Why Are You Still Using Passwords When They’ve Already Been Hacked?

Donovan Blaylock II
April 29, 2019


It is hard to comprehend that we are still discussing passwords and their inherent vulnerabilities in 2019. With over 2 billion of the 4.2 billion people globally with internet access identified as having had passwords stolen, it boggles the mind that people still use simple passwords like “password” and expect to be secure.

10 Most Hacked Passwords

The National Cyber Security Centre (NCSC) in the U.K. worked in conjunction with Troy Hunt, an Australian cybersecurity expert who created the Pwned Passwords API, to analyze millions of breached accounts worldwide and determine the most common hacked passwords.

It is hard to believe that people still rely on grotesquely simple passwords that are consistently identified as the most hacked, but after sifting through the top 100,000 hacked passwords, the NCSC pointed to these 10 as the most hacked in a 2019 report:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 111111
  6. 12345678
  7. abc123
  8. 1234567
  9. password1
  10. 12345
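The practical defence against lists like the one above is to check every candidate password against a breach corpus at enrollment, which is what the Pwned Passwords API makes possible. The following is an added example (not code from the NCSC, Troy Hunt, SecureAuth or Acceptto) of how that k-anonymity range lookup works: only the first five hex characters of the password's SHA-1 hash are sent, and the client matches the remaining 35 characters itself, so the full hash never leaves the machine. To keep it runnable offline, the example answers range queries from a constructed local corpus of the ten passwords above with placeholder counts; the `make_local_fetcher` stand-in and the `enrollment_ok` policy are assumptions of this example, not part of the real service.

```python
"""Breached-password check modelled on the Pwned Passwords k-anonymity
range lookup: the client sends only the first five hex characters of the
SHA-1 hash and compares the remaining 35 characters locally."""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample corpus: the ten passwords from the NCSC list, with
# placeholder breach counts (these are NOT the counts the real service reports).
SAMPLE_CORPUS: Dict[str, int] = {
    "123456": 1000, "123456789": 900, "qwerty": 800, "password": 700,
    "111111": 600, "12345678": 500, "abc123": 400, "1234567": 300,
    "password1": 200, "12345": 100,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form the service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char hex digest into the 5-char prefix that is sent to the
    service and the 35-char suffix that is compared locally."""
    return digest[:5], digest[5:]


def build_range_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Server-side view of the corpus: hash suffixes grouped by 5-char prefix."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in corpus.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        index.setdefault(prefix, {})[suffix] = count
    return index


def make_local_fetcher(index: Dict[str, Dict[str, int]]) -> Callable[[str], str]:
    """Offline stand-in (assumption of this example) for
    GET https://api.pwnedpasswords.com/range/<prefix>, answering in the same
    'SUFFIX:COUNT' line format. A live deployment would issue the HTTPS request."""
    def fetch(prefix: str) -> str:
        lines = [f"{s}:{c}" for s, c in sorted(index.get(prefix, {}).items())]
        return "\r\n".join(lines)
    return fetch


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating blank lines."""
    result: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    Only the 5-char prefix is handed to fetch_range."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def enrollment_ok(password: str, fetch_range: Callable[[str], str],
                  min_len: int = 8) -> bool:
    """Example enrollment policy: reject short or known-breached passwords."""
    return len(password) >= min_len and breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    fetch = make_local_fetcher(build_range_index(SAMPLE_CORPUS))
    for candidate in ["password", "123456", "tangerine-kettle-harbour"]:
        print(candidate, breach_count(candidate, fetch), enrollment_ok(candidate, fetch))
```

Because the server only ever sees a five-character prefix shared by many unrelated hashes, the lookup reveals neither the password nor its full hash, which is why this check can be wired into a registration or password-change flow without creating a new leak.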

The bottom line is that if you are too lazy to come up with something somewhat creative, like concatenating three random words, you probably deserve to be hacked and have your data stolen, damaged or held for ransom.

A Band-Aid On Gangrene

For decades, software vendors believed that simply forcing regular password changes would solve the problem. But given the sheer number of stolen passwords globally, it is clear that this is a futile attempt to stop a tidal wave of harm.

This isn’t confined to small companies or isolated incidents; real issues pervade even companies with household names. According to the NY Post article, “Facebook Inc said on Wednesday it may have “unintentionally uploaded” email contacts of 1.5 million new users since May 2016, in what seems to be the latest privacy-related issue faced by the social media company.”

Now industry leaders in software development are finally acknowledging the futility of previous actions to protect passwords and application access. A recent article titled “Microsoft knows password-expiration policies are useless” reported:

“Microsoft admitted today that password-expiration policies are a pointless security measure. Such requirements are “an ancient and obsolete mitigation of very low value,” the company wrote in a blog post on draft security baseline settings for Windows 10 v1903 and Windows Server v1903. Microsoft isn’t doing away with its password-expiration policies across the board, but the blog post makes the company’s stance clear: expiring passwords does little good.

As the blog post explains, if a password is never stolen, there’s no need to expire it. And if a password is suspected to be stolen, you would want to act immediately, not wait until the expiration date. Forced updates also lead to more users writing their passwords down or forgetting them altogether. Plus, as Microsoft puts it, “if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.”

As the password problem gets more and more negative publicity, it is clear that previous approaches to solve this issue are tantamount to trying to cure gangrene with a simple band-aid. What is needed now is a fresh approach that eliminates passwords but also provides continuous protection with immutable authentication.

Biobehavioral Authentication Instead Of Passwords

Given that the definition of futility is doing the same thing and expecting a different result, it is time for you to stop the failed password strategy and move on to a new password-less solution of continuous authentication. Acceptto’s eGuardian engine continuously creates and monitors user behavior profiles based on the user’s interaction with the It’sMe authenticator. Every time an activity occurs, actionable intelligence is gathered and used to refine the user profile. eGuardian is capable of autonomously and continually learning new policies and adapting existing ones. While policies can still be manually defined and contribute to the computation, our Biobehavioral AIML approach automatically finds the optimal policy for each transaction. eGuardian leverages a mixture of AI & ML, expert systems and SMEs to classify, detect, and model behavior, and assign real-time risk scores to continuously validate your identity prior to, during and after authentication.

Check out what Acceptto can do to ensure your employees, partners and customers can authenticate without passwords while still ensuring security and privacy by registering for a free demo today.
