This article is based on a presentation given by Tom Stewart, Senior Director of Protiviti’s Attack and Penetration team, at IBA’s 2022 Analytics Conference on Cybersecurity.
In 2017, Tom Stewart, the now Senior Director of Protiviti’s Attack and Penetration team, wrote an article titled “The 8 Character Password is Dead.” In the article, Stewart and a colleague reported their finding that for under $5,000 in equipment, every password in a suite of Microsoft security protocols can be guessed or “brute forced” in just seven minutes.
Five years later, the eight-character password is still the standard for corporate America — and it has been since Stewart began working at Protiviti, a global consulting firm, in 2007. The difference? Stewart revisited the process with a cloud-computing system in summer 2022 and found that any eight-character password in the world could be guessed for a mere $62.59.
“Over the past 15 years, there’s been the same standard for passwords, even though I was using a dial-up modem to do hacking in 2007,” Stewart said. “Technology has changed, but the standard to which we hold ourselves has not changed at all. There’s a shortcoming there.”
Stewart leads a large team of elite hackers, including former Department of Defense and National Security Administration employees. Businesses hire Stewart’s team to hack their systems and emulate what hackers may be doing, including finding data, scenarios, intellectual property, or other private information.
During the 2022 Conference on Analytics for Cybersecurity, sponsored by the Institute for Business Analytics at the Kelley School of Business, Stewart discussed how the standard forms of authentication, like the eight-character password, don’t always provide the level of security that users assume they do.
“Authentication is the core of not only what we do in corporate America, but also the core of what we do in our personal lives,” Stewart said. “It’s arguably the crux of security. If it’s ineffective, there’s no security.”
While most people agree that authentication is important, many might not understand its failings. For example, according to Stewart, although finance is often regarded as the most secure industry, a 2022 study on data breaches found that 80% of 200 financial institutions had an authentication-related breach over the last year. The average number of breaches was 3.4, and the average cost of each breach was $2.6 million.
“What’s staggering is that of those companies that had a breach related to an authentication issue, 90% of them believed they had a good handle on authentication,” Stewart said. “Obviously, there’s a misalignment between what we think we’re doing and what we’re actually doing.”
Types of Authentication and their Shortcomings
Some of the misunderstanding about the effectiveness of modern security relates to authentication methods other than passwords, a few of which Stewart surveyed in his presentation.
The first method he discussed is the one-time code sent by text message that the user must enter on a website. One shortcoming of text-message authentication is the SIM-swapping attack, in which a cell phone’s SIM card is stolen, placed in a new phone, and used to request a new username and password.
SIM-swapping is often combined with a social engineering attack in which a person acting as a cell phone company calls a high-profile individual and tells them they need to send in their SIM card to be swapped for a new one. There were around 3,000 of these cases reported to police last year, Stewart said.
Additional authentication methods are mobile applications that generate a code that users enter when logging in; certificates, or files that verify a user’s identity; and biometrics, which include fingerprints and face structure. These have shortcomings, too: codes from mobile applications can also be hacked through social engineering attacks; a file can be taken and put on a different computer, so that machine now thinks that it has a legitimate user; and if biometrics are stolen, they can’t be changed.
“My caution with all of these things is that they’re not a silver bullet,” Stewart said. “It’s not as if, just because you get a text message, you can no longer be hacked.”
If not passwords, then what?
After explaining the shortcomings of these modern authentication systems and demonstrating how quickly a password could be cracked using a cloud provider, Stewart gave a few recommendations, starting with not using an eight-character password. Passwords become more secure and take longer to crack as they get longer and when they include lowercase and uppercase letters, numbers, and special characters.
“Passwords are just a string of characters, so there’s only so many combinations on a given keyboard for a key space length,” Stewart said. “As you increase the length of the password, the number of combinations increases exponentially. If the website only uses passwords, make it a passphrase. It’s a lot harder to guess ‘Tom loves Indiana University’ than ‘Stewart1.’”
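As an added illustration of the key-space arithmetic behind that point (this is not code from the article or from Stewart’s team), the Python below sizes the alphabet a password actually draws on, computes the resulting key space and entropy, and scales a worst-case search time from the seven-minute figure for eight characters. It assumes that figure corresponds to exhaustively searching the full 95-character printable alphabet at a constant guess rate; the extrapolation to other lengths is an assumption, not a measurement.

```python
import math

# Character classes from the presentation: lowercase, uppercase, digits and
# specials. Together they are the 95 printable ASCII characters.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

# Assumption (not a figure from the talk): the seven-minute result for every
# eight-character password is read as an exhaustive search of the full
# 95-character alphabet at a constant guess rate, which is reused below.
SECONDS_FOR_8_CHARS = 7 * 60
GUESSES_PER_SECOND = 95 ** 8 / SECONDS_FOR_8_CHARS

def charset_size(password: str) -> int:
    """Size of the smallest keyboard alphabet covering every character used."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")  # punctuation and space
    return sum(CLASS_SIZES[c] for c in classes)

def key_space(length: int, alphabet: int = 95) -> int:
    """Number of candidate strings: alphabet ** length, exponential in length."""
    return alphabet ** length

def exhaustive_search_seconds(length: int, alphabet: int = 95) -> float:
    """Time to try every candidate at the assumed guess rate."""
    return key_space(length, alphabet) / GUESSES_PER_SECOND

def report(password: str) -> dict:
    """Length, effective alphabet, entropy in bits and worst-case search time."""
    alphabet = charset_size(password)
    return {
        "length": len(password),
        "alphabet": alphabet,
        "bits": len(password) * math.log2(alphabet),
        "seconds": exhaustive_search_seconds(len(password), alphabet),
    }

if __name__ == "__main__":
    for pw in ("Stewart1", "Tom loves Indiana University"):  # the talk's examples
        r = report(pw)
        print(f"{pw!r}: {r['length']} chars, alphabet {r['alphabet']}, "
              f"{r['bits']:.1f} bits, full search {r['seconds']:.3g} s")
    for n in (8, 10, 12, 16):  # each extra character multiplies the time by 95
        print(f"{n} chars over 95 symbols: {exhaustive_search_seconds(n):.3g} s")
```

Going from 8 to 12 characters over the same alphabet multiplies the search time by 95 to the fourth power, which is why the length recommendation matters more than any single extra character class.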