Passwords are a government security nightmare

By John Hertrich, CEO at Identité - June 12, 2020

Source: GCN

The Small Business Administration blamed an internal error for its recent leak of at least 8,000 Economic Injury Disaster Loan applications. Whether or not a “glitch” is to blame (many officials doubt that it is), this latest headline-making blunder reminds government agencies to review how they’re preventing sensitive data from ending up in the wrong hands.

Such news stories attract hackers to government agencies like moths to a flame; they tip attackers off to which agencies are likely still using antiquated techniques to protect their treasure trove of Social Security numbers, employee credentials, tax IDs and more. Hackers also know that agencies have been forced to quickly shift to remote work during this global pandemic and are scrambling to maintain security in a new, complex environment.

There’s a simple security measure that could take phishing attacks out of the equation and remove one of hackers’ most useful tools: getting rid of passwords.

Given the number of breaches due to password theft, it’s a wonder agencies are still using passwords despite their high risk exposure. According to research from Verizon, over 80% of all data breaches involve stolen passwords, so it is time to stop pretending passwords are still an effective security measure.

Employee risk factors

Nearly 90% of successful data exfiltrations and breaches in the federal government over the past few years were the result of phishing attacks, according to the director of the National Counterintelligence and Security Center. This is an even bigger threat as government employees working remotely are downloading new tools daily and accessing various networks. In a work-from-home (WFH) environment, security and IT teams have very little control or oversight. While it’s tempting to believe everyone is following exemplary security practices, the reality is that government employees are reusing passwords just like everyone else.

This means that passwords used for sensitive government activities may also be used on consumer sites at risk of being hacked. Recent breaches at HomeChef and EasyJet put consumer login information at risk, but it’s the breaches that haven’t been publicized that place users at greater risk. With the average person reusing their favorite password at least 14 times, it’s easy to do the math and see the size of this risk.

Passwords are a liability

Of course, it’s users’ responsibility to keep the password to themselves. For a password to work, however, organizations must know the password to verify it. This is typically done in a secure database known as a credential vault. Just as criminals rob banks because that is where the money is, hackers break into credential vaults because that’s where all the passwords are. This makes the use of passwords a liability to the organizations that use them to secure critical data.
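As an added example (not from the article, and not code from Identité), here is the minimal shape of a credential store that verifies a password without keeping the password itself: each record holds a random salt and the output of a slow key-derivation function, and verification recomputes and compares in constant time. The work factor, user name and passwords below are constructed for the example. The last function shows why the author's point still holds even for a well-built store: a stolen record lets a thief test guesses offline, one KDF run per guess, so a leaked store has to be treated as a breach.

```python
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Work factor for PBKDF2-HMAC-SHA256. Constructed for this example; a real
# deployment tunes it upward as hardware gets faster.
ITERATIONS = 210_000


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Build the stored credential record.

    The plaintext password is never stored; only a fresh random salt and the
    key derived from (salt, password) are kept.
    """
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return {
        "kdf": "pbkdf2-sha256",
        "iterations": iterations,
        "salt": base64.b64encode(salt).decode("ascii"),
        "hash": base64.b64encode(derived).decode("ascii"),
    }


def verify(record: dict, candidate: str) -> bool:
    """Recompute the derivation for the candidate and compare in constant time."""
    salt = base64.b64decode(record["salt"])
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(derived, base64.b64decode(record["hash"]))


def salted_records_differ(password: str, iterations: int = ITERATIONS) -> bool:
    """Two records for the same password get different salts, so the store
    itself does not reveal that one user (or two users) reused a password."""
    a = make_record(password, iterations)
    b = make_record(password, iterations)
    return a["hash"] != b["hash"] and verify(a, password) and verify(b, password)


def offline_guess_risk(record: dict, guesses: Iterable[str]) -> Optional[str]:
    """Illustrates the exposure a leaked record creates: whoever holds it can
    test candidates without ever contacting the server, paying one full KDF
    run per candidate. Returns the matching guess if the password is weak
    enough to appear in the list, else None."""
    for guess in guesses:
        if verify(record, guess):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample user and password.
    vault = {"jdoe": make_record("correct horse battery")}
    print("login ok:", verify(vault["jdoe"], "correct horse battery"))
    print("wrong password rejected:", not verify(vault["jdoe"], "hunter2"))
    print("plaintext absent from record:",
          "correct horse battery" not in vault["jdoe"].values())
```

The salt is what keeps the record from doubling as a reuse detector, and the iteration count is what makes each offline guess cost the thief real CPU time; neither removes the exposure, which is the liability the author describes.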

Hackers seek out passwords

Hackers can often take advantage of poor security settings and compromise the credential vault that stores all of a network’s usernames and passwords. More often than not, however, all hackers really have to do is send users an email tricking them into giving up their password. In 2018, the Defense Information Systems Agency reported that the Defense Department had fended off 36 million malicious emails from hackers containing phishing schemes, malware and viruses. With one simple click of a link in an email, users are whisked away to a site that looks just like a page they are familiar with, and in seconds they can share critical login credentials.

If this seems too easy, there are a host of other, far more sophisticated schemes in hackers’ tool chest, including keystroke loggers, spyware and mobile malware. Passwords were supposed to be a secret; the ease with which they can be captured is a good reason why they are not working.

There are other options

Is there something better than passwords for gover