In-brief: Password management is already a big challenge for consumers and businesses. That problem is poised to get much (much) worse, as the population of The Internet of Things explodes, a new survey finds.
Back in the early 2000s, technology providers like Microsoft and Sun Microsystems (now a part of Oracle) were fervently promoting the idea of single sign-on. With a bit of an assist from software, the thinking went, users could consolidate all of their various passwords for different applications, websites and Internet accounts into one. That way, organizations could mitigate the confusion and security (not to mention support) issues linked to password theft and loss.
Fast forward 15 years, and it’s clear the idea didn’t fly quite the way they expected. Just the opposite. A recent survey by the Pew Center found that 8 in 10 Americans simply memorize or write down their passwords, while a substantial minority (39%) solve the password complexity problem by reusing the same (or a very similar) password across accounts.
But there’s ample evidence that the days of memorizing passwords are coming to a close, with a new report estimating that there will be 300 billion passwords at risk of theft by 2020, driven by explosive growth of the Internet of Things. The trove of hackable passwords will pose a massive security risk for companies and users, security experts warn.
According to the report—a collaboration between Thycotic and Cybersecurity Ventures—more than 3 billion user credentials and passwords were stolen in 2016, with 8.2 million passwords being stolen every day—that’s about 95 passwords stolen every second, for those doing the math. Thycotic is a Washington-based provider of privileged account management solutions.
Moreover, the companies concluded that there is the potential for up to $6 trillion in cybercrime damages by 2021 due to the risk posed by the billions of passwords that will be online by then.
Companies polled in the survey said that the main culprit for this explosive password growth is the Internet of Things (IoT). A blip on the radar in the early Millennial period, the Internet of Things is a fast-expanding morass of security risk, connecting myriad devices that require credentials and passwords to the Internet and to one another, Joseph Carson, head of global strategic alliances at Thycotic, told The Security Ledger.
“Unfortunately, many of these new devices do not provide sufficient security, and most devices come with a hardcoded or default password that most fail to change,” he said. “While the IoT has introduced many new capabilities, it has failed to provide security and privacy by design. Security has been sacrificed for ease of use.”
Stories that document easily guessed or ‘hard coded’ passwords for accessing Internet of Things devices like cameras, digital video recorders, broadband modems and even connected medical devices are common. The security firm Trustwave this week called attention to a password bypass flaw that affects more than 30 models of broadband routers made by the firm Netgear. The flaw, which would enable an attacker to retrieve the administrator password from a Netgear router, may affect hundreds of thousands of devices globally, Trustwave’s SpiderLabs reported.
Other factors contributing to the password boom are new accounts being created for applications and social networks, all of which also need new credentials and passwords to protect them from unauthorized access, Carson added.
There are a number of security risks companies and users face when passwords are stolen. Recent research found that stolen passwords are used in most data breaches, allowing hackers access to sensitive and proprietary company information. Stealing passwords also can lead to identity theft, giving bad actors access to information that can be used for their own financial gain at a great cost to the victims.
Indeed, passwords often are the most vulnerable credentials targeted by hackers because they are easy to crack with software that automates the process of guessing passwords by exploring countless combinations in very short periods of time, the companies said in the report.
The human tendency for short memories and sheer laziness also inspires people to create the same password for numerous online and device accounts, leading to so-called “security fatigue” and making even more assets vulnerable by essentially giving hackers the “keys to the kingdom,” the companies said.
“When the average user has more than five passwords, they start reusing the same password across multiple accounts, which increases the risk [because] when one account has been compromised, it means all the accounts are exposed and vulnerable to unauthorized access,” Carson said. “We also need to address clearly what the best practices are for creating and managing passwords. And when you need to remember more than five, then you need to get a solution to protect and manage them.”
Knowing that password numbers will grow by such an order of magnitude, the question now is what can be done to mitigate risks and protect passwords from theft and other threats. The good news is that there is much, Carson said, but the problem is that companies historically have been slow to implement appropriate security controls to protect passwords.
“Ensuring that the passwords are not being stored on public-facing websites is something that should be a major priority, and the authentication and access process should ensure that encryption is used end to end, and that the password is stored in an encrypted format,” he said. “This at least makes it more difficult for an attacker to get access to the password, and if it is a good, encrypted password, it still means the value is less unless they can decrypt the password.”
Carson suggested some steps that companies can take to better protect all the passwords that will be coming online in the next few years. The first, basic one is to implement an IT policy for passwords that covers classification, access, auditing, controls, sharing, and password creation, among other security interests, he said. Using a password vault or privileged-account vault to protect and secure passwords also will make it much more difficult for attackers to elevate privileges, Carson added.