Passwords for everything. Why are they still terrible?

Passwords that update every 30 to 90 days sound safe, in theory. But some employees, inundated with too many passwords and too many updates, will schedule the passwords in open calendar invites. Chilling, in a skin crawling way.

"This way, they can access their passwords at all the times from their calendar. And some individuals didn't know that calendar was shared," Bassam Al-Khalidi, founder and co-CEO of Axiad, told CIO Dive. "Basically, if somebody just went to their calendar, double clicked on their week, they can see all the passwords."

Passwords used by nontechnical end-users are just one place authentication exists. Across the digital world, passwords remain the backbone of computing, even as zero trust challenges their relevancy. Passwords still exist across tools and solutions because they have been a fundamental component of security. Moving away from them "just became more complex over time," said Al-Khalidi.

Passwords are the cockroaches of cybersecurity, yet the methods for managing them don't have to live forever.

"We're not reinventing the wheel here," said Al-Khalidi. When the first computers of the digital era rolled out, "everything was enclosed within that computer. You physically had to be sitting in front of it to have access to it."

As systems matured, computers could connect to some sort of mainframe and connectivity grew to anywhere, anytime, opening risk to widely-used internet services and protocols.

This year "populations of grossly insecure" internet services decreased, including in server message block, Telnet, Rsync, and email protocols, according to Rapid7's National/Industry/Cloud Exposure Report (NICER) report. Secure Shell (SSH) and DNS-over-TLS, which are "more secure alternatives," have increased in use.

"Everything was enclosed within that computer. You physically had to be sitting in front of it to have access to it."

Bassam Al-Khalidi

Founder and co-CEO of Axiad

"The internet as a whole seems to be moving in the right direction when it comes to secure versus insecure services. This is a frankly shocking finding," given the health- and economic-related crises the world is facing, according to the report.

However, even SSH is subject to failings in usernames and passwords. SSH vulnerabilities are commonly linked to "unchangeable, vendor-supplied usernames, passwords, and private keys that ship with IoT devices that (correctly) have moved away from Telnet," an internet-based application protocol, according to the report. Even SSH's cryptography doesn't shield it from risk.

Companies cannot assume the passwords they inherit from their vendors are foolproof. Rapid7 noted, "password reuse is weirdly common in SSH-heavy environments," and requires password protection to maintain a SSH-based infrastructure's security.

As for the longevity of SSH, researchers noticed a 13% increase in SSH, though "we're hoping to see a reduction in SSH over time as more Linux distributions mimic Ubuntu and adopt WireGuard7," to guarantee remote system connections are secure.

Security vs. usability

Early computers only stored passwords saved on the actual hardware, now passwords cascade across systems, networks and users. When the perimeter expanded outside an organization and employees started taking laptops home, "it was the dawn of the VPN and all that excitement," said Al-Khalidi.

And with the exchange — freedom for more passwords — users became inundated with authentications.

Working from home, employees have to use multiple passwords just to start their day: device login, VPN activation and maybe a system login. Employees could use up to 20 passwords daily for authenticating different applications and resources. There is a very good chance employees are recycling passwords across their personal and business accounts, said Al-Khalidi and Alberto Casares, VP of threat research at 4iQ.

"I think that's why we cannot really avoid using passwords."

Alberto Casares

VP of threat research at 4iQ

The balance between usability and cybersecurity is the main problem, Casares told CIO Dive. "I think that's why we cannot really avoid using passwords."

Though the shutdowns might have boosted companies' use of Outlook 365 and G Suite for email, more companies are "giving up" on hosting their own mail infrastructure, according to Rapid7. Qualified providers are better equipped for filtering spam and phishing, especially since more than half of emails are considered spam.

Cybercriminals are using different types of malware to infect devices, crack passwords and get the plain text. "Imagine that someone gets out and has access to your Gmail, Hotmail or Outlook account, which is your personal account. You probably have that linked with your bank, so the guests are getting access to one email account, that could mean that they have access to all your features," said Casares.

Since the pandemic sent them home, 72% of employees are "more conscious" about their employers' cybersecurity standards, according to a TrendMicro survey of 13,200 remote workers. However, two-thirds of employees have uploaded corporate data to personal devices.

Email remains the most favored mechanism for phishing attacks and password-stealing malware, according to Rapid7. "There are at least two serious vulnerabilities in popular mail servers Exim and Microsoft Exchange deployed today."

Personal email accounts and their weaker passwords could potentially lead to business email compromise, especially with constant password recovery. If "my personal email is linked to my professional email and I click 'forgot your password,' retrieve the code in your personal email and change the password from that," hackers can get access to the corporate email, according to Casares.