Everyone is tethered to multiple devices and services, each with its own login and password. Reusing passwords is born out of necessity, and attackers exploit those reused credentials for easy, malicious account access.
To avoid an island of misfit passwords, many users turn to password managers to control an archive of different passwords. But even those are susceptible to a hacker's immorality.
Password managers at their core have a weak point: passwords. If a manager is compromised, malicious actors have the keys to a user's kingdom.
Passwords may actually be the worst-case scenario for cybersecurity. Solutions for more secure authentication are emerging. But when considering how often passwords are at the root of a cyberattack, those solutions are not coming quickly enough, said Phil Dunkelberger, CEO of Nok Nok Labs, a founding member of the FIDO Alliance, an industry alliance working toward stronger authentication.
Are passwords the sole cause of breaches? Absolutely not, but because of their "brittleness" they stand firmly as a "contributing part of the problem," said Dunkelberger. Once one privileged user's credentials are stolen, "it is painfully easy for a hacker to elevate [their] capability," especially when it's linked to a single sign-on system.
When your password manager can't be trusted
The compromise of a security vendor is worth noting, but hacked vendors letting their customers down is a persistent trend.
Password management systems "are a tempting target because those walls contain credentials that can be used against a variety of systems" and the stolen credentials can be stored for a later breach, said Merritt Maxim, principal analyst at Forrester.
In an ideal world, a password manager would be enough to thwart the mischievous activities of hackers. But hackers are clever and perimeter defenses are only so effective.
So even when the single access key to the password manager is made of pure Teflon, the manager itself is not immune to the cleverness of hackers. Such was the case in 2015 when LastPass Password Manager was breached.
The company was compromised after unusual activity was detected on its network, which ultimately led to the discovery of a breach of user emails, password reminders, server per-user salts and authentication hashes, according to LastPass.
To secure its "fortress," the company blocked the activity and avoided a breach of encrypted data, which includes the master password created by customers.
The company still encouraged its customers to change their master passwords following the intrusion, but the individual passwords attached to the master key could remain as they were.
Even though it was a near-nightmare scenario, the breach of LastPass should not scare companies away from using some form of password management.
When passwords are as weak as '123456'
Preserving password hygiene is tiresome, and for many, password management eases the burden, particularly in an increasingly dangerous threat landscape.
Nearly one-third of cyberattacks are made possible through stolen credentials, according to a Forrester report. Some U.S.-based organizations designate more than $1 million a year just for the support costs of password management, including professionals and infrastructure.
And yet, 42% of employees try to remember their passwords without storing them while 17% write them down on a notepad. Those are the two most popular forms of individual password management.
When all that stands between a company and a data breach is a sticky note with passwords on it, companies have every reason to reevaluate their password management of choice.
However, there is always the possibility of internal threats. Almost one-quarter of breaches in the last year were the result of internal attacks, and of those, 50% were carried out for abusive or illegal purposes.
"Even if those passwords are stored encrypted, the administrator of that directory theoretically has the above average access to things and if they were maliciously inclined, they could potentially have access to user credentials that could be used for insider theft or other kind of fraud related things," said Maxim.
When the threats are coming from the inside
To prevent corrupt employees from accessing data that is readily available to them, an auditing or logging tool can be used to see if an administrator is trying to download a cache of authentications.
But known cyberattacks, like NotPetya, used password guessing to great effect.
"In the kind of old days of IT, password cracking actually required kind of brute force computing where you actually needed lots of servers to actually try to run against an encrypted password," said Maxim.
What's happening in the interim is hackers are using rainbow tables. "Given that there's a set of known commercially available encryption algorithms that are used to hash passwords, hackers have actually gone in and pre-computed the actual encrypted hash for thousands of password combinations," without "brute force cracking," said Maxim.
With just a web browser and a rainbow table, hackers can take a "data dump of encrypted passwords," look up matching hashes and recover the original passwords. But this type of password cracking is most powerful when the passwords are dictionary words.
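The following example, added here and not taken from the article or from any vendor it mentions, shows why the precomputed-table shortcut works against bare hashes and why the per-user salts LastPass mentions defeat it. It assumes Python's standard hashlib, uses SHA-256 as a stand-in for whatever "known commercially available" hash a site might use, and works from a small constructed wordlist and constructed user records.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the "thousands of password combinations"
# an attacker precomputes; "123456" is the one the article names.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome1"]


def precomputed_table(words, algorithm="sha256"):
    """Map unsalted hash -> plaintext for every word in the list.

    This is the shortcut the article describes: hash the wordlist once,
    then match stolen hashes by lookup instead of hashing at crack time.
    """
    return {hashlib.new(algorithm, w.encode()).hexdigest(): w for w in words}

def store_unsalted(password, algorithm="sha256"):
    """Weak storage: a bare hash, identical for every user with that password."""
    return hashlib.new(algorithm, password.encode()).hexdigest()

def store_salted(password, salt=None, iterations=600_000):
    """Stronger storage: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    The salt makes a table built for one user useless against any other, and
    the iteration count removes the "precompute once, reuse forever" shortcut.
    Returns (salt_hex, hash_hex); the salt is stored beside the hash.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()

def verify_salted(password, salt_hex, hash_hex, iterations=600_000):
    """Login-time check of a salted record, compared in constant time."""
    _, candidate = store_salted(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, hash_hex)

def lookup_hits(stored_hashes, table):
    """Count how many stored hashes the precomputed table recovers outright."""
    return sum(1 for h in stored_hashes if h in table)

def demo():
    """Same stolen 'data dump', two storage schemes: returns (weak_hits, salted_hits)."""
    table = precomputed_table(COMMON_PASSWORDS)
    users = {"alice": "123456", "bob": "welcome1", "carol": "Tr0ub4dor&3"}  # constructed
    weak = [store_unsalted(p) for p in users.values()]
    salted = [store_salted(p)[1] for p in users.values()]
    return lookup_hits(weak, table), lookup_hits(salted, table)  # -> (2, 0)
```

Run `demo()` to see the two common passwords fall instantly under the unsalted scheme while the identical table recovers nothing once each record carries its own salt.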