Passwords were used in the Roman military by sentries as a method of access control to restricted areas. Challenge-response phrases were used by the American 101st Airborne Division in World War II, by presenting the challenge "flash" with the desired response being "thunder".
In 1961 Fernando Corbató, an MIT professor, first implemented the password in a computer system called the Compatible Time-Sharing System (CTSS), an operating system used by researchers. In the 1970s Robert Morris first implemented password hashing as part of the UNIX operating system.
In the mid-1990s, when the internet started taking off, passwords became an integral part of our day-to-day online life. Despite global efforts that include the largest tech giants (e.g., the FIDO Alliance), passwords are still the most common method of online access control.
The good
Although extremely outdated, passwords have one significant advantage – they can be used from almost any device, assuming a physical or virtual keyboard is present. Technologies such as one-time passwords, tokens or fingerprints provide a much better user experience, but they still require the device to be present for the verification to take place.
Another important upside of passwords is preserving user privacy: since passwords are not considered Personally Identifiable Information (PII), they can be stored in the cloud or on-prem, assuming proper security measures are taken such as hashing and salting.
Assuming we are the type of people that "look at the full half of the glass", password sharing can be considered a good thing in some cases, for example if you need to grant your spouse access to your email or bank account. In general, though, it is best to grant such access beforehand using proper authorization mechanisms that grant multiple users access to a single account or resource.
The bad
Where should we begin? Generally speaking, passwords are a lose-lose situation for both the enterprise and the end users. This includes, but is not limited to, poor security, poor user experience and a high operating and maintenance cost.
Security-wise, passwords suffer from a multitude of attack vectors that, in most cases, can be mitigated by sticking to security best practices and proper employee training.
Data leakage: There are many different reasons why hackers gain access to restricted data - from unpatched vulnerabilities in the OS to misconfigured cloud instances. Eventually someone bad will get to our data, so we need to make sure we follow security best practices. With passwords this usually means hashing, since passwords should never be stored as plain text. But hashing alone is not enough, as it opens up the hashed passwords to a "rainbow-table" attack, which uses a precomputed table for reversing hashes. Therefore, hashing should always be done using a "salting" mechanism: a random, per-user piece of data (the salt) is added to the password before hashing and stored alongside the hash. This significantly increases the effort required to attack the harvested password hashes at scale, because a precomputed table no longer applies and every user's hash has to be attacked separately.
Phishing websites: An extremely common attack vector, typically done by sending a link and redirecting the user to a "fake" website that in most cases looks identical to the naked eye. The unsuspecting user inputs their credentials and poof… Their username and password are suddenly for sale on the dark web, a dime a dozen. There are many elaborate and highly sophisticated tools to handle these attacks, from automatically taking down these websites to computer-vision tools that distinguish between a real and a fake website. But in many cases, nothing beats good old employee training and guidance, which are an integral part of the anti-phishing arsenal. Now you might say something like, "But hey, I've got 2FA, I'm safe!". Well, guess again, especially if you're using SMS OTPs. More on that in the next chapters.
Weak and re-used passwords: Some websites go to such great lengths with their password complexity requirements that it can take several minutes just to come up with a password, let alone memorize it without writing it down. At the end of the day we are humans, and we were not programmed to memorize random letters, which is why most users choose easy-to-memorize passwords and also re-use them across accounts. Now, I feel pretty comfortable with Google safeguarding my password with proper salting and so on (should I?). But what about that questionable eCommerce website I signed up to using the same password? It just so happens that they did not properly configure their cloud's security settings and forgot to "spice up" their passwords. You get the picture. In other cases, people use easy-to-remember passwords; the three most common passwords are "qwerty", "password" and "111111". This opens them up to dictionary attacks, which essentially try a predetermined list of commonly used passwords against every account.
So, what can you do? Don't re-use passwords, require your users to generate complex passwords and don't forget to turn on 2FA!
Setting aside security, passwords also fall short in user experience and can lead to lost business and transaction abandonment by frustrated users who are required to manage numerous accounts. Eventually these users will have to go through the tedious "account recovery" process, which is also extremely insecure. As the cherry on top, add the high operating costs of managing and resetting passwords - Forrester research estimates that the average cost of a single password reset done by a help desk is about $70, while Gartner estimates that 20% to 50% of all help desk calls are for password resets.
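The two defensive measures discussed above (salted, slow hashing from the "Data leakage" section and rejecting dictionary-attack candidates from the "Weak and re-used passwords" section) are easy to get wrong in practice, so here is a small, added example of a registration and login flow that does both. This is illustrative code written for this article, not Verifyoo's code or any product's implementation. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the slow hash (the iteration count is an assumption matching current OWASP guidance), and the deny list of common passwords is a constructed stand-in for a real breached-password corpus. The `unsalted_hash` function is included only to show why hashing alone fails: two users with the same password get the same digest, which is exactly what a rainbow table exploits.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed deny list: the three passwords named in the article plus a few
# more. A real deployment would check against a large breached-password corpus.
COMMON_PASSWORDS = frozenset({"qwerty", "password", "111111", "123456", "letmein"})

# Assumption: work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
MIN_LENGTH = 12


def is_weak(password: str) -> bool:
    """Reject passwords a dictionary attack would try first."""
    return len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS


def unsalted_hash(password: str) -> str:
    """The 'hashing alone' scheme the article warns about.

    One fixed mapping from password to digest, so identical passwords produce
    identical digests and a precomputed (rainbow) table reverses all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash with a fresh random salt per user.

    The salt is not secret; it is stored next to the digest so that verification
    can recompute the same value. Output format: algo$iterations$salt_hex$digest_hex.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking where the digests first differ.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(users: Dict[str, str], username: str, password: str) -> bool:
    """Store only a salted hash, and refuse passwords on the deny list."""
    if is_weak(password):
        return False
    users[username] = hash_password(password)
    return True


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Verify credentials without revealing whether the username exists."""
    stored = users.get(username)
    if stored is None:
        # Burn the same amount of work as a real check so response time does
        # not tell an attacker which usernames are valid.
        hash_password(password)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    db: Dict[str, str] = {}
    print("register 'password':", register(db, "alice", "password"))
    print("register passphrase:", register(db, "alice", "correct horse battery staple"))
    print("login ok:", login(db, "alice", "correct horse battery staple"))
    print("login wrong:", login(db, "alice", "wrong-password"))
    # Same password, two users: unsalted digests collide, salted ones do not.
    print("unsalted equal:", unsalted_hash("qwerty") == unsalted_hash("qwerty"))
    print("salted equal:", hash_password("qwerty") == hash_password("qwerty"))
```

Note that the salt only defeats precomputation; the iteration count is what makes each individual guess expensive. Both are needed, and a leaked database of salted PBKDF2 hashes still falls to a dictionary attack for any account whose password is on the deny list, which is why the weak-password check runs at registration time.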
The ugly
A recent phishing campaign targeting Apple redirected users to a phony website that mimics Apple's account management platform, in an attempt to harvest credentials. Another recent phishing campaign is targeting the UK, in an attempt to execute mass credential harvesting.
In 2012, reports stated that 6.46 million hashed passwords of LinkedIn accounts leaked online and, you guessed it, they were "unsalted".
Another notable data leak was 7 million compromised Minecraft accounts, which were also "unsalted". Before you start thinking, "What's the worst thing that can happen with hijacked Minecraft accounts?", consider the fact that some of these passwords may have been re-used for additional accounts.
To sum it up, according to the Verizon Data Breach Investigations Report, 81% of breaches are related to weak or compromised passwords.
How can Verifyoo help you?
Verifyoo's DrawID solution "has its cake and eats it too" by keeping the main benefit of passwords without the weaknesses – enabling users to safely verify themselves from any device, without memorizing passwords. Aside from providing organizations and consumers a much more secure method of verification, Verifyoo also reduces the friction caused by forgotten passwords. Password friction not only leads to massive transaction abandonment by frustrated users, but also incurs the high operating costs of resetting these passwords through frequent help-desk calls, knowledge-based questions and other means that have proven to be inefficient and insecure.
Read the next article in the series here: https://verifyoo.blogspot.com/2020/02/one-time-passwords.html
For more information visit: https://www.verifyoo.com
To schedule a demo: https://www.verifyoo.com/Verifyoo/#contact-section