, attackers will leverage the shortcomings of complex passwords.
Limitations of Complex Passwords
- Hard to remember: You may conform to password complexity rules and create passwords that meet benchmarks such as a 12-character password that would take 2 centuries to crack. However, is it humanly possible to remember such a long password for each of many digital identities? Remembering the complex password of every account is a daunting task, and that is a weakness an attacker takes advantage of. By the time you recall your password, chances are the hacker has already made it into your account.
- Saving your passwords: So you think, okay, I’d rather write down my passwords, and since we are in the digital age, you may choose to save your complex passwords in an Excel sheet or a web browser rather than on a piece of paper. But this isn’t a safe practice either. According to an article, a malware named “cookiemini” can steal passwords saved in Chrome.
- Resetting passwords: Passwords should be reset frequently, a security protocol that cybersecurity professionals swear by. However, when you reset a complex password, the new one must comply with the password complexity rules and be as complex as the previous one, if not more so, which brings you back to square one: recalling complex passwords or saving/storing them.
Say you overcome the limitations above and manage your complex passwords efficiently; attackers will still use complex attack methods to crack your complex passwords.
Try a Complex Password, and the Hackers Will Try
- Social Engineering: If there is one thing cyber attackers are successful at, it is exploiting human psychology. They lure the user into clicking a link, downloading a “trending” business application or software, or accepting pen drives/CDs as a promotional gift, all of which are infected with a virus. Once the virus enters the system, even the most complex passwords may be decoded and exposed.
- Keylogging attack: No matter how unique your password is, you still have to type it, and those keystrokes can be captured. The attacker infects your system with a virus, possibly through phishing or by tricking you into downloading a malicious application, and the virus keeps tabs on what you type; it records the user’s keystrokes and eventually extracts the password. Also, 80% of all keyloggers are not detectable by antivirus software or firewalls.
- Rainbow table attack: The name sure is pretty, but the after-effects of this attack aren’t. Stored passwords are hashed: if your password is 1234556 (the plain text), hashing converts it into an unreadable string, something like #0!$@0#$`!!. Password hashing is what keeps credentials safe and hard to decipher. So, the attacker uses a rainbow table, a set of pre-computed hash values paired with the plain texts that produce them; once a stolen hash is matched, the attacker has candidate passwords in hand and will eventually end up on the right one.
- Malware: Infecting critical systems with malware, malicious software that can steal your passwords, is an attack technique that cybercriminals have used since time immemorial. Even today, malware remains one of the main causes of credential theft and data breaches. With the ubiquity of free software, we go on downloading sprees and may end up installing malware on our systems. According to research by Kaspersky, 2019 saw a 60% increase in malicious software designed to steal passwords.
Therefore, attackers are not going to stop trying and will find a way to break into the system they have their eye on; as long as there is a password (even a complex one), they have hopes of hacking it successfully. So, what would be a good alternative?
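The hashing and precomputed-table lookup described in the rainbow table bullet above, as an added Python example that is not from the original post. It goes beyond the post by also showing the standard defence, a random per-user salt combined with a slow key-derivation function, which makes any table computed in advance useless. The candidate list is constructed, a plain hash-to-plaintext dictionary stands in for true rainbow chains, and the PBKDF2 iteration count is an assumed value.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for the plaintexts an attacker tables up in advance.
# A plain hash -> plaintext dictionary is used instead of true rainbow chains; the lesson
# (precomputation works against unsalted hashes and fails against salted ones) is the same.
CANDIDATES = ["password", "1234556", "letmein", "qwerty", "Summer2019!"]
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor, an assumed value; tune per deployment

def build_lookup_table(candidates):
    """Attacker side: precompute unsalted SHA-256 of every candidate, keyed by hash."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}

def lookup(table, stolen_hash):
    """Attacker side: a stolen unsalted hash is recovered with one dictionary probe."""
    return table.get(stolen_hash)

def hash_unsalted(password):
    """Weak storage: fast, unsalted hash; equal passwords give equal hashes everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password, salt=None):
    """Hardened storage: random per-user salt plus a slow KDF, stored as 'salt$digest'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_salted(password, stored):
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)

def demo(password="1234556"):
    """Probe the table with the unsalted hash and with the salted digest of one password."""
    table = build_lookup_table(CANDIDATES)
    unsalted_hit = lookup(table, hash_unsalted(password))
    salted_hit = lookup(table, hash_salted(password).split("$")[1])
    return unsalted_hit, salted_hit  # ('1234556', None)

if __name__ == "__main__":
    print(demo())
```

The unsalted hash is recovered instantly because it is the same for every user and every site; the salted digest never appears in any table built before the salt was drawn, and the slow KDF makes building one afterwards expensive.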
Choosing Better Authentication Methods
Try to stop cyberattacks at the source. You might want to trade the taxing task of creating, remembering, and resetting complex passwords for better, faster, and more secure authentication methods that don’t involve passwords.
- 2FA: Two-Factor Authentication (2FA) is an immensely popular authentication method. According to Verizon’s data breach report, 80% of data breaches could be eliminated by the use of 2FA. This is how 2FA works: two independent credentials are validated before access to an application or system is granted. For instance, an employee may use security questions (one factor) and an OTP (second factor) to validate his/her identity. 2FA creates a second security barrier, making it twice as hard for an attacker to break in.
- Biometrics: thanks to ever-advancing technology, biometric authentication has found its niche in the digital world. According to IBM’s Future of Identity Study, biometrics are becoming mainstream: 67% of respondents said they are comfortable using biometrics, and 87% will be comfortable with the technology in the near future. The user’s unique attributes, such as fingerprint, face, voice, or retina, are recorded by the biometric system, and these attributes become their password, which is almost impossible to hack or steal.
- WebAuthn: for all those who use web applications, this is possibly the best way to authenticate yourself on the web. The FIDO Alliance and the W3C (World Wide Web Consortium) approved WebAuthn as a standard for passwordless login. You can safely access your web applications with security keys, biometrics, or Trusted Platform Modules (TPM). All the major web browsers today support WebAuthn.
Finally, the idea of having passwords was to create a security barrier between digital identities and cyber attackers, an idea that worked very well during the formative years of the web. However, with evolving technologies and speedy digitization, a password can now be a gateway to massive cybercrime rather than a security measure.
So, if you believe that you don’t have to explore other authentication methods because your password is long and complex, you might want to think again!