Why password authentication isn’t as secure as you think

Passwords aren’t as secure as you might think.
Passwords are the most common form of authentication because they are the most practical and easiest form to use. That convenience is also their weakness.
Security and accountability are closely connected. An organization can only grant or deny access on the basis of permissions if it first has a reliable way to establish who is asking, and that is what strong authentication provides.

Auditing is the process of recording the activity of the system, its resources and its users.
The result is a log of the events that took place on the computer network and, to a certain degree, within the organization’s facilities over a given period. Only by recording these events is it possible to review user activity afterwards for compliance or violations; the same log is also where credential attacks leave their traces.

Authentication is the process by which a person proves that they are who they claim to be.
Most computer networks use authentication to link a person to a specific account: the username identifies the account, and the password is the proof that the person logging in is entitled to it.

Authorization is the act of granting rights, permissions and privileges to users so that they can perform their work.
Authorization is equally the act of denying access to any resource or activity a user has not been granted. Each user has individual access limits tailored to their role.
Of these three services, authentication is the one the other two depend on. Authorization decisions and audit records are only as meaningful as the link between the account and the real person behind it: a user ID is a unique identifier tied to one person, and if that link can be forged, the account’s permissions and its log entries can no longer be attributed to anyone.
It is difficult to hold someone accountable if the authentication that links them to their account is weak.

Most services and organizations rely on passwords to authenticate users.
With single-factor authentication, the password is the only thing standing between an attacker and the account: anyone who learns it can impersonate the user and log in. Passwords can be obtained in many ways:
Password guessing
Reuse of passwords exposed in other breaches (credential stuffing)
Brute-force attacks
Theft of a database that stores passwords in plain text
Password spraying (one common password tried against many accounts)
Lost or stolen backup tapes
Social engineering
Shoulder surfing
Thermal (infrared) imaging of keypads to recover recently pressed keys
Keystroke logging
Phishing attacks
Web spoofing attacks (look-alike sites)
DNS pharming attacks
Session hijacking
Network traffic sniffing
On-path (man-in-the-middle) attacks

Many of these attacks work regardless of how complex the password is: a keylogger, a phishing page or a sniffed plaintext login captures a 30-character passphrase as easily as a four-digit PIN. Complexity only raises the cost of guessing and cracking. As long as the password is the only factor, its compromise cannot be ruled out.
Password-only authentication should therefore be treated as insufficient and insecure on its own.
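Two of the attacks listed above, brute force and password spraying, leave different shapes in the audit log the article mentions earlier. The following is an added example, not code from the original article or its author: it parses a few constructed authentication log lines (a hypothetical `timestamp user result source` layout, not any real product’s format) and tells the two attacks apart, then picks out the accounts the attacker actually got into. The thresholds (`min_failures`, `spray_ratio`) are illustrative assumptions.

```python
"""Added example (not from the original article): separating password
spraying from brute force in an authentication log.

  - brute force: many failures against ONE account from a source
  - spraying:    one failure against MANY accounts from a source, which
                 stays under per-account lockout thresholds
The log lines below are constructed for this example in a hypothetical
'timestamp user result source' layout.
"""
from collections import defaultdict

SAMPLE_LOG = """\
2024-03-01T09:00:01 alice FAIL 203.0.113.7
2024-03-01T09:00:02 bob   FAIL 203.0.113.7
2024-03-01T09:00:03 carol FAIL 203.0.113.7
2024-03-01T09:00:04 dave  FAIL 203.0.113.7
2024-03-01T09:00:05 erin  FAIL 203.0.113.7
2024-03-01T09:00:06 frank OK   203.0.113.7
2024-03-01T09:10:00 alice FAIL 198.51.100.9
2024-03-01T09:10:01 alice FAIL 198.51.100.9
2024-03-01T09:10:02 alice FAIL 198.51.100.9
2024-03-01T09:10:03 alice FAIL 198.51.100.9
2024-03-01T09:10:04 alice FAIL 198.51.100.9
2024-03-01T09:10:05 alice FAIL 198.51.100.9
2024-03-01T09:10:06 alice OK   198.51.100.9
2024-03-01T09:30:00 bob   FAIL 192.0.2.44
2024-03-01T09:30:05 bob   FAIL 192.0.2.44
2024-03-01T09:30:09 bob   OK   192.0.2.44
"""


def parse(log_text):
    """Parse the constructed format into (timestamp, user, success, source)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src = line.split()
        events.append((ts, user, result == "OK", src))
    return events


def classify_sources(events, min_failures=5, spray_ratio=0.8):
    """Label each source by the shape of its failed logins.

    Returns {source: (verdict, failures, distinct_accounts)}.  A real
    detector would evaluate this per time window; one window is used here.
    """
    failed_users = defaultdict(list)
    for _ts, user, ok, src in events:
        if not ok:
            failed_users[src].append(user)
    verdicts = {}
    for src, users in failed_users.items():
        n, distinct = len(users), len(set(users))
        if n < min_failures:
            verdict = "benign"        # a user fumbling their own password
        elif distinct >= spray_ratio * n:
            verdict = "spraying"      # nearly every failure hits a new account
        elif distinct <= 2:
            verdict = "brute_force"   # hammering one or two accounts
        else:
            verdict = "mixed"
        verdicts[src] = (verdict, n, distinct)
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts that logged in successfully from a flagged source: the
    attacker found a working password, so these are the logins to escalate."""
    flagged = {s for s, (v, _, _) in verdicts.items()
               if v in ("spraying", "brute_force")}
    return sorted({user for _ts, user, ok, src in events
                   if ok and src in flagged})


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    v = classify_sources(ev)
    for src, (verdict, n, d) in v.items():
        print(f"{src:14} {verdict:12} failures={n} accounts={d}")
    print("compromised:", compromised_accounts(ev, v))
```

The point of the split is that a per-account lockout rule never fires on the spraying source: it fails exactly once per account. Only counting distinct accounts per source, as above, exposes it, and the success from that source (`frank`) is the login that needs investigation.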

Most organizations leave password selection to the end user.
End users prefer passwords that are easy to remember, and a password that is easy to remember is also easier to guess, crack or discover.
There are good guidelines for password creation, but most users do only what the minimum requirements demand, just enough not to break the rules. Attackers exploit this: they treat the minimum requirement as the pattern users actually follow. If the policy requires an uppercase letter and a digit, most users will use exactly one of each, typically a capital first letter and a digit or two at the end. Attackers build their guesses around this human behaviour, which is why their password attacks succeed so often.

Modern password-cracking tools and techniques have outpaced the “standard” password guidance, policies and training that most organizations still use.
Composition rules that force one or two uppercase letters and digits into a password do not add the randomness they appear to: users slot the required characters into the same predictable positions, and cracking tools model those positions directly, so the rule narrows the search rather than widening it.
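The following added example (not code from the original article or its author) makes the previous two paragraphs concrete. It assumes a hypothetical policy of at least 8 characters with one uppercase letter and one digit, and models the lazy way users satisfy it: a dictionary word, first letter capitalised, one or two digits appended. It compares the keyspace the policy appears to give with the keyspace of that pattern, then recovers a constructed target hash with a wordlist and mangling rules. SHA-256 stands in for the fast unsalted hash a leaked password database might use; the wordlist and target are constructed for the example.

```python
"""Added example (not from the original article): a composition policy
shrinks the search once you model how users satisfy it.

Hypothetical policy: >= 8 chars, at least one uppercase letter, at least
one digit.  Assumed user pattern: Capitalised word + 1-2 trailing digits.
"""
import hashlib
import string


def meets_policy(pw):
    """The hypothetical policy a user (and therefore an attacker) must satisfy."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def nominal_keyspace(length=8):
    """What the policy looks like it offers: any alphanumeric in every slot."""
    return len(string.ascii_letters + string.digits) ** length


def pattern_keyspace(wordlist_size, max_digits=2):
    """What the attacker actually searches: word x (10 + 100 + ...) suffixes."""
    suffixes = sum(10 ** k for k in range(1, max_digits + 1))
    return wordlist_size * suffixes


def mangle(word, max_digits=2):
    """Yield candidates the way users build them: Word + 0..9, Word + 00..99."""
    base = word[:1].upper() + word[1:].lower()
    for k in range(1, max_digits + 1):
        for n in range(10 ** k):
            yield base + str(n).zfill(k)


def crack(target_hash, wordlist, max_digits=2):
    """Dictionary + rule attack against an unsalted SHA-256 (stand-in for a
    fast hash from a leaked database).  Returns (password, candidates_tried)."""
    tried = 0
    for word in wordlist:
        for cand in mangle(word, max_digits):
            if not meets_policy(cand):
                continue          # the policy would have rejected it; skip it
            tried += 1
            if hashlib.sha256(cand.encode()).hexdigest() == target_hash:
                return cand, tried
    return None, tried


# Constructed inputs for the example.
WORDLIST = ["summer", "winter", "welcome", "password", "dragon", "monkey"]
TARGET = hashlib.sha256(b"Welcome19").hexdigest()

if __name__ == "__main__":
    print("nominal 8-char alphanumeric keyspace:", nominal_keyspace())
    print("pattern keyspace with a 100k wordlist:", pattern_keyspace(100_000))
    print("cracked:", crack(TARGET, WORDLIST))
```

The policy filter in `crack` is the attacker’s friend, not the defender’s: every candidate the policy would reject is one the attacker never has to hash. With a 100,000-word list the pattern search is about eleven million candidates against a nominal 62^8 (roughly 2.2 x 10^14), and the constructed target falls after 230 policy-compliant guesses.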

Author: Victoria