As the mercury drops and everyone starts thinking about when to finally switch on their central heating, amidst fears of soaring energy bills, another temperature-related crisis appeared to emerge in the form of thermal password attacks.
It seems that we must now contend not only with creating complex passwords that we are unlikely to remember (unless we write them down or reuse them), but also with the heat trace our fingers leave on keyboards, keypads (such as those at ATMs) and screens, which researchers have shown can be used to recover a password in minutes with basic thermal camera technology. In reality, recovering a password by thermal imaging has only been demonstrated under controlled conditions, and it makes for a great headline. The likelihood of someone shoulder surfing with a thermal camera remains slim, despite such cameras having become more widely available and more widely used since the pandemic.
The harsh reality is that it is far easier, quicker and cheaper for an attacker to obtain large numbers of breached passwords, which are already being traded on the dark web. To illustrate the scale of the problem, the Authlogics Password Breach Database comprises 4.9 billion compromised clear-text credentials and is growing by more than one million per day. The database is used by organisations around the world to check their breach status and ensure they are protected, but its size alone highlights how large the problem has become.
The news around the potential to capture a password thermally is also raising awareness of the need for password alternatives and of the importance of multi-factor authentication (MFA). The benefits of MFA have long been recognised: earlier this month it was revealed that the global market for the technology is expected to grow by USD 20,806 million within the next five years. Factors such as larger workforces accessing applications off-site following the shift to home and hybrid working, together with the increased use of digital identities and wallets, have led organisations in the public and private sectors to look for more secure and convenient ways to strengthen authentication beyond the username and password. At the same time, they recognise the need to improve the ‘customer experience’ by removing password resets and lockouts from mission-critical resources.
Put simply, MFA combines two or more independent factors: something you ‘know’ (a password, PIN, pattern or phrase), something you ‘are’ (a biometric such as a fingerprint or facial recognition) and something you ‘have’ (a mobile device, hardware key, smart card etc.). Two factors of the same kind, such as a password plus a PIN, are not MFA, because both are things you know.
However, whilst the transition from username and password to MFA can be done quickly and seamlessly, it is crucial that it is well planned and project-managed. It is for this reason that organisations currently moving to MFA, or planning it as part of their security strategy for 2023, prefer to take a stepped approach, beginning with Password Security Management.
Password Security Management is a way to ensure not only that every password in use adheres to industry best-practice guidance (NIST SP 800-63B is typically considered the gold standard), but also that, should a credential be compromised, whether through phishing, a thermal camera or one of many other attack vectors, the exposure is identified and remediated before it can cause significant harm. The scale of that harm should not be underestimated, with the global cost of cybercrime predicted to reach a staggering USD 8 trillion in the coming year.
It is important to stress that Password Security Management and MFA are not the preserve of large multinational enterprises, and neither is the risk of attack. Most cyber-attacks are aimed at SMEs (seen as easy targets or as a conduit to a larger prize), and many victims are no longer trading six months after such an incident. The threat is large and the cost of doing nothing is great. Discovering a breach is the fastest way to get the temperature rising!
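To make the two checks described above concrete, the following is an added example (not Authlogics code, and not taken from the original article) of how a password can be screened against the NIST SP 800-63B memorised-secret rules and against a breach corpus. The breach corpus here is a constructed set of five well-known weak passwords stored as SHA-1 hashes; a real deployment would consult a database of billions of entries, and the prefix-based lookup mimics the k-anonymity pattern used by public breach-check services so that the full hash never leaves the client. The function names and the sample corpus are assumptions for this example.

```python
import hashlib
import unicodedata

# Constructed breach corpus for the example: SHA-1 of a handful of
# notoriously common passwords. A production corpus would hold billions.
_SAMPLE_BREACHED = {"password", "123456", "qwerty", "letmein", "Password1"}
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _SAMPLE_BREACHED
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the format most breach corpora use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def is_breached(password: str, corpus: set = BREACHED_SHA1) -> bool:
    """k-anonymity style lookup: select corpus entries by the 5-hex-char
    prefix, then compare the remaining suffix locally. Only the prefix
    would need to be sent to a remote service."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidate_suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidate_suffixes


def _is_repetitive_or_sequential(pw: str) -> bool:
    """True for strings like 'aaaaaaaa' or '12345678' / 'abcdefgh':
    every adjacent code-point difference is the same and is 0 or +/-1."""
    if len(pw) < 2:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(diffs) == 1 and diffs <= {-1, 0, 1}


def screen_password(password: str, username: str = None,
                    context_words: tuple = ()) -> list:
    """Return the list of reasons a password fails NIST SP 800-63B
    screening; an empty list means it passes.

    800-63B: at least 8 characters, at least 64 allowed, Unicode
    normalised before comparison, rejected if it is a known-breached
    value, repetitive/sequential, or contains context-specific words
    (such as the username). No composition rules are applied."""
    pw = unicodedata.normalize("NFKC", password)
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if len(pw) > 64:
        reasons.append("longer than 64 characters")
    lowered = pw.lower()
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    for word in context_words:
        if word.lower() in lowered:
            reasons.append(f"contains context word '{word}'")
    if _is_repetitive_or_sequential(pw):
        reasons.append("sequential or repeated characters")
    if is_breached(pw):
        reasons.append("matches a known-breached password")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple",
                      "12345678", "alice2024"]:
        print(repr(candidate), "->", screen_password(candidate, username="alice"))
```

Note what the screen does not do: it imposes no upper-case/digit/symbol rules and no expiry, in line with NIST guidance, so `Pa55w0rd` would pass here if it were absent from the corpus while `password` is rejected. The remediation step the article refers to is the same check run continuously against the passwords already in use, not just at the moment a user picks a new one.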
For more information about Password Security Management and how you can begin your journey from passwords to MFA visit: www.authlogics.com