The Infinite Life of Your Password

It is well known that passwords do not offer the best protection for sensitive data. Discover the possible consequences if a hacker cracks your password.

Jul 5, 2023 - 3 min.

Would you share the password to your Amazon account with me? What’s that? You don't share your passwords? Not even with your partner? Can you even remember your Lycos password or your eBay password? A secure password is widely regarded as a guarantee for the security of various online accounts, applications, networks and other services. Yet identity theft is one of the most popular methods cybercriminals use to make a quick buck. And it doesn’t end there. Many users make it easy for hackers to get hold of coveted passwords.

However, large-scale cyberattacks designed to obtain vast quantities of access data from companies are not uncommon either. Here too, diverse methods are deployed – from attacks via botnets to man-in-the-middle attacks all the way to the use of Trojans. Criminals can then sell the sensitive data they harvest, for example, on the dark web. Alternatively, the data can be used to trigger financial transactions or purchase goods with a ‘fake’ identity. Read on to learn how you can protect yourself against identity theft and why you should NEVER rely on a password.

The password problem 

A password is usually a string of characters consisting of letters, numbers and, ideally, special characters. In conjunction with a user ID, it identifies and authenticates a person to a computer, service, application, network or website. It is also used to prevent access by unauthorised persons. A password should only be known to the user and the system.

However, choosing a password as perhaps the only security measure presents two major problems. First, many users make it too easy for themselves – thereby creating a security problem. According to a study conducted by Aberdeen Strategy & Research in collaboration with Nevis, many users exhibit poor judgment when choosing a password. Despite warnings to the contrary, most passwords still contain fewer than ten characters and are used across multiple accounts in 52 per cent of cases. To make matters even worse, 13 per cent of users use the same password for all their accounts and applications. The most popular combinations are ‘123456’, ‘password’ and ‘abc123’. Easy-to-crack fantasy words are also popular (32 per cent), as are birthdays or pet names (21 per cent). On the other hand, long and secure combinations are only used in 11 per cent of cases.

The current Nevis Security Barometer reveals that users want the highest degree of data protection. Just five per cent of respondents are careless with their personal data. 

Most users worry about the misuse of their data or the theft of their internet identity and, therefore, their user accounts.

The following scenario illustrates why the use of passwords is not secure. 

When it takes on a second life, a password becomes a threat 

There are many different ways in which cybercriminals can steal your identity or password. In most cases, the attack is conducted in several stages.

Brute force attacks are still very popular among hackers. At almost 20 per cent, they are the third most common attack vector because they so often succeed. With 21 per cent of respondents in the Aberdeen study indicating that they use their pet's name, a cybercriminal can proceed as follows. They search your posts on popular social media platforms and find photos of your cat, under which you may have posted something like: ‘Minki turned three today’. The hacker now tries your cat’s name with the date of birth in different accounts. Since 52 per cent of respondents often use the same passwords, the probability increases that the criminal will hit the jackpot across multiple accounts.

They then progress to the second stage of the attack, where they can take control of your identity and accounts. This is what’s known as an account takeover.

Once a cybercriminal has taken over your account, they can easily access additional data such as your credit card number or your exact address – but can also complete contracts in your name, order goods or services and much more. Often, this only becomes apparent when funds are debited from your account. If you fail to react quickly enough and raise an objection with the retailer, the fraudster will already have received the goods. Fraudsters can then also change your access data – making it even more difficult to stop the fraud.
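Where passwords are still in use, a service can screen new passwords at sign-up for exactly the weaknesses described above: fewer than ten characters, the popular combinations, and values built from publicly visible details such as a pet's name and a date. The following Python code is an added example, not part of the original article or of any Nevis product; the function names, the `personal_tokens` and `personal_dates` parameters, the assumed date formats and the sample date are assumptions made for illustration.

```python
import re
from datetime import date

# The three most popular combinations named in the article.
COMMON_PASSWORDS = {"123456", "password", "abc123"}
MIN_LENGTH = 10  # the article flags passwords with fewer than ten characters

# Undo common character substitutions so "M1nk!" still matches "minki".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample profile: the pet name from the article, an invented date.
SAMPLE_NAMES = ["Minki"]
SAMPLE_DATES = [date(2020, 7, 5)]


def date_fragments(d):
    """Digit strings people commonly derive from a date (assumed formats)."""
    yyyy, yy = f"{d.year:04d}", f"{d.year % 100:02d}"
    dd, mm = f"{d.day:02d}", f"{d.month:02d}"
    return {yyyy, dd + mm, mm + dd, dd + mm + yy, dd + mm + yyyy, yyyy + mm + dd}


def screen_password(candidate, personal_tokens=(), personal_dates=()):
    """Return the list of reasons to reject `candidate` (empty list = accept)."""
    reasons = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than ten characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("popular combination")
    # Names (pet, partner, user ID): compare on letters only, after un-leeting.
    letters = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    for token in personal_tokens:
        t = re.sub(r"[^a-z]", "", token.lower())
        if len(t) >= 3 and t in letters:
            reasons.append(f"contains personal name '{token}'")
    # Dates (birthdays): compare on the digits actually typed.
    digits = re.sub(r"\D", "", candidate)
    for d in personal_dates:
        if any(frag in digits for frag in date_fragments(d)):
            reasons.append(f"contains date {d.isoformat()}")
    return reasons
```

A check like this only sees the details the service already holds about the user, so it complements rather than replaces blocking reused or breached passwords.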

Prevention techniques to stop identity theft

The easiest way to prevent identity and password theft is to dispense with passwords. Passwordless authentication is a method of verifying a person’s identity without the user having to remember a password. This approach can also be integrated with secure multi-factor authentication (MFA). For example, a user can authenticate to a system with FIDO-compliant passkeys and a biometric feature such as a fingerprint.

When companies offer their users this option, their customers’ accounts are better protected and the customers also get a seamless user experience. As a result, passwordless authentication is the way forward for data security.

 

Security meets customer experience – the benefits of CIAM