The biggest cybersecurity news of 2021, of course, is that it’s the 60th anniversary of the computer password’s invention, right? Sure, a major U.S. oil pipeline got hacked, and the hybrid workforce is redefining enterprise security. Yet, these are clearly small potatoes compared to this enormous milestone for the password.
OK, maybe you didn’t know the password turned 60 this year. You probably wouldn’t offend anyone if you didn’t care, either. After all, most of us have a complex relationship with passwords.
On the one hand, we depend on them to secure most of the digital technology we use. On the other hand, 80% of cyber-attacks are directed at passwords. Passwords are necessary yet highly susceptible to compromise, and recently, technology firms have even discussed doing away with them altogether.
But our relationship with passwords wasn’t always like this.
A Brief History of Passwords and Cracking Them
The year was 1961, and Massachusetts Institute of Technology (MIT) computer scientist Fernando Corbató had a problem on his hands. How could he protect private files on MIT’s Compatible Time-Sharing System (CTSS) while professionals shared use of the early operating system? What was to stop one CTSS user from stealing a different user’s private files?
“Putting a password on for each individual user as a lock seemed like a very straightforward solution,” Corbató told Wired magazine in 2012. Thus, a hallmark of computing was born.
These days, passwords are ubiquitous – a cybersecurity firm estimated in 2017 that over 300 billion passwords would be in use by 2020. But following its invention, the password saw limited use for the next 30 years. That changed with the rise of the world wide web in the 1990s, which generated large amounts of sensitive information that required password protection.
It was around the 1990s, too, that brute-force attacks became a popular method of cracking encryption. A brute-force attack is just what it sounds like: repeatedly guessing different keys or passwords for a secured account until the correct one is found. Brute-force attacks proved to be just as useful for cybercrime as they are for cryptography – a 2016 brute-force attack on Chinese eCommerce platform Taobao compromised about 20.6 million accounts on the platform.
Brute-force attacks are successful partly because people are terrible at picking sound passwords – 23.2 million cyber-attack victims worldwide used ‘123456’ as a password. People also reuse their weak passwords on many different services, and schemes like credential stuffing and password spraying attacks have developed from traditional brute-force attacks to take advantage of the public’s careless password habits.
Manipulating the System
At some point, hackers realized a fundamental truth about most people: they’re easily manipulated. This simple idea gave rise to a more subversive kind of cyber-attack: social engineering. These schemes manipulate people – not machines – into divulging confidential information, such as their passwords.
Social engineering schemes come in multiple forms. For example, in 2020, hackers posing as Twitter IT support professionals tricked Twitter employees into logging into a fake IT site and used their stolen credentials to access Twitter’s internal systems. A different social engineering scheme saw hackers infiltrating a Slack channel at EA in June 2021 and manipulating an IT support professional into giving them a multi-factor authentication token to access EA’s corporate network.
While bad actors still use brute-force attacks, cyber-attacks such as social engineering, credential stuffing and password spraying are more enticing hacking schemes for three reasons.
First, these schemes prey on human vulnerabilities rather than a machine’s. The EA hackers told the EA support professional that they’d lost their phone at a party – without any secondary authentication measures in place, why shouldn’t the support professional have believed them?
Second, they’re efficient – attackers can send out lots of social engineering attacks at once. For example, the Taobao brute force attack lasted from mid-October to November 2016, but the EA hack took a few hours. Likewise, a password spraying attack can use a shortlist of the 100 most common 10-character passwords and wait for a hit.
Lastly, social engineering schemes easily bypass traditional defenses. If an attack doesn’t involve a malicious payload like ransomware, legacy technology will often struggle to identify it. As effective as most cybersecurity software is, it can’t detect a well-told lie.
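The three credential attacks discussed above leave different fingerprints in an authentication log, and that difference is what a defender can key on. As an added illustration (not part of the original article), here is a small Python detector that separates them: brute force (one source, one account, many failures), password spraying (one source, many accounts, one or two tries each) and credential stuffing (many sources, one try each against distinct accounts, which no per-source threshold catches on its own). The log format, addresses, user names and thresholds are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = (
    # 203.0.113.5 hammers a single account: classic brute force
    [f"2021-09-15T10:00:{i:02d}Z LOGIN_FAIL user=bob src=203.0.113.5" for i in range(12)]
    # 198.51.100.7 makes one guess each against many accounts: password spraying
    + [f"2021-09-15T10:01:{i:02d}Z LOGIN_FAIL user={u} src=198.51.100.7"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"])]
    # 192.0.2.9 is a real user who mistyped once and then got in
    + ["2021-09-15T10:02:00Z LOGIN_FAIL user=erin src=192.0.2.9",
       "2021-09-15T10:02:10Z LOGIN_OK user=erin src=192.0.2.9"]
    # six different addresses, one attempt each on distinct accounts: stuffing from a botnet
    + [f"2021-09-15T10:03:{i:02d}Z LOGIN_FAIL user={u} src=203.0.113.{100 + i}"
       for i, u in enumerate(["ivan", "judy", "mallory", "niaj", "olivia", "peggy"])]
)

# Assumed log line layout: "<timestamp> LOGIN_OK|LOGIN_FAIL user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")


def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, outcome, user, src = m.groups()
        events.append({"ts": ts, "ok": outcome == "LOGIN_OK", "user": user, "src": src})
    return events


def classify_sources(events, min_failures=5, spray_min_users=5, spray_max_per_user=2):
    """Per-source verdicts. Thresholds are illustrative assumptions, not tuned values."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    for e in events:
        if not e["ok"]:
            fails[e["src"]][e["user"]] += 1
    verdicts = {}
    for src, per_user in fails.items():
        total = sum(per_user.values())
        if total < min_failures:
            verdicts[src] = "benign"
        elif len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            # many accounts, very few tries per account: the spraying signature
            verdicts[src] = "password_spray"
        elif len(per_user) <= 2:
            # many tries concentrated on one or two accounts
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "suspicious"
    return verdicts


def stuffing_indicator(events, min_sources=5):
    """Credential stuffing spreads one guess per account over many addresses, so each
    source stays under the per-source threshold. Count sources that failed exactly once
    and never logged in successfully, and how many distinct accounts they hit."""
    failed_users = defaultdict(list)
    succeeded = set()
    for e in events:
        if e["ok"]:
            succeeded.add(e["src"])
        else:
            failed_users[e["src"]].append(e["user"])
    single = {src: users[0] for src, users in failed_users.items()
              if len(users) == 1 and src not in succeeded}
    distinct_targets = len(set(single.values()))
    return {
        "single_attempt_sources": len(single),
        "distinct_targets": distinct_targets,
        "flag": len(single) >= min_sources and distinct_targets >= min_sources,
    }


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for src, verdict in sorted(classify_sources(evs).items()):
        print(f"{src:16} {verdict}")
    print("stuffing:", stuffing_indicator(evs))
```

The per-source rules alone would call every botnet address "benign", which is exactly why the aggregate check in `stuffing_indicator` exists; in practice both would run over a sliding time window rather than the whole log, and the thresholds would be tuned to the environment's normal failure rate.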
The Debate That Won’t Abate
With about one million passwords getting stolen every week, it’s little wonder that companies – and users – are looking for alternatives. In fact, in a recent Specops survey of nearly 100 customers, almost 75% reported that they’re ready for the passwordless future.
After claiming over the past few years that the future would be passwordless, Microsoft announced the debut of passwordless sign-in for Microsoft accounts on September 15. Users can log into Microsoft apps and services using Microsoft Authenticator, Windows Hello, a verification code sent to one’s phone or email or a security key.
Other technology companies have also explored alternatives to passwords. Apple has incorporated facial and fingerprint identification into its iPhones. Google has allowed users of Pixel devices and Android 7+ devices to verify their identity with their fingerprint or screen lock instead of a password when accessing certain Google services.
Biometrics and MFA are certainly poised to reshape authentication across the cybersecurity sector. Does their use mean that the password’s death is imminent? Hardly.
As these authentication methods achieve more widespread adoption, cyber-attacks will adapt and evolve to efficiently steal this information. With MFA, cyber-attacks are likely to target weak second-factor authentication such as mobile codes and secret questions. As biometric technology grows more sophisticated, hackers have already started developing methods to compromise fingerprint, facial or retinal data. A facial recognition software company underwent a data breach in 2020, proving that the databases that store this critical data are vulnerable.
How would someone access secured services if their biometric data or MFA data got compromised? What if they simply lost their mobile device that was tied to MFA? Chances are, they would need to use a password as a backup means of authentication.
Predicting the Future
The transition from password-based authentication to passwordless authentication won’t be an overnight one. Too many networks, devices, systems and people currently rely on passwords for the technology to quickly vanish, and the more likely scenario is that something you know (passwords) and something you are (biometrics) will be the standard for the foreseeable future. 60 years from now, passwords will probably be different – but so will the rest of the technology world. In the meantime, passwords aren’t going away anytime soon.
So, put on your party hat, and let’s raise a toast to passwords. They aren’t perfect. We struggle to remember a lot of them. But they’ve dutifully guarded our accounts for the last 60 years, and they deserve some gratitude for it.
Happy 60th anniversary, passwords. Cheers!
Darren James Product Specialist, Specops Software