Passwords have long been the first line of defence against cyber intruders. They’re one of the oldest software security tools, and they’ve been used offline since ancient times – but the reality is that in today’s environment, relying solely on a password to protect your data just won’t cut it.
Here’s how passwords are being exposed by cybercriminals, and what you can do to protect your data in a world where your magic word has lost its meaning.
The hard word
When it comes to cybersecurity, most people and organisations are only as good as their word – and that’s proving to be a problem. Inadequate password management has become a gift for cybercriminals, with roughly 80 per cent of hacking-related breaches involving stolen, weak or easy-to-crack passwords.
That’s partly because we keep choosing the same ones. An analysis of over five million leaked passwords revealed that 10 per cent of people are using one of the 25 worst passwords. And we’re not just talking about your old Hotmail account here – high-ranking executives and business owners still struggle with password security, with a recent study revealing that ‘123456’, ‘qwerty’, and yes, ‘password’, all rank among the five most popular passwords for CEOs and C-level executives.
The same study revealed that many high-ranking executives use their own names as passwords, with Tiffany, Charlie, Michael and Jordan among the most popular name-themed passwords.
It’s no surprise that our passwords are so predictable. Passwords are meant to be remembered, after all, which leads us to rely on familiar or significant phrases. But this means that while cybercriminals are becoming increasingly sophisticated, our passwords continue to be limited by the constraints of human memory and sentimentality.
And no, replacing ‘password’ with ‘pa$$w0rd’ won’t fool anyone. Enough people have replaced the same letters in the same words with the same digits and symbols by now that password-cracking tools apply those substitutions automatically, so doing so won’t make your password any less hackable.
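As an added illustration (not part of the original article, and not Cryptoloc’s code), here is a sign-up check in JavaScript that refuses a password if it is a deny-listed word with digits or symbols swapped in for letters, or with a few digits or symbols tacked on the end. The deny list is a small constructed sample, and the minimum length and the “at least half literal” rule are assumptions for the example:

```javascript
// Added example, not from the article: a sign-up check that refuses passwords
// which are just a deny-listed word with the usual digit/symbol substitutions
// (or a few digits/symbols tacked on). Deny list and thresholds are constructed
// for illustration; a real deployment loads a large breached-password corpus.

const DENY_LIST = [
  'password', 'qwerty', '123456', 'letmein', 'iloveyou', 'welcome', 'admin',
  'tiffany', 'charlie', 'michael', 'jordan',   // the name-passwords the article mentions
];

// True if `candidate` equals `word` once every digit or symbol in the candidate
// is read as a stand-in for the letter `word` has at that position. Requiring
// at least half the characters to match literally stops all-digit or all-symbol
// strings from "matching" every word of the same length.
function looksLike(candidate, word) {
  if (candidate.length !== word.length) return false;
  let literal = 0;
  for (let i = 0; i < word.length; i++) {
    const c = candidate[i];
    if (c === word[i]) literal++;
    else if (/[a-z]/.test(c)) return false;   // a different *letter* is a genuinely different word
  }
  return literal >= Math.ceil(word.length / 2);
}

// Returns the deny-listed word the password is a variant of, or null.
function deniedForm(password) {
  const lower = password.toLowerCase();
  // Also try the form with leading/trailing digits and symbols removed: 'Password123!' -> 'password'
  const forms = new Set([lower, lower.replace(/^[^a-z]+|[^a-z]+$/g, '')]);
  for (const form of forms) {
    if (form === '') continue;
    for (const word of DENY_LIST) if (looksLike(form, word)) return word;
  }
  return null;
}

function checkPassword(password) {
  if (password.length < 8) return { allowed: false, reason: 'shorter than 8 characters' };
  const hit = deniedForm(password);
  if (hit) return { allowed: false, reason: `variant of deny-listed "${hit}"` };
  return { allowed: true, reason: 'ok' };
}
```

With this check, ‘pa$$w0rd’, ‘P@33w0rd’ and ‘Password123!’ are all rejected as variants of ‘password’, and ‘Tiffany2024!’ as a variant of ‘tiffany’, while a long passphrase that matches nothing on the list is allowed.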
It’s also human nature to reuse the same passwords across multiple accounts. Again, we’re talking about phrases that you’re supposed to be able to remember. But this becomes more and more of a problem with every increasingly common data leak, as cybercriminals now have access to billions of old passwords.
This has led to a cybercrime tactic called ‘credential stuffing’, in which hackers take usernames and passwords acquired from past breaches and try them out on other accounts. These credential stuffing attacks now make up nine in every 10 login attempts on major retail sites. Essentially, if a cybercriminal can get hold of a single password, it puts every business and personal account using that same password at risk.
Of course, even if a user comes up with a truly unique password for each of their accounts, human error can still come into play through phishing scams. This is a type of social engineering scam in which a cybercriminal uses a fraudulent, but convincing, email message or website to trick a user into giving up their password – and if one of these scammers targets your business, it can lead to an incredibly costly data breach.
With all of these attack vectors taking advantage of passwords, it’s clear that additional security measures need to be put in place.
A world without passwords?
Countermeasures to the inherent weaknesses of passwords have included password managers (software applications that generate a different random password for every account and store them in an encrypted database, removing both the reuse problem and the need to remember anything beyond one master password), and multi-factor authentication, a security measure that requires two or more proofs of identity before a user is granted access.
Multi-factor authentication requires two or more of: something the user knows (such as a password), something they have (such as a card, token or phone), and something they are (a biometric, such as a fingerprint), so that knowing a user’s password alone isn’t enough to gain access to their account.
On 5 May 2022 – World Password Day, no less – we may have come closer to a world without passwords, with Apple, Google and Microsoft joining forces to announce their support for a passwordless sign-in standard across all of the mobile, desktop and browser platforms they control.
The FIDO sign-in standard (the credentials are called passkeys, and the web-facing part is WebAuthn) works by creating a separate cryptographic key pair for each account you register. This is a matched pair of keys: a private key that stays on your device, and a public key that the website stores. To sign in, the site sends a fresh, one-off challenge; your device signs it with the private key, and the site checks the signature using the public key it holds. The signature also covers the address of the site that asked for it, so a passkey for one site cannot be used to sign in to a look-alike site – which is what makes the scheme resistant to phishing.
Under Apple, Google and Microsoft’s plan, your private key would be held on your smartphone (and, under the announced plan, synced to your other devices through your Apple, Google or Microsoft account, so losing the phone doesn’t lose the keys), which would become the authentication device that enabled you to unlock your online accounts.
You’d take the same action you take multiple times every day to unlock your phone – whether that’s a PIN, a fingerprint, or a face scan – and you could then use your private key to sign into any participating account on that device (or any other nearby device, via Bluetooth) without entering a password.
So, for instance, you could unlock your Apple device and then use your private key to sign into an account on a Google Chrome browser that’s running on Microsoft Windows.
The announcement has been greeted with some scepticism – predictions about the demise of the password have been circulating for at least a decade, and developers will still have to implement passkeys into their websites and applications before they can think about ditching passwords.
And while the plan would do away with the risks that are inherent to passwords, it shifts the risk to the device. By tying all of your personal and business accounts to keys on your smartphone, a cybercriminal who gets hold of the unlocked device, or the device together with your PIN, could potentially sign in to all of them and compromise your company’s security. The biometric itself is not the credential, though: a fingerprint or face scan only unlocks the key store on the phone and is never sent to the website, so a leaked fingerprint can’t be used remotely the way a leaked password can. (And while it’s true that you can’t change your fingerprint, a passkey that is suspected of being compromised can be revoked and re-issued just as a password can.)
But with Apple, Google and Microsoft throwing their collective weight behind the plan, it looks likely to go ahead, even though a specific roadmap has yet to be revealed.
Three keys to rule them all
While the world’s biggest tech companies are now embracing the possibilities of cryptographic keys in place of passwords, Cryptoloc already uses our patented three-key encryption technology to secure our users’ sensitive data.
Encryption renders stolen data worthless to anyone who gains access to it without authorisation. It is not mere obfuscation: it transforms data under a secret key so that, without the right key, the result is unreadable and reveals nothing useful, and with the key it can be reversed exactly.
While most encryption solutions use only one algorithm and two keys, Cryptoloc’s unique technology combines three different encryption algorithms into one multilayer process, and requires three different key pairs to decrypt protected data.
This three-key encryption technology has been deployed across a wide range of applications, and can be seamlessly integrated into existing systems, including Microsoft Outlook and Salesforce.
Built for a world without perimeters, it enables data to be stored and shared, without risk of corruption, manipulation or theft, via a shared digital ledger environment that permanently records the history of each individual piece of data.
And yes, it does require a password to access – but in this case, password authentication simply acts as an extra layer of security on top of the user’s private key, rather than acting as an access-all-areas pass in its own right.
As a result of our unique approach, no Cryptoloc product has ever been breached – and in an environment where breaches are becoming costlier and more common, that’s the level of protection it takes to protect your data.
Unless, of course, you want to take your chances with ‘P@33w0rd’. No chance the cybercriminals will see through that one…