The total universe of passwords is likely to grow from approximately 90 billion today to 300 billion by 2020, so organizations across the world face a rapidly growing cyber security risk from compromised user and privileged accounts. Charged with defending enterprise customers, employees, Internet of Things (IoT) devices and, most importantly, privileged account users from compromise and identity theft, cyber security professionals must raise awareness about protecting passwords and help change user behavior by leveraging more effective, automated IT solutions.
In spite of the considerable efforts to replace passwords, they remain the dominant form of authentication on the web and are likely to remain so. Some researchers argue that “no other single technology matches their combination of cost, immediacy and convenience” and that passwords are themselves the best fit for many of the scenarios in which they are currently used.
According to the Microsoft Secure Blog, four billion people will be actively online by 2020. Chances are most, if not all, of those people will need several user names and passwords as credentials for accessing multiple online accounts. Numerous IT industry reports estimate that users average as many as 36 passwords each. While there is no universal agreement on the number of passwords per user, this report takes 25 passwords per user as a conservative figure. Based on that assumption, Thycotic research estimates that by 2020 there will be at least 100 billion human passwords requiring cyber protection.
Plenty of Opportunities to Compromise Passwords
Passwords are often the credentials hackers target first. That is because passwords are typically easy to “crack”: software automates the guessing, trying enormous numbers of candidates (dictionary words, common patterns and exhaustive character combinations) in very short periods of time, so short or predictable passwords fall quickly, especially once a site’s hashed password database has leaked. Compounding the problem, many people use the same password for many of their online accounts as an easy way to remember it, so a single cracked password can unlock several accounts at once. Once cracked, these passwords give hackers the “keys to the kingdom,” allowing them to steal or manipulate proprietary information.
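To make the cracking and reuse described above concrete, here is an added example (not code from the report or from Thycotic) that runs a dictionary attack and then a short brute-force search against a constructed dump of unsalted SHA-1 password hashes, and then replays the recovered passwords against a second, constructed MD5 dump from another site. The usernames, passwords, wordlist and hash algorithms are all assumptions made for the illustration.

```python
"""Added example (not from the original report): how automated password
cracking works against a leaked table of fast, unsalted hashes, and why a
reused password turns one cracked hash into a second compromised account.
Both "leaked" tables, the wordlist and the hash algorithms are constructed
assumptions for this illustration."""
import hashlib
import itertools
import string

# Constructed dump from site A: username -> unsalted SHA-1 of the password.
SITE_A_SHA1 = {
    "alice": hashlib.sha1(b"password123").hexdigest(),
    "bob": hashlib.sha1(b"letmein").hexdigest(),
    "carol": hashlib.sha1(b"qzxw").hexdigest(),                 # short, not in any wordlist
    "dave": hashlib.sha1(b"Tr0ub4dor&3-Correct!").hexdigest(),  # long; survives both attacks below
}

# Constructed dump from site B: unsalted MD5. alice reused her site A password.
SITE_B_MD5 = {
    "alice": hashlib.md5(b"password123").hexdigest(),
    "bob": hashlib.md5(b"different-one").hexdigest(),
}

# Tiny constructed wordlist; real attacks use lists with hundreds of millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123", "welcome1"]


def dictionary_attack(hashes, wordlist, algo="sha1"):
    """Return {username: plaintext} for every hash that a wordlist entry reproduces.
    The dump is inverted once so each candidate costs one hash plus an O(1) lookup."""
    hasher = getattr(hashlib, algo)
    users_by_hash = {}
    for user, digest in hashes.items():
        users_by_hash.setdefault(digest, []).append(user)
    cracked = {}
    for word in wordlist:
        for user in users_by_hash.get(hasher(word.encode()).hexdigest(), []):
            cracked[user] = word
    return cracked


def brute_force(hashes, alphabet=string.ascii_lowercase, max_len=4, algo="sha1"):
    """Try every string over `alphabet` up to `max_len` characters, stopping early if
    everything is cracked. Returns ({username: plaintext}, guesses_made). The keyspace
    is sum(len(alphabet)**n), so each extra character multiplies the attacker's work."""
    hasher = getattr(hashlib, algo)
    remaining = {digest: user for user, digest in hashes.items()}  # one user per hash
    cracked, guesses = {}, 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            user = remaining.pop(hasher(candidate.encode()).hexdigest(), None)
            if user is not None:
                cracked[user] = candidate
                if not remaining:
                    return cracked, guesses
    return cracked, guesses


def reused_elsewhere(cracked, other_site_hashes, algo="md5"):
    """Replay passwords cracked from one breach against another site's dump.
    A match means a second account falls with no additional cracking effort."""
    hasher = getattr(hashlib, algo)
    return {
        user: pw
        for user, pw in cracked.items()
        if user in other_site_hashes
        and hasher(pw.encode()).hexdigest() == other_site_hashes[user]
    }


def run_attack():
    """Dictionary first (cheap), brute force on what remains, then check reuse."""
    cracked = dictionary_attack(SITE_A_SHA1, WORDLIST)
    leftovers = {u: h for u, h in SITE_A_SHA1.items() if u not in cracked}
    brute, guesses = brute_force(leftovers)
    cracked.update(brute)
    return cracked, guesses, reused_elsewhere(cracked, SITE_B_MD5)


if __name__ == "__main__":
    cracked, guesses, reuse = run_attack()
    print("cracked at site A:", cracked)
    print("brute-force guesses made:", guesses)
    print("same password also opens site B:", reuse)
    print("still uncracked:", sorted(set(SITE_A_SHA1) - set(cracked)))
```

Note the asymmetry: the dictionary pass costs six hashes, the four-letter brute force about 475,000, and dave’s long, non-dictionary password survives both, while alice’s reused password hands the attacker her site B account for free. A dump protected with a salted, deliberately slow password hash such as bcrypt or Argon2 would multiply the cost of every one of those guesses by orders of magnitude, which is the defender’s lever against this kind of attack.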
Companies on the Fortune 500 list in 2015, for example, employed a combined total of 27 million people. Thycotic experts estimate that in 2020 these employees will have an average of 90 accounts (a combination of business and personal) requiring login IDs and passwords. At 27 million employees with 90 accounts each, that puts the total number of passwords belonging to Fortune 500 employees at roughly 2.4 billion in 2020.
A report from the National Institute of Standards and Technology (NIST) found that most of the computer users it studied suffer from security fatigue, defined as a weariness or reluctance to deal with computer security. The study notes that average computer users felt overwhelmed and bombarded, and tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues. When asked to make more computer security decisions than they can manage, users experience decision fatigue, which leads to “security fatigue.”
Typical examples of security fatigue include being tired of remembering usernames, passwords and PINs, navigating multiple security measures, and being locked out of accounts after incorrectly entered passwords. The study also found that users believe safeguarding data is someone else’s responsibility, and users questioned how they could effectively protect their data when large organizations frequently fall victim to cyber-attacks.
Social Media Extends the Risks
Social media platforms have introduced significant risks through the extensive use of what are known as social logon (or social login) and application passwords. To spare users from remembering a separate password for every site, many sites let users sign in with an existing social media account, so a single logon is linked to many accounts. However, these platforms often share customer data with the linked applications without clear transparency to the user, and the social media password becomes the one credential standing in front of all of them.
The sharing of information on social media can often lead to identity theft, virtual kidnapping, or spear phishing against one’s friends, colleagues, or relatives. On many social media platforms it is also easy to create fake accounts or impersonate others. Furthermore, some people steal others’ photos and present them as their own, or use them for nefarious purposes such as placing someone else’s photo in an ad for an online hook-up site. On top of this, most social media users do not use multi-factor authentication for logging into social media sites, and many people use weak or reused passwords, putting their accounts at risk of being taken over by hackers.
Because many people reuse the same password across sites, or sign in to other sites with their Facebook or Twitter credentials, a breach at one site can easily lead to accounts being taken over at others; a takeover of one’s Facebook or Twitter account can in fact mean the compromise of many other accounts as well. And once a hacker controls a Facebook or Twitter account, the hacker can readily mount social engineering attacks on the victim’s colleagues, friends, and relatives. High-profile breaches alone add up to nearly 3 billion stolen credentials and passwords.
The Need for Privileged Identity Management (PIM) and Dynamic Security
In an ever-expanding threat landscape, properly protecting passwords often makes the difference between a contained incident and a catastrophe. Many companies today still sacrifice security for ease of use and rely on passwords alone to protect access to systems and privileged credentials. Thycotic research highlights the need to balance productivity, ease of use and security in a dynamic environment: when the threat is high, the security fence rises, and when the threat is low, it lowers automatically. Managing this dynamically, however, requires efficient use of threat detection and threat intelligence to track activity.
By combining digital identity, multi-factor authentication, biometrics, behavior analytics and privileged account controls, a company can build a dynamic security fence that uses a trust score for each digital identity to alert on, or challenge, access when behavior changes or becomes suspect. Companies can use internal trust definitions or external threat intelligence to determine when security controls should become more sensitive. For example, when a new variant of malware or ransomware emerges in the wild and exploits known vulnerabilities that have not yet been patched, the dynamic security measures can raise the sensitivity so that a privileged elevation request from an unknown source is blocked until additional security controls are cleared, such as peer review or an alternative approval workflow. Thus Privileged Identity Management (PIM) with Dynamic Security continuously checks trust levels, and when a user or system makes too many unusual or anomalous changes, the PIM system automatically challenges for additional identification of that human or system.
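Here is an added example (not Thycotic’s product logic, and not code from the report) of the dynamic fence described in the two paragraphs above, written in Python: each privileged elevation request is scored against the identity’s baseline, an external threat indicator sets how much risk may pass without friction, and the decision is to allow, to challenge for step-up authentication, or to hold for peer approval. The risk weights, thresholds, three-step threat-level scale, sample baseline and intel entries are assumptions invented for the illustration.

```python
"""Added example (not from the original report): a minimal dynamic security
fence for privileged-elevation requests. All weights, thresholds, the
threat-level scale and the sample data are assumptions invented for this
illustration; a real PIM deployment would learn baselines from history and
take threat levels from its own intelligence feeds."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """What 'normal' looks like for one identity (learned from history in practice)."""
    known_sources: frozenset      # IPs / device IDs this identity usually comes from
    usual_hours: range            # local hours in which the user normally works
    typical_changes_per_hour: int # privileged changes per hour that are routine


@dataclass(frozen=True)
class ElevationRequest:
    user: str
    source: str                   # IP address or device identifier
    hour: int                     # 0-23, local time of the request
    changes_last_hour: int        # privileged changes already made this hour
    mfa_passed: bool


# Assumed risk weights: each anomaly adds points; more points means less trust.
UNKNOWN_SOURCE = 45
OFF_HOURS = 20
NO_MFA = 15
PER_EXCESS_CHANGE = 15


def risk_score(req, baseline):
    """Sum the anomaly weights that apply to this request (0 = fully in baseline)."""
    risk = 0
    if req.source not in baseline.known_sources:
        risk += UNKNOWN_SOURCE
    if req.hour not in baseline.usual_hours:
        risk += OFF_HOURS
    if not req.mfa_passed:
        risk += NO_MFA
    excess = req.changes_last_hour - baseline.typical_changes_per_hour
    if excess > 0:
        risk += PER_EXCESS_CHANGE * excess
    return risk


def threat_level(intel):
    """Map threat intelligence to 0 (normal), 1 (elevated) or 2 (critical).
    `intel` is a list of {"vuln": str, "patched": bool, "exploited_in_wild": bool}."""
    unpatched = [item for item in intel if not item["patched"]]
    if any(item["exploited_in_wild"] for item in unpatched):
        return 2
    return 1 if unpatched else 0


def decide(req, baseline, level):
    """Raise the fence as the threat level rises: the risk budget that passes
    without friction shrinks, and more requests fall through to a human."""
    allow_budget = 50 - 20 * level       # 50 / 30 / 10
    challenge_budget = 80 - 20 * level   # 80 / 60 / 40
    risk = risk_score(req, baseline)
    if risk <= allow_budget:
        return "allow"
    if risk <= challenge_budget:
        return "challenge"            # step-up: re-authenticate with an extra factor
    return "require_approval"         # peer review or alternative approval workflow


# Constructed baseline and requests for one privileged user.
ADMIN_BASELINE = Baseline(frozenset({"10.0.0.5", "10.0.0.6"}), range(8, 19), 3)
NORMAL = ElevationRequest("admin1", "10.0.0.5", 10, 1, True)
UNKNOWN_SRC = ElevationRequest("admin1", "203.0.113.77", 10, 1, True)
CHANGE_BURST = ElevationRequest("admin1", "10.0.0.5", 10, 8, True)
NIGHT_NO_MFA = ElevationRequest("admin1", "203.0.113.77", 3, 1, False)

# Constructed intel feeds: a quiet day, and a day with an unpatched, exploited bug.
QUIET_INTEL = [{"vuln": "example-bug-1", "patched": True, "exploited_in_wild": True}]
HOT_INTEL = [{"vuln": "example-bug-2", "patched": False, "exploited_in_wild": True}]


if __name__ == "__main__":
    for label, intel in (("quiet day", QUIET_INTEL), ("unpatched exploited bug", HOT_INTEL)):
        level = threat_level(intel)
        for req in (NORMAL, UNKNOWN_SRC, CHANGE_BURST, NIGHT_NO_MFA):
            print(f"{label:24} level={level} src={req.source:>13} h={req.hour:02d} "
                  f"changes={req.changes_last_hour} mfa={req.mfa_passed!s:5} "
                  f"risk={risk_score(req, ADMIN_BASELINE):3} -> {decide(req, ADMIN_BASELINE, level)}")
```

Running it shows the fence moving: the same unknown-source request is allowed on a quiet day, challenged at the elevated level, and held for approval while an exploited bug is unpatched, while the burst of privileged changes is challenged even at the lowest level, matching the idea that too many anomalous changes trigger a challenge regardless of what the threat feed says.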