Cyber Warfare – Truth, Tactics, and Strategies

By: Dr. Chase Cunningham
Overview of this book

The era of cyber warfare is now upon us. What we do now and how we determine what we will do in the future is the difference between whether our businesses live or die and whether our digital self survives the digital battlefield. Cyber Warfare – Truth, Tactics, and Strategies takes you on a journey through the myriad of cyber attacks and threats that are present in a world powered by AI, big data, autonomous vehicles, drone video, and social media. Dr. Chase Cunningham uses his military background to provide you with a unique perspective on cyber security and warfare. Moving away from a reactive stance to one that is forward-looking, he aims to prepare people and organizations to better defend themselves in a world where there are no borders or perimeters. He demonstrates how the cyber landscape is growing infinitely more complex and is continuously evolving at the speed of light. The book not only covers cyber warfare, but it also looks at the political, cultural, and geographical influences that pertain to these attack methods and helps you understand the motivation and impacts that are likely in each scenario. Cyber Warfare – Truth, Tactics, and Strategies is as real-life and up-to-date as cyber can possibly be, with examples of actual attacks and defense techniques, tools, and strategies presented for you to learn how to think about defending your own systems and data.

Authentication methods failed

The password, the single most prolific means of authentication for enterprises, users, and almost any system on the planet, is the lynchpin of failed security in cyberspace. Almost everything uses a password at some stage. Basically, every application that is used, as well as every VPN, and even every machine on the planet uses a password as its means of authentication, as do administrative tools, internetwork shares, and firewall systems. Everything, everywhere, has a password.

While that seems like a relatively simple and useful means of implementing security via authentication, passwords are only secure if they stay unknown to those who aren't the user of that password.

Over the past half-decade, almost every major repository of usernames and passwords has been breached at one time or another. In 2019, an independent researcher released a list of over 700 million known breached emails and usernames that could be combined with over 20 million compromised passwords.

Those usernames and passwords came from breach postings related to Yahoo, Equifax, OMB, Target, Home Depot, and hundreds of other instances of breaches of usernames, passwords, and authentication-related information. The Have I Been Pwned (HIBP) service claims to have more than 8 billion total records available that are the result of more than 400 worldwide data breaches.

Thanks to all those compromised credentials, there is literally a nearly 100% certainty that each person on the planet has at least one compromised account. The fact that there are not 8 billion users on the internet, and there certainly aren't 8 billion users on any one corporate system, exponentially increases the likelihood of a multitude of those credentials being viable for an exploitation operation.

The tactic called credential stuffing, wherein a malicious actor simply uses a brute force attack on a target system to attempt to gain access via compromised credentials, is exceptionally easy for threat actors. Many applications do not limit login attempts, or if they do, simple scripts can be used to wait for the timeout to pass, which allows threat actors to continually hammer away at a target asset until a valid set of credentials is found.

The criminal underground, as well as nation state threats, are known to possess vast troves of compromised password and username sets and have been observed "in the wild" repeatedly trying to gain access to systems via those simple means. In most cases, it is nothing more than a matter of time before some set of valid credentials is found.

Over a 17-month period, the security team at Akamai, which has security intelligence assets deployed globally, recently detected over 50 billion credential-stuffing attacks against a variety of targets (Constantin, 2019). Any one of those billions of attempts could have, and in some cases did, result in access to networks and infrastructures that maintain sensitive corporate or government data. One valid credential pair out of billions of attempts and an entire enterprise perimeter begins to crumble.
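The following detection sketch is an added example, not code from the book. It shows why per-account attempt limits miss credential stuffing and how counting distinct accounts per source catches it; the event tuple layout, the thresholds, and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events: (timestamp, source IP, username, outcome).
SAMPLE_EVENTS = [
    ("2019-06-01T10:00:00", "203.0.113.7", "alice", "fail"),
    ("2019-06-01T10:01:30", "203.0.113.7", "bob", "fail"),
    ("2019-06-01T10:02:10", "198.51.100.4", "carol", "fail"),
    ("2019-06-01T10:03:00", "203.0.113.7", "dave", "fail"),
    ("2019-06-01T10:03:05", "198.51.100.4", "carol", "ok"),
    ("2019-06-01T10:04:30", "203.0.113.7", "erin", "fail"),
    ("2019-06-01T10:06:00", "203.0.113.7", "frank", "ok"),
]


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=4):
    """Flag sources whose failed logins span many distinct accounts.

    Per-account lockout never fires here because each account sees only one
    failure, so the count is kept per source instead. Returns
    {source_ip: {"accounts": set, "compromised": set}}; "compromised" holds
    accounts that logged in successfully from a source after it was flagged.
    """
    failures = defaultdict(deque)  # source_ip -> (time, username) inside window
    flagged = {}
    for ts, ip, user, outcome in sorted(events):
        now = datetime.fromisoformat(ts)
        recent = failures[ip]
        while recent and now - recent[0][0] > window:
            recent.popleft()  # forget failures older than the window
        if outcome == "fail":
            recent.append((now, user))
            accounts = {u for _, u in recent}
            if len(accounts) >= min_accounts:
                hit = flagged.setdefault(ip, {"accounts": set(), "compromised": set()})
                hit["accounts"] |= accounts
        elif ip in flagged:
            hit = flagged[ip]
            hit["compromised"].add(user)  # candidate for forced reset
    return flagged


if __name__ == "__main__":
    for ip, hit in detect_credential_stuffing(SAMPLE_EVENTS).items():
        print(ip, sorted(hit["accounts"]), sorted(hit["compromised"]))
```

A source that paces its attempts to outlast the window goes unflagged, so the window has to be sized against the slowest attempt rate worth catching, not against the application's lockout timer.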

Consider also the typically abysmal construction of passwords by most users. In studies published as recently as 2019, two of the most prolific passwords in use globally were "password" and "123456." SplashData, an independent data research firm, conducted a study that noted the following as the worst passwords to use; those worst passwords have not changed across the same study conducted annually over a period of 4 years.

| Rank | 2018 | 2017 | 2016 | 2015 |
|------|------|------|------|------|
| 1 | 123456 | 123456 | 123456 | 123456 |
| 2 | password | password | password | password |
| 3 | 123456789 | 12345678 | 12345 | 12345678 |
| 4 | 12345678 | qwerty | 12345678 | qwerty |
| 5 | 12345 | 12345 | football | 12345 |
| 6 | 111111 | 123456789 | qwerty | 123456789 |
| 7 | 1234567 | letmein | 1234567890 | football |
| 8 | sunshine | 1234567 | 1234567 | 1234 |
| 9 | qwerty | football | princess | 1234567 |
| 10 | iloveyou | iloveyou | 1234 | baseball |
| 11 | princess | admin | login | welcome |
| 12 | admin | welcome | welcome | 1234567890 |
| 13 | welcome | monkey | solo | abc123 |
| 14 | 666666 | login | abc123 | 111111 |
| 15 | acb123 | abc123 | admin | 1qaz2wsx |

So, while users are intimately aware of the power of the password, that is, the access that is afforded by that point of control, they continue to use those same easy-to-guess, blatantly ignorant passwords in all manner of their daily lives.

Added to the failure of users to adequately design their passwords are those other instances of failed perimeter-based security practices, namely that everything revolves around the use of a password for access and control, and that in most small and mid-size organizations those terribly insecure passwords are not blacklisted from use. As noted, even an organization as large as Equifax had "admin" as a password on networked assets.
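One way to enforce the missing blacklist when a password is set, as an added example that is not from the book: a denylist seeded from the SplashData rankings quoted on this page, a check for single-character and sequential passwords, and an optional breach-corpus lookup by hash prefix. `fetch_range` is a hypothetical caller-supplied function, and the `SUFFIX:COUNT` response format is assumed to match what the HIBP Pwned Passwords range endpoint returns.

```python
import hashlib

# Denylist seeded from the SplashData rankings quoted on this page.
DENYLIST = {
    "123456", "password", "123456789", "12345678", "12345", "111111",
    "1234567", "1234567890", "1234", "qwerty", "1qaz2wsx", "abc123",
    "666666", "sunshine", "iloveyou", "princess", "football", "baseball",
    "monkey", "letmein", "welcome", "login", "admin", "solo",
}


def is_trivial_pattern(password):
    """True for one repeated character or a straight run such as 'abcdef'."""
    if len(set(password)) <= 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps in ({1}, {-1})


def breach_count(password, fetch_range):
    """Look a password up in a breach corpus by k-anonymity.

    Only the first five hex characters of the SHA-1 digest are handed to
    fetch_range (a caller-supplied, hypothetical callable); it returns
    'SUFFIX:COUNT' lines and the match is done locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def screen_password(password, fetch_range=None):
    """Return the reasons a candidate password is rejected (empty = accepted)."""
    reasons = []
    if password.lower() in DENYLIST:
        reasons.append("denylisted")
    if is_trivial_pattern(password):
        reasons.append("trivial pattern")
    if fetch_range is not None and breach_count(password, fetch_range) > 0:
        reasons.append("found in breach corpus")
    return reasons
```

Because the candidate password and its full hash never leave the host, the breach lookup can run at password-change time without creating a new disclosure path.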

Even members of Congress and famous media personalities have been found to be using weak and insecure authentication methods and passwords. Representative Lance Gooden of Texas, who co-sponsored a bill titled "Cybersecurity and Financial System Resilience Act of 2019," was seen accessing his phone during a congressional committee hearing with the passphrase "7777777." Kanye West's phone passcode was seen to be "0000000" during a televised meeting with President Donald Trump. One would think that those high-profile individuals, especially one that is literally drafting legislation for cyber security in banking, would be focused and educated on using solid passwords and authentication methods, but obviously they aren't.

Logic would suggest that if any password would be impossible to crack and composed of intricate schemas to prevent the asset misuse, it would be in the US Minuteman Nuclear Weapons program. In a 2004 memo, Dr Bruce Blair, a former Minuteman weapons officer, stated that "the U.S. Strategic Air Command (SAC) once intentionally set the launch codes at all Minuteman nuclear missile silos in the U.S. to a series of eight zeroes."

In 1962, President Kennedy ordered his Secretary of Defense, Robert McNamara, to have a system called PAL, or Permissive Action Link, installed on all Minuteman nuclear weapons in the US arsenal. However, thanks to the sloth of the US Air Force in implementing those controls, and a general hatred within the US Air Force's leadership for McNamara, those changes took more than two decades to be deployed.

Dr Blair said in his memo, of the standard operating procedure for US Minuteman officers, that "our launch checklist in fact instructed us, the firing crew, to double-check the locking panel in our underground launch bunker to ensure that no digits other than zero had been inadvertently dialed into the panel." In other words, the weapons team was told to make sure the "00000000" passcode was hardcoded into the sequence for the command and control of the 50 Minuteman nuclear missiles.

While this did not mean that it was any easier for an inadvertent launch to occur (there are many other checks that must be performed), it does mean that a very critical component of the launch sequence for the US strategic nuclear weapons was reliant on a simple 8-digit passcode comprised entirely of zeros.

While the anecdote on the Minuteman program is slightly tangential, the point is that even in an organization as strictly structured and disciplined as the US Air Force, password management is usually a woefully inept practice. If an organization with that much power and that much responsibility can ignore a best practice in password management for 20 years, what hope does the average enterprise or user stand?
