Auth & identity
September 8, 2022
Data breaches have been in the headlines for several years, representing a rational fear for many organizations. A data breach is when someone — typically a hacker — gains unauthorized access to sensitive or confidential information. Hackers may do this for numerous reasons, including damaging the organization or its reputation, selling the retrieved data, or making a social or political statement.
Most data breaches seek personally identifiable information (PII), such as Social Security numbers or other official identity information, bank or credit card details, and passwords that they can use to either monetize the attack directly or indirectly by compromising adjacent financial accounts that rely on those stolen credentials.
Additionally, there are two significant aspects that most breaches share:
In this post, we’ll examine how easily compromised passwords can lead to data breaches, go over some common password vulnerabilities, and ultimately review some best practices to keep your passwords and other sensitive data as secure as possible.
Compromised passwords are a top contributor to many recent large-scale breaches. This is unsurprising, as a password is often all it takes to authenticate into a system, application, or data store. Once a user authenticates successfully, there is little recourse.
That’s not to discount recent cybersecurity advancements that seek to improve how we protect electronic data. Traditional data center security includes some key security architecture, including network connectivity firewalls, virtual private network (VPN) connections, and encrypted tunnels for remote access. However, weak user authentication renders these measures all but useless.
As such, password-based authentication methodologies become a prime target for hackers.
So, how often do passwords become compromised? In brief, all the time. Below are just a few of the more well-known breaches whose common thread is a known password:
The above examples represent only a few of the more well-known security breaches, but there are countless undetected or unreported security incidents for each known occurrence.
There are many ways that bad actors can steal passwords. Moreover, they often use multiple strategies simultaneously.
Brute force is the technique by which an attacker uses a “guessing” approach to determine a password for a system or user account. Cybercriminals often use robust scanning or password-cracking tools that enable looping through many possible password combinations. These tools address the common tendency to include birthdays, family members’ names, and pets’ names in created passwords.
The more a hacker can find out about their target, the greater the amount of helpful information there is to attempt to gain access. Consider the security questions you must answer when setting up a new account. Usually, answering these questions can help prove your identity to reset a lost or forgotten password. Most questions relate to your likes or hobbies (favorite car brands, travel destinations, visited cities) and family or pet names.
The “silly” games we play on social media are a way to obtain such data. Even games that don’t directly ask for this type of information understand what types of prompts will most efficiently garner responses.
In addition to falling victim to social media schemes, people tend to reuse passwords in multiple apps and accounts. This means that if one site’s credentials leak, malicious actors can use the same credentials to access several accounts belonging to each individual.
Password theft is an umbrella term that takes many forms, including some of the previously mentioned scenarios. Complex passwords are more secure but challenging to remember but saving them in a sticky note or plain text file opens the possibility of password theft.
Another common type of password theft occurs through spam and junk phishing emails, which involves deceiving users into clicking a link that leads to a phony but often realistic-looking version of a legitimate website. The fake website is typically just a form to capture the user’s credentials when they believe they are logging in to the site or resetting their passwords.
Fortunately, there are plenty of ways to reduce the risks associated with compromised passwords.
In an ideal scenario, the password characters that a user enters are hashed and stored in a back-end identity database. Hashing encrypts a password into a string with a method that is extremely difficult to reverse engineer. The more complex the hashing mechanism (SHA, bcrypt), the harder it will be to break the code.
While this method is relatively secure, the encryption key used to hash passwords is static. This creates a vulnerability wherein deciphering the encryption key enables an attacker to decrypt any stored password. That’s where salting is useful. This process involves adding a series of randomly chosen characters to the password before hashing. This optimizes the security for the given credentials, as the hash will never be the same.
Moreover, it’s crucial to ensure you disable or delete inactive accounts. Leftover credentials are vulnerable targets for disgruntled employees or those with whom they may overshare. These unused accounts include employees who’ve left the organization but may also extend to those on temporary leave.
Additionally, integrating up-to-date security controls, such as validating security group memberships and ascribing to the principle of least privilege (PoLP), can significantly limit unauthorized access.
Multi-factor authentication (MFA) dramatically improves the integrity of password-only logins. Whereas traditional authentication combines a username and password, MFA relies on an additional method to prove your identity. The desired combination includes factors based on:
When you connect to an application (using a browser or a mobile app), using a powerful authentication solution typically follows this flow:
When a user’s account is stolen, it’s often the victim of a bot-powered credential stuffing attack. CAPTCHA challenges can be used to help combat bot traffic and attacks.
CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. Most people are familiar with the simple nature of these tests, but they pose a problem for most bots to solve.
In recent years, however, bots have become more adept at beating CAPTCHA tests in order to validate credentials and compromise accounts. Bots’ ability to consistently trick CAPTCHA stems from a key design flaw in the architecture –– the public key problem. Every major CAPTCHA system exposes its public key, making it easy for bots to scrape and submit the public key to one of these ‘CAPTCHA-solving-as-a-service’ companies.
Stytch has developed a CAPTCHA solution that removes the public site key from the equation, leaving users with the exact same experience, but making it impossible for bots to scrape and mass attack your application. Visit our Strong CAPTCHA product page or talk to an auth expert to learn more about how Stytch can help you stop bots on your application.
Stytch recently launched a completely rebooted Passwords solution that innovates from the ground up to uplevel security and user experience and protect against data breach.
Stytch’s Passwords solution also introduces novel security features like breach detection (powered by tools like HaveIBeenPwned) and a better strength assessment called zxcvbn (aka “lower qwerty”), which makes it easy for humans to generate passwords but hard for robots to crack them. We’re committed to making secure authentication that’s as frictionless as possible, so we leverage our Email Magic Link technology to reduce the steps from a traditional password reset.
Stytch also salts and hashes all passwords using Scrypt, before storing in an encrypted database that we manage. We wanted to ensure our Passwords solution is secure and built for performance — we decided on Scrypt in order to strike that balance.
Stytch offers a variety of solutions to ensure that password-dependent credentials are optimally secure. However, the ideal strategy for reining in password-related breaches is to remove passwords from the equation. Stytch’s passwordless approach is the ultimate weapon against compromised passwords, ensuring that your confidential information stays that way.
Stytch’s modular solution suite means that you can construct a passwordless approach best tailored to your product and your industry. For example, industries with stringent privacy standards such as Fintech and healthcare often benefit the most from enforcing OTPs as the primary mode of authentication and biometric validation or TOTP authenticator apps as the second factor.
The OTP provides security to the users, validating their identity by sending a message to their phone or email. This creates flexibility for the device type using the app. Biometrics, as the second factor, can be viewed as an additional layer of security, where the mobile app can only be opened and used from a given device.
For B2B saas applications like Slack and Microsoft Teams, it is often best to use a low-friction approach like Email Magic Links or OAuth. The email-based scenario provides an easy, low-friction authentication method, often used for full-desktop applications. Adding OAuth-based capabilities can also allow for single sign-on (SSO) integration with corporate credentials.
Data breaches pose a tremendous risk for any organization, with compromised passwords proving to be a prevalent issue. Luckily, numerous scenarios are available to help optimize the security of your application or system and the integrity of your users’ account credentials. But ultimately, the best way to prevent password theft is to go passwordless. No master hacker can steal what isn’t there.
If you’re interested in learning more about how Stytch can help you maximize your password security or transition to a passwordless approach, discover our full suite of authentication products at Stytch.com.
Sign up or talk to an auth expert to learn how you can improve conversion, retention, and security with Stytch.