September 23, 2020

The Cost of Passwords

The story of the password starts in 1961, when Dr. Fernando Corbató utilized unique codes to secure file access on a large computer system known as the MIT Compatible Time-Sharing System. A year later, in 1962, the first mass breach occurred when then-PhD student Allan Scherr printed out all the system passwords in order to augment his computer time. Within months of its inception, the password mechanism was already revealing its weaknesses. 

If an attacker can dump the password database, then all passwords are rendered ineffective. If users utilize the same password across multiple accounts (and they certainly do), one breach can result in a total compromise of all their credentials, security, and private resources. Social security numbers, addresses, emails, tax documents, sensitive workplace materials, and bank account information-- all of these are pieces of information that are only one bad break away from falling into ill intentioned hands. 

What is the problem today?

Over the years, password attack methods ranging from brute force to phishing have evolved and are responsible for 81% of the breaches, according to the Verizon Data Breach Investigations Report. The FBI Internet Crime Complaint Center estimated that the sheer mass of password-related complaints they received in 2019 cost organizations $2.1 billion USD. In 2020, we expect these costs to continue to increase—27 billion credentials have already been stolen since the beginning of this year, notes Security Magazine.

There are further additional costs associated with undeclared breaches. Sources estimate that around 70% of the insider attacks go unreported, resulting in the average cost of an insider breach being approximately $600,000 USD per incident.

This data is especially relevant for organizations that rely on 3rd party services-- services that may not inform their clients that confidential information has been stolen. These organizations are left unaware that they’ve effectively been breached and are now vulnerable. 

An HDI survey reported that 30% of the support calls in the enterprise are tied to password issues or password resets. Using conservative figures, a 10,000-employee organization can easily spend $100,000 USD/year simply on password management issues. On the other end, attackers can access databases containing millions of stolen credentials for a fraction of this value, with databases being sold for prices as low as $100 USD.

There is also the hidden cost of loss of productivity: Support calls. Support calls to reset passwords take between 5 to 30 minutes to complete; employees are unable to engage in their work; customer satisfaction decreases and leads to an increase in the abandonment rate. TalkDesk reports that on average, 12% of the customers abandon their activity before they are connected to a support agent, directly impacting Net Promoter Score and business growth.

What are typical attacks against passwords?

Attacks vary in technical complexity and cost, from password spray attacks that can be easily automated to business email compromise using a combination of social engineering and malware to perpetrate fraud. Some of the most popular attacks are:

  •       Credential stuffing: The attacker loads a database of compromised credentials and replays them against the target system in the hopes that one of the credentials in the database matches a legitimate user.
  •       Password spraying: The attacker replays a list of commonly used passwords in the hope that one of them is being used by a legitimate user. It is estimated that 16% of the password attacks are performed using password spraying, states SentinelOne
  •       Brute force attacks: The attacker obtains an encrypted blob that contains credentials of interest (such as the SAM database) then it can use a computer rig to crack through the database until the passwords are revealed.
  •       Shoulder surfing: Attackers steal personal information or confidential information by peering over the target's shoulders. By its nature, it’s mostly used by insider threat actors.
  •       Copying Passwords: The attacker copies improperly stored passwords from physical media such as Post-its and password books.
  •       Phishing: The attacker impersonates a trusted contact and encourages users to click on links that are then used to ex-filtrate passwords using an exploit kit. 

OR

The attacker encourages the user to download a document that contains malware, which is then used to ex-filtrate the credentials. See this very comprehensive example here. Both methods of phishing are responsible for 70% of the attacks against passwords, as stated in the  Verizon Data Breach Investigations Report.

  •       Application vulnerabilities: The attacker detects and exploits lags in system and application patches, injecting  malware to ex-filtrate the credentials.
  •       Bribe: The attacker pays an insider to either obtain credentials on their behalf or perform malicious actions that allow the attacker to bypass corporate security.
  •       Negligence: This is a type of insider threat that isn’t willfully malicious. System misconfiguration or unprotected storage and credentials uploaded to code repositories are just some examples of negligence. 
  •       Extortion: The attacker has the possession of, or pretends to have, the possession of materials of a compromising nature, such as explicit photos, and uses that as leverage to obtain access to further information and/or obtain valid credentials.

How to protect your organization?

The best defense is to eliminate the password altogether. By using a passwordless, continuous authentication technology that replaces passwords with intelligent multi-factor solutions, you will prevent attackers from using any of the attacks described above. This approach allows the detection of unwanted behavior to distinguish legitimate users from threat actors and detects anomalies while insider threats are developing. Consider Acceptto’s cutting-edge It’sMe product, which embodies this passwordless principle and more.

Want to know more?

Contact us at  https://www.acceptto.com/passwordless/ to get more info.

passwords Passwordless