Enhanced password security crucial in the wake of data breaches

Dec. 23, 2024
Even as cyber threats grow complex, consistent execution of simple, common-sense security practices remains our strongest defense.

Although password-based credentials have always been popular attack vectors, they’ve become even more enticing targets due to the emergence of cybercrime marketplaces and Malware-as-a-Service (MaaS). As a result, threat actors no longer need to depend on outdated password-cracking techniques, as 2024’s Snowflake breach showed.

In early 2024, cybercriminals used infostealers to extract the credentials of Snowflake users who had set up only single-factor authentication for their production accounts.

The hackers then leveraged these stolen credentials to pilfer over 560 million customer records linked to organizations like AT&T, LendingTree, Ticketmaster, and Santander Bank.

This shows us that as cybercriminals continue to evolve their tactics, old static password management techniques cannot sufficiently address current and future exploits. Hence, there is a need for more adaptive and dynamic measures.

Analyzing the Aftermath of Data Breaches

In 2024, the global average lifecycle of a data breach shrank to 258 days, a seven-year record low that signifies hope in the war against digital crime. However, this could also mean that cybercriminals are simply more efficient at doing damage, even though the breaches themselves are easier to uncover.

Thus, it’s important to grasp the data breach lifecycle. Of course, every attack is different, both in its approach and its consequences, but experts generally agree on the following nine stages:

  1. Initial breach: A threat actor uses an exploit to gain unauthorized entry into a network, database, or server.
  2. Discovery and investigation: The breach is detected, and the organization or its designated stakeholder launches an investigation.
  3. Containment: After the investigation determines the scope and impact of the breach, the organization contains the violation and prevents further unauthorized access. 
  4. Alerts and notifications: Per Article 33 of the GDPR, the organization informs all affected parties and the relevant supervisory authorities.
  5. Remediation: The organization applies necessary amendments to address the threat vectors that led to the breach. This can include software updates, revising security protocols, and enforcing additional security measures.
  6. Recovery: The organization restores all systems to working order.
  7. Post-breach analysis: The organization performs a final analysis to understand the breach and prevent future incidents. 
  8. Legal and regulatory actions: The breach may result in legal and regulatory consequences that the organization must address. 
  9. Reputation management: The organization takes the necessary steps to mend its reputation and rebuild stakeholder trust.

The period during which the exposed digital assets are most vulnerable falls between the initial breach and the organization’s awareness that it has been hacked. By reducing this vulnerability window, you can shorten the overall lifespan of the data breach and minimize its impact.

It is important to note that the organizations that achieved short vulnerability windows (and so reduced the global average data breach cycle) were not relying on traditional means. This confirms that some of these old-hat response mechanisms are obsolete and makes a case for overhauling password management.

Sophisticated Password Management Frameworks

Over the last few years, we’ve seen the introduction of a new generation of password-hashing algorithms such as Argon2 and scrypt. These algorithms were designed to resist GPU-based attacks and large-scale custom-hardware attacks.

Scrypt is especially useful against attacks that use application-specific integrated circuits (ASICs) and field-programmable gate arrays (FPGAs). Although these algorithms are resource-intensive by design, they are easy to integrate into databases and applications.

Advanced Salting and Peppering Techniques

Another way organizations can further secure sensitive customer data is by using advanced salting and peppering techniques. These techniques programmatically add secret values or characters (a per-user salt, and a pepper kept outside the database) to passwords before they are hashed and stored. Thus, even if a bad actor manages to obtain the stored password hashes, the passwords remain obfuscated and cannot be cracked without the pepper.

Bcrypt is an example of a highly adaptive algorithm that combines hashing with salting. It is effective against rainbow-table attacks.

These techniques aren’t foolproof. They are ultimately designed to slow password cracking down and buy time after a breach. Password managers are still worth using as part of your personal or organizational security arsenal. However, they must have ample features to ensure the safety of your passwords.
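As an added example (not code from the original article), the following Python shows the combination described in the two sections above: a memory-hard KDF (scrypt from the standard library) with a random per-user salt stored beside the hash, and a server-side pepper that is bound to the password with HMAC before the KDF runs. The pepper value and the cost parameters are constructed placeholders for illustration.

```python
import hashlib
import hmac
import os

# Constructed example value: in practice the pepper lives in a secrets manager,
# HSM or environment variable, never in the database next to the hashes.
PEPPER = b"example-pepper-keep-this-out-of-the-database"

# scrypt cost parameters (assumed illustrative values; tune to your hardware budget)
SCRYPT_N = 2 ** 14              # CPU/memory cost, must be a power of two
SCRYPT_R = 8                    # block size
SCRYPT_P = 1                    # parallelization factor
SCRYPT_MAXMEM = 64 * 1024 * 1024
DKLEN = 32


def _pepper(password: str, pepper: bytes) -> bytes:
    """Bind the server-side pepper to the password with HMAC before the KDF runs."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Return a self-describing record: algorithm, cost parameters, per-user salt, digest."""
    salt = os.urandom(16)  # a fresh random salt per password defeats rainbow tables
    digest = hashlib.scrypt(
        _pepper(password, pepper), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=DKLEN,
    )
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        if len(expected) < 16:
            return False
        candidate = hashlib.scrypt(
            _pepper(password, pepper), salt=salt,
            n=int(n), r=int(r), p=int(p), maxmem=SCRYPT_MAXMEM, dklen=len(expected),
        )
    except ValueError:
        return False  # malformed record: a failed login, never a crash
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))                   # True
    print(verify_password("correct horse battery staple", record, pepper=b"wrong"))  # False
```

The last call shows the point of the pepper: a database dump alone is not enough to verify guesses, because the HMAC input depends on a secret the attacker did not get. The record format is deliberately self-describing so the cost parameters can be raised later without invalidating existing users.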

Decentralized Authentication: Promising Solution or Smoke and Mirrors?

Decentralized authentication introduces a new paradigm to user credential management. Users manage their sensitive data as opposed to a single vendor or company doing it.

Most current decentralized authentication systems leverage distributed databases and public ledger systems such as blockchains. These systems can lend themselves well to fulfilling Zero Trust requirements.

For instance, users can perform zero-knowledge proofs with them, allowing a verifier to validate answers to security questions without the underlying data being revealed. Because decentralized authentication systems can be accessed from many different systems, they are far more conducive to cross-platform integration than other approaches.
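The zero-knowledge exchange mentioned above, as an added example that is not part of the original article: a Schnorr-style proof of knowledge in which the prover demonstrates knowledge of a secret derived from a security answer, while the verifier only ever stores and sees the public value y = g^x. The group is generated at runtime with a 128-bit safe prime so the example runs quickly; that size, the generator choice and the answer-normalization rule are assumptions for illustration, not parameters any real system uses.

```python
import hashlib
import secrets
from dataclasses import dataclass

_SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                 53, 59, 61, 67, 71, 73, 79, 83, 89, 97)


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test with a small-prime prefilter."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass(frozen=True)
class Group:
    p: int  # safe prime, p = 2q + 1
    q: int  # prime order of the subgroup we work in
    g: int  # generator of that subgroup


def generate_group(bits: int = 128) -> Group:
    """Find a safe prime p = 2q + 1. g = 4 is a quadratic residue, so its order is q.
    128 bits keeps the example fast; real deployments use 2048+ bits or an elliptic curve."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if not _is_probable_prime(q, rounds=4):
            continue
        p = 2 * q + 1
        if _is_probable_prime(p) and _is_probable_prime(q):
            return Group(p=p, q=q, g=4)


def secret_from_answer(answer: str, group: Group) -> int:
    """Derive the prover's secret x from a security answer (case/whitespace-normalized)."""
    normalized = " ".join(answer.strip().lower().split())
    digest = hashlib.sha256(normalized.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (group.q - 1) + 1   # never zero


def enroll(answer: str, group: Group) -> int:
    """Enrollment: the verifier records only y = g^x, never the answer or x."""
    return pow(group.g, secret_from_answer(answer, group), group.p)


def prover_commit(group: Group) -> tuple[int, int]:
    """Message 1 (prover -> verifier): commitment R = g^k for a fresh random k."""
    k = secrets.randbelow(group.q - 1) + 1
    return k, pow(group.g, k, group.p)


def verifier_challenge(group: Group) -> int:
    """Message 2 (verifier -> prover): a non-zero random challenge."""
    return secrets.randbelow(group.q - 1) + 1   # c = 0 would let any response pass


def prover_respond(group: Group, k: int, x: int, c: int) -> int:
    """Message 3 (prover -> verifier): s = k + c*x mod q reveals nothing about x alone."""
    return (k + c * x) % group.q


def verifier_check(group: Group, y: int, commitment: int, c: int, s: int) -> bool:
    """Accept iff g^s == R * y^c, which holds exactly when the prover used the right x."""
    return pow(group.g, s, group.p) == (commitment * pow(y, c, group.p)) % group.p


def authenticate(group: Group, y: int, x: int) -> bool:
    """Run one round of the three-message exchange and return the verifier's decision."""
    k, commitment = prover_commit(group)
    c = verifier_challenge(group)
    s = prover_respond(group, k, x, c)
    return verifier_check(group, y, commitment, c, s)


if __name__ == "__main__":
    G = generate_group()
    y = enroll("Fluffy", G)
    print(authenticate(G, y, secret_from_answer("fluffy", G)))  # True
    print(authenticate(G, y, secret_from_answer("Rex", G)))     # False
```

One caveat a practitioner should keep in mind: the proof protects the answer in transit and from the verifier, but a secret derived from a low-entropy answer can still be brute-forced offline by anyone holding y. In practice x should be a high-entropy key held in the user's wallet or device, with the security answer at most unlocking that key locally.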

Decentralized authentication systems can take some of the security off the shoulders of companies, IT security teams, and software developers. Most of the time, despite all the users’ faults, the burden of responsibility falls upon the developer—whether they use the right tools to test their app, whether their software partners are compliant with relevant security postulates, and what proactive steps they are taking to prevent phishing attacks.

Decentralized authentication shifts this. Instead of a single point of failure that the developer or company supervises, users are completely responsible for their data on a system that renders them anonymous. It’s a win-win. 

Leveraging Behavioral Biometrics for Security Enhancements

Many organizations have begun to use behavioral biometrics either as an additional layer of authentication or as a complete replacement for passwords.

Behavioral biometrics are safer than passwords because they identify people by their unique physical traits and movement patterns. Biometrics isn’t a new concept.

Whereas traditional biometrics use static physical features such as facial recognition, iris scans, and fingerprints, behavioral biometrics use more subtle and nuanced cues. These cues can be any combination of how users move their mouse, the sound of their voice, their strides, their posture, and so on.

Strategic Implementation of Advanced Security Protocols

Businesses should integrate advanced password security using adaptive complexity requirements, passwordless options like biometrics, and multi-factor authentication (MFA).

At the same time, you should encourage measures beyond password manager use and educate employees on phishing risks to reduce human error and enhance overall security awareness.

For risk assessment and mitigation, adopt a Zero Trust model, conduct continuous threat modeling and penetration testing, implement layered security defenses, and use automated responses to manage incidents. To fully benefit from Zero Trust, you must:

  • Use adaptive password complexity based on user behavior.
  • Implement passwordless authentication, such as biometrics.
  • Ensure MFA for critical systems with adaptive requirements.
  • Encourage the use of password managers.
  • Regularly conduct threat modeling and penetration testing.
  • Implement Zero Trust to verify all access attempts.
  • Deploy automated incident response systems.

Future Trends in Password Security and Authentication

Every positive advancement in computing can be repurposed for nefarious uses. For instance, quantum computers can break many of the encryption algorithms we have in place. The National Institute of Standards and Technology (NIST) has worked on quantum-resistant algorithms to combat this.

AI-driven threat detection and machine learning systems can quickly compile databases of exposed passwords. These, in turn, supply password management and security systems with up-to-date lists of weak or compromised passwords.
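How a password-management or registration system consumes such a compromised-password list, as an added example that is not from the original article: the check is done with a k-anonymity range query, so the client reveals only the first five hex characters of the SHA-1 hash and matches the rest locally. The breach corpus, its counts and the screening rules are constructed for illustration; the length rule follows the spirit of NIST SP 800-63B, which asks for length and a compromised-list check rather than composition rules.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus of exposed passwords with breach counts (illustrative only).
SAMPLE_BREACH_CORPUS = {
    "password": 9_000_000,
    "123456": 37_000_000,
    "qwerty": 4_000_000,
    "letmein": 300_000,
    "Summer2024!": 1_200,
}


def build_range_index(corpus: dict[str, int]) -> dict[str, dict[str, int]]:
    """Index SHA-1 hashes by their 5-hex-character prefix, as a range-query service would."""
    index: dict[str, dict[str, int]] = defaultdict(dict)
    for pw, count in corpus.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index[digest[:5]][digest[5:]] = count
    return index


def range_query(index: dict[str, dict[str, int]], prefix: str) -> dict[str, int]:
    """Server side: return every suffix under the prefix; it never learns the full hash."""
    return dict(index.get(prefix.upper(), {}))


def breach_count(password: str, index: dict[str, dict[str, int]]) -> int:
    """Client side: send only the prefix, then match the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    suffixes = range_query(index, digest[:5])
    return suffixes.get(digest[5:], 0)


def evaluate_password(password: str, index: dict[str, dict[str, int]],
                      min_length: int = 8) -> list[str]:
    """Screening rules: a minimum length plus the compromised-list check; empty list = accept."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    count = breach_count(password, index)
    if count:
        problems.append(f"found in breach corpus {count} times")
    return problems


if __name__ == "__main__":
    idx = build_range_index(SAMPLE_BREACH_CORPUS)
    for candidate in ("password", "qwerty", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate, idx) or "accepted")
```

Because the index is keyed by prefix, a production service answers the same query for every password sharing those five characters, which is what keeps the lookup from leaking the password being tested. The counts matter too: a policy can reject anything seen in a breach at all, or only above a threshold, depending on the system's risk appetite.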

As the network and cybersecurity landscape evolves, how quickly and efficiently organizations can respond to attacks and comply with data protection regulations will take center stage.

Conclusion

Targeted campaigns and data breaches can have a cascading effect. They thrive on the carelessness and ineffectiveness of their marks and can be hard to stop once they gain momentum.

Despite bad actors adopting increasingly sophisticated methods to infiltrate networks and steal data, protecting ourselves still mainly involves consistently executing simple, common-sense security protocols and practices: using strong, unique passwords, implementing multi-factor authentication, avoiding password sharing, and so on.

However, protecting ourselves from the next generation of digital threats will require more than this. Cybersecurity professionals must be proactive in their development of new approaches to digital security. Essentially, we must continue to stay vigilant, informed, and adaptive.

About the Author

Isla Sibanda

Isla Sibanda is an ethical hacker and cybersecurity specialist based in Pretoria. For over twelve years, she's worked as a cybersecurity analyst and penetration testing specialist for several reputable companies, including Standard Bank Group, CipherWave, and Axxess.