World Password Day: Passwords under massive attack

The first Thursday in May is World Password Day. Passwords on their own are so insecure that one wonders why the day still exists.

Stylized graphic: a lock with biometric keys

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

Every first Thursday in May is World Password Day. Time to take a look at the current state of affairs. In a nutshell: it doesn't look good, but solutions exist; they just need to be used.

Accounts that are secured only with a user name and password are now considered to be massively at risk. Without further measures, capturing these two pieces of data is enough to gain access to a service or online offering. Everyday phishing attacks prove that there is still plenty of potential for cyber criminals to enrich themselves fraudulently.

Access data captured in data leaks and in data dumps from the digital underground is often somewhat outdated. In many cases, the passwords no longer match the user names, for example because the users changed them after the data leak became known. There is nevertheless a noticeable trend for cyber criminals to try to exploit this data anyway. Over the past twelve months, we have frequently reported on so-called credential stuffing attacks. Most recently, in March and April, attackers tried, and are still trying, to combine known user names with various passwords in order to gain unauthorized access to services and online offerings. This week, for example, the identity verification service provider Okta warned of a massive increase in the number of such attacks. The attackers were also hiding behind residential proxies, i.e. anonymously redirecting their internet traffic via third-party computers.

If access can only be protected with a user name and password, passwords should be as long as possible and unique for each service. The use of a password manager is therefore still advisable: it helps with the automatic creation of long, random passwords and also remembers them for the user. To help sloppy manufacturers along, the British government has now even passed a law banning devices with weak passwords – hopefully the death knell for the infamous "admin/admin" combination.

If the service in question supports it, users should definitely enable multi-factor authentication. Before letting the user in, the software then requires a fingerprint or a short-lived PIN, for example. However, biometric access protection, which is considered quite secure, is particularly difficult to implement for web services – a situation that passkeys aim to solve.

Passkeys can now also be managed with most password managers. Together with the WebAuthn standard, they have been under development for some time, but it is only since the last World Password Day that Google, for example, has offered this mechanism at all. Apple and Microsoft have also only been offering it to all users since last year.

For those interested, c't has explained in detail how passkeys work. A device is authenticated against a service; the secret private key is stored only locally and never leaves the device. After the user enters a PIN or confirms with a fingerprint or by smiling at the camera, the device confirms to the service that it belongs to the genuine owner of the account: phishing no longer stands a chance.
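To make the phishing claim concrete, here is an added example in Go (not code from c't or heise) that models a WebAuthn passkey assertion: the service stores only the public key, issues a fresh challenge per login, and checks the origin the browser recorded before it checks the signature. The relying-party origin, rpId, phishing origin and challenge are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
)

// clientData holds the fields of WebAuthn's clientDataJSON that matter here.
type clientData struct{ Type, Challenge, Origin string }
// Assertion is what the relying party receives back from the browser.
type Assertion struct{ ClientDataJSON, AuthData, Signature []byte }

// Sign models the authenticator: the private key never leaves it, and the browser (not the user) fills in the origin it is actually connected to.
func Sign(priv ed25519.PrivateKey, challenge, browserOrigin string) Assertion {
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, browserOrigin})
	rpIDHash := sha256.Sum256([]byte("login.example.test")) // constructed rpId; stands in for authenticatorData
	cdHash := sha256.Sum256(cd)
	msg := append(rpIDHash[:], cdHash[:]...) // signed message = authenticatorData || SHA-256(clientDataJSON)
	return Assertion{cd, rpIDHash[:], ed25519.Sign(priv, msg)}
}

// Verify models the relying party: challenge and origin are checked before the signature,
// so an assertion collected on a look-alike site is rejected even though its signature is valid.
func Verify(pub ed25519.PublicKey, challenge, origin string, a Assertion) bool {
	var cd clientData
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != origin {
		return false
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := append(append([]byte{}, a.AuthData...), cdHash[:]...)
	return ed25519.Verify(pub, msg, a.Signature)
}

// Demo runs one genuine login and one relayed through a phishing origin; returns (genuine accepted, phished accepted).
func Demo() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // registration: the service keeps only pub
	const site = "https://login.example.test"        // constructed relying-party origin
	b := make([]byte, 32)
	rand.Read(b)
	challenge := base64.RawURLEncoding.EncodeToString(b) // fresh per login attempt
	genuine := Verify(pub, challenge, site, Sign(priv, challenge, site))
	// A phishing page relays the real challenge, but the browser stamps the origin the victim is really on.
	phished := Verify(pub, challenge, site, Sign(priv, challenge, "https://login.example-test.evil"))
	return genuine, phished
}
```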

With passkeys, a device may be lost or break. In that case, the passkey is lost too. A backup passkey should therefore always be created. A FIDO2 security key - a small USB dongle - can be used for this purpose. We have taken a closer look at the Token2 T2F2-PIN+ Release2 and are quite impressed with it so far. Google also offers FIDO2 sticks, for example the Titan security key. However, the passkeys on them cannot be managed, which can make them very difficult to use.

The situation has hardly changed since the last World Password Day in 2023. However, we have observed more data theft and, for example, more sales of captured access data on the darknet. Cyber criminals now seem to be focusing on harvesting these data records. They use them to try to break into accounts directly or to carry out even more targeted phishing. Multi-factor authentication and passkeys offer better protection.

(dmk)