Detect Compromised Credentials
We have been promoting our initiative "Goodbye password – The future of login" for quite some time now.
We would like to take this up again in this blog post and highlight the advantages of password-less authentication procedures.
But let us start from the beginning. At the end of July we first published an article on the three most common hacker attacks: https://www.cidaas.com/blog-en/identity-theft-hacker-attacks/ and at the end of August an article explaining why 4 out of 5 data breaches are related to weak or stolen passwords: https://www.cidaas.com/blog-en/world-wide-4-out-of-5-data-breaches-arise-from-weak-or-stolen-passwords/.
Both articles point to a problem inherent in any secret: given enough attempts, it can be guessed by simple trial and error.
So far this problem has been addressed in two ways: firstly by preventing, or at least slowing down, brute-force attacks, and secondly by requiring a correspondingly high password strength. As a short example, a password of 6 lower-case letters (26 letters, without äöü and ß), e.g. secret, yields 26^6 possible different passwords. If the required strength is raised to 12 characters drawn from upper- and lower-case letters (without äöü and ß), the 10 digits and 10 special characters (e.g. !, @, #, $, %, ^, &, ?, / and +), e.g. Geh3imn1ss!2, there are 72^12 possible different passwords. This makes it much harder for an attacker to guess the password.
However, now we arrive at the real problem with secrets: the human being. As humans, we do not use randomly chosen combinations of numbers and characters. We follow certain patterns and use certain variations to create passwords that are "easier" for us to remember while still complying with the password guidelines of digital portals, as in the example above, Geh3imn1ss!2. As a result, we often use one and the same password, an extension of it, or a small variation of it. And that makes things easier for the attacker, who does not have to search the entire space of 72^12 candidates but can explore it in a structured way using models, patterns and, above all, passwords that have already been stolen.
How can this problem be solved? – The answer is you cannot!
Simply asking users to choose secure passwords, and a completely different one for each portal, does not mean they do so. Studies give a wide range of figures for the number of identities or accounts users hold on digital portals, from 30 to well over 100; the magnitude alone shows that users have many accounts and cannot remember a different password for each of them.
As the traditional login is common practice for many people and will continue to be so for some time to come, we are working continuously to increase the security of the existing authentication with passwords. We are also pleased to announce the new cidaas feature Compromised Credentials Detection, which has been in beta testing since this week. With our new feature, we offer the possibility to check users’ passwords against already stolen passwords. By integrating this feature into the registration process, or the password change/forgotten process, users can be notified that their chosen password has been cracked several times or has appeared in stolen password records. In this way, we help users to choose secure passwords that hackers cannot easily guess by using stolen data sets.
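The check described above, as an added illustration that is not cidaas code: the client hashes the candidate password locally, sends only a short hash prefix to a lookup service (so the password itself never leaves the client), compares the returned suffixes locally, and a registration or password-change hook rejects any password found in the leaked-password corpus. The breach corpus, the prefix length of 5 hex characters and the `range_lookup` endpoint are constructed assumptions for this example.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed breach corpus (made-up counts, not a real data set): password -> times seen.
# A real service would store only hashes of leaked passwords, never the plaintext.
_CONSTRUCTED_BREACH = {
    "secret": 1_200_000,
    "Geh3imn1ss!2": 3,
    "password1": 5_400_000,
}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Server-side index: 5-hex-char prefix -> list of (remaining 35 chars, breach count).
BREACH_INDEX: Dict[str, List[Tuple[str, int]]] = {}
for _pw, _n in _CONSTRUCTED_BREACH.items():
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], []).append((_h[5:], _n))

def range_lookup(prefix: str) -> List[Tuple[str, int]]:
    """Simulated lookup endpoint (assumed, not a real API): receives only the
    5-character prefix and returns every known suffix sharing it, with its count.
    Many hashes share a prefix, so the service cannot tell which one was queried."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return BREACH_INDEX.get(prefix.upper(), [])

def compromised_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, compare suffixes locally.
    Returns how often the password appeared in the breach corpus (0 = not found)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_lookup(prefix):
        if candidate_suffix == suffix:
            return count
    return 0

def registration_decision(password: str, reject_threshold: int = 1) -> str:
    """Policy hook for registration or password change: reject a password that
    has been seen in leaked data at least reject_threshold times."""
    n = compromised_count(password)
    if n >= reject_threshold:
        return f"reject: password seen {n} times in leaked data sets"
    return "accept"

if __name__ == "__main__":
    for pw in ("secret", "Geh3imn1ss!2", "xq7!Lm29#pRt"):
        print(pw, "->", registration_decision(pw))
```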
Let us think one step further. Besides memory, an even more important human criterion comes into play: user convenience. Today, users seek and demand the best possible user experience and punish providers of digital services by not using them if it is not offered, be it a shop where the purchase is abandoned in favour of another provider because the registration form is too long, or an app where the user does not stay logged in or cannot simply authenticate with the device biometrics but has to deal with a traditional username and password login.
These are all indicators that the life cycle of the password for the general public is coming to an end in the foreseeable future. At the same time, more and more password-free alternatives are opening up that let users authenticate securely and conveniently. We at cidaas want to further promote password-less authentication and have therefore launched the initiative www.tschuesspasswort.de.
To increase security further, multi-factor authentication methods can be integrated into the login process. To enhance convenience, a risk-based multi-factor authentication system is suitable, with which multi-factor authentication is only requested if there is a suspicion of identity theft or if there is an increased risk.
We are delighted to offer our customers a competitive advantage in terms of security and convenience with the password-less authentication procedures.