Passwords are inherently insecure—and continuing to use them as a primary method of authentication has led to some unfortunate consequences. As the recent Okta breach highlighted, tactics like credential stuffing remain popular among cybercriminals, and are a major cause of breaches in nearly every industry.
These attacks are relatively simple: a threat actor obtains a list of compromised credentials and uses them to attempt to log into other accounts across the internet. It’s an attack predicated on a very simple idea: remembering passwords is hard, so people tend to make them simple—and, even worse, reuse them.
Asking users to remember dozens of unique, complex passwords isn’t reasonable—and while password managers can help, relatively few people use them. Instead of fighting human nature, today’s organizations can limit their vulnerability to credential stuffing attacks by taking proactive steps to reduce their reliance on passwords entirely, embracing a more secure, passwordless future.
The evolution of credential stuffing
Attackers used to take a “spray and pray” approach to credential stuffing, banking on the idea that if they try stolen credentials in enough places, they’ll eventually hit upon a few that work. Unfortunately, these attacks are now increasingly targeted. Threat actors can even sign up for services that will notify them when credentials from potential target organizations go up for sale on the dark web. Obtaining, selling, and leveraging these credentials has effectively become its own little dark web cottage industry.
Eliminating passwords looks like the obvious answer, then—right? Well, it’s complicated. There are roadblocks that prevent many organizations from embracing an entirely passwordless approach to authentication. For example, existing passwordless options are often not compatible with all of their integrations, or they may receive pushback over the perceived hassle it creates. Fortunately, addressing the challenges that make passwords inherently insecure doesn’t demand an “all or nothing” approach. There are steps organizations can take to add additional layers of security and reduce reliance on passwords, moving toward a passwordless (or “password-lite”) authentication strategy that can significantly reduce exposure to credential stuffing and other attacks.
Three steps toward a passwordless future
- Deploy multifactor authentication: Security professionals have been beating the multifactor authentication (MFA) drum for years, and—while it’s far from perfect—MFA does add a critical layer of defense to the authentication process. MFA ensures that an attacker can’t just log in with a compromised username and password—they’d need to spoof a SIM card or take some other step to complete a login. These techniques are possible, but aren’t easy—and attackers are often looking for an easy score, meaning they’re likely to move on to a less protected target. Unfortunately, adoption rates continue to lag, with just 28% of enterprise organizations deploying MFA. That’s a major problem, and while implementing MFA won’t stop every attack, it definitely can help.
- Mandate password managers: For organizations continuing to use passwords, mandating password managers can significantly improve security. However, it's even better to implement some degree of passwordless authentication. Facial recognition and biometrics are reliable and secure, but privacy issues may make some individuals uncomfortable with this type of authentication. That’s okay—today’s businesses have a wide range of passwordless options available to them, including hard token authenticators that don’t require biometrics. Security keys are one such option, as are badges—which are already widely adopted in industries like healthcare and critical infrastructure to restrict physical access to secure areas. These do pose problems of their own, such as what to do if a key gets misplaced, but they still represent a significant improvement over passwords.
- Improve monitoring: Organizations need to improve their ability to monitor for exposures and proactively notify customers when a potential compromise has occurred. There are services that can notify organizations when their credentials are found on the dark web, and it’s important to have a plan in place to alert affected customers and employees in a timely manner—and automatically prompt password updates before an attacker can act. Perception has become an important element of security, and it’s important for organizations to demonstrate to their partners and customers that they take these threats seriously and have measures in place to both prevent and respond to attacks. Users care about their security, and they also want to know that the organizations they work with care.
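The monitoring step above is where the attack patterns this piece names (credential stuffing, password sprays, brute force) become visible in an organization's own authentication logs, so here is an added example of the kind of detection logic a security team could run over them. This is illustrative code written for this page, not the author's or Expel's tooling. It assumes a simplified, constructed log format (`<timestamp> <FAIL|SUCCESS> user=<name> ip=<address>`), and the burst window and failure threshold are assumptions to be tuned against real traffic. The distinguishing signal is the shape of the failures per source address: one account hammered many times looks like brute force, while many distinct accounts each tried once or twice in a short burst is the fingerprint of stuffing or spraying. A success from the same address right after such a burst is the event worth paging on, because it is the stolen credential pair that worked.

```python
"""Classify failed-login bursts per source IP from authentication log lines.

Added example, not from the original article. Log format and thresholds are
constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed burst window
MIN_FAILURES = 8                 # assumed number of failures in a window before an IP is flagged

# Constructed sample log lines (not real data). Addresses come from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice ip=203.0.113.7
2024-05-01T10:00:03 FAIL user=bob ip=203.0.113.7
2024-05-01T10:00:05 FAIL user=carol ip=203.0.113.7
2024-05-01T10:00:07 FAIL user=dan ip=203.0.113.7
2024-05-01T10:00:09 FAIL user=erin ip=203.0.113.7
2024-05-01T10:00:11 FAIL user=frank ip=203.0.113.7
2024-05-01T10:00:13 FAIL user=grace ip=203.0.113.7
2024-05-01T10:00:15 FAIL user=heidi ip=203.0.113.7
2024-05-01T10:00:17 FAIL user=ivan ip=203.0.113.7
2024-05-01T10:00:19 SUCCESS user=judy ip=203.0.113.7
2024-05-01T11:30:00 FAIL user=admin ip=198.51.100.9
2024-05-01T11:30:04 FAIL user=admin ip=198.51.100.9
2024-05-01T11:30:08 FAIL user=admin ip=198.51.100.9
2024-05-01T11:30:12 FAIL user=admin ip=198.51.100.9
2024-05-01T11:30:16 FAIL user=admin ip=198.51.100.9
2024-05-01T11:30:20 FAIL user=admin ip=198.51.100.9
2024-05-01T11:30:24 FAIL user=admin ip=198.51.100.9
2024-05-01T11:30:28 FAIL user=admin ip=198.51.100.9
2024-05-01T11:30:32 FAIL user=admin ip=198.51.100.9
2024-05-01T11:30:36 FAIL user=admin ip=198.51.100.9
2024-05-01T09:15:00 FAIL user=dave ip=192.0.2.5
2024-05-01T09:15:20 SUCCESS user=dave ip=192.0.2.5
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, ip)."""
    ts, result, user_kv, ip_kv = line.split()
    return datetime.fromisoformat(ts), result, user_kv.partition("=")[2], ip_kv.partition("=")[2]


def largest_burst(times):
    """Largest number of timestamps that fall inside any WINDOW-long span (sliding window)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify(failures):
    """Label one IP's failed logins, given as a list of (timestamp, user)."""
    if largest_burst([t for t, _ in failures]) < MIN_FAILURES:
        return "normal"
    users = {u for _, u in failures}
    if len(users) == 1:
        return "brute_force"                     # one account, many guesses
    if len(failures) / len(users) <= 2:
        return "credential_stuffing_or_spray"    # many accounts, one or two guesses each
    return "suspicious"                          # dense burst that fits neither shape cleanly


def analyze(log_text):
    """Return {ip: report} for every source IP whose failures are not 'normal'."""
    fails, succ = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = parse_line(line)
        (fails if result == "FAIL" else succ)[ip].append((ts, user))
    report = {}
    for ip in set(fails) | set(succ):
        label = classify(fails[ip])
        if label == "normal":
            continue
        first_fail = min(t for t, _ in fails[ip])
        # Accounts that logged in successfully from this IP once the burst had started:
        # the likely compromised credentials, and the ones to reset first.
        hits = sorted({u for t, u in succ[ip] if t >= first_fail})
        report[ip] = {
            "label": label,
            "failures": len(fails[ip]),
            "distinct_users": len({u for _, u in fails[ip]}),
            "successes_after_burst": hits,
        }
    return report


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample data the first address is flagged as stuffing or spraying with `judy` listed as a success after the burst, the second as brute force against `admin`, and the one-failure-then-success login from the third address is left alone. In production the same shape test should key on more than the raw source address (attackers rotate through proxy pools), but the per-account and per-source counting is the core of it.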
By now, passwords have been declared “dead” or “obsolete” numerous times, but they remain stubbornly entrenched as the primary method of authentication for most organizations. Credential stuffing attacks, password sprays, brute-force authentications, and other methods of exploitation continue as a major threat, yet there are concrete steps organizations can take to limit their vulnerability, even if they aren’t ready to commit to fully passwordless authentication. Existing measures like MFA and physical passkeys can significantly reduce the effectiveness of credential stuffing attacks, while careful monitoring, transparent communication, and swift remediation of potential exposures let organizations cultivate a reputation for both trust and security.
Aaron Walton, threat intel analyst, Expel