On World Password Day, we have the opportunity to reflect on how we use passwords to protect our business and personal data. LastPass is marking the occasion a little differently this year by calling out World Password(less) Day in recognition of our passwordless future.
Following up on our last post, which chronicled the rich history of passwords, we are now fast-forwarding to the present day. Here's a look at the current state of password security, today's password security threats, and how our bad password habits make it harder to secure our digital lives. We'll also look ahead to the next chapter of password history: the fast-approaching passwordless era.
The current state of password security
Passwords may seem to have remained largely unchanged since the 1960s, but that's not exactly the case. As cyber attacks have become more sophisticated and serious in recent decades, password security has gradually evolved behind the scenes to ramp up its defenses in response. For starters, many of us now use password managers to securely store and manage all of our passwords instead of trying to keep track of them manually, and layer multi-factor authentication on top. Plus, the best password managers encrypt your passwords so that, even if a hacker were to somehow obtain a copy of your vault, its contents would be unreadable without the key.
If you use a password manager, then you already know it's critical to keep your vault as secure as possible. This is why LastPass uses the Password-Based Key Derivation Function 2 (PBKDF2) to turn your master password (a passphrase, for example) into the encryption key to your vault (a fixed-length string of bytes that looks like random numbers and letters). PBKDF2 is a hashing-based key derivation function, not an encryption algorithm: it combines your master password with a salt (random data mixed into the input so that two users with the same password get different keys and precomputed tables are useless) and repeats the hash 600,000 or more times to produce the encryption key. One additional round of PBKDF2 is then applied to that key to produce the value that is sent to LastPass to authenticate you, so the encryption key itself stays on your device. By choosing to increase the number of rounds (password iterations) used in this process, you or your IT colleagues can make it proportionally harder for attackers to brute-force your master password, because every extra round is extra work for each guess they try. This way, even as computers become faster, you can keep raising the cost of an attack to keep pace with growing cyber threats.
Today's password security threats
Cyber criminals have plenty of ways to compromise our passwords, break into our online accounts, and wreak havoc from there. Here are just a few of the techniques they use:
- Brute force attacks aren't particularly sophisticated, but they still work, especially if you haven't set strong or complex passwords on all of your accounts. Malicious actors use automated tools to guess or crack a target's password, for example by running through every word in a dictionary (plus common variations) until one matches. Against a stolen password hash this guessing runs offline at the speed of the attacker's hardware, which is exactly why slow, iterated hashing of the master password matters.
- Social engineering attacks, such as phishing, prey on human emotions in an attempt to get you to voluntarily give up personal or business data (for example, by entering login credentials on a website that only looks legitimate).
- Credential stuffing attacks leverage stolen credentials that the cyber criminals have already pilfered themselves or purchased on the dark web. Once they have one of your passwords, these bad actors try it against your other accounts, typically with automated tooling across many sites at once. If you reuse the same password for multiple online accounts, you are especially at risk from this form of attack. This is why you should never reuse passwords, and above all never reuse the master password to your vault anywhere else.
- Keylogger attacks happen when a cyber attacker installs spyware on your computer or mobile device that records every keystroke you enter, scooping up your passwords so they can break into one or more of your accounts. Because a keylogger is malware running on your device, the defenses are keeping the device patched, not installing software from untrusted sources, and enabling multi-factor authentication so a captured password alone is not enough; letting your password manager autofill credentials also reduces how much a keylogger can capture, though it does not remove the risk.
- Shoulder surfing attacks can take place when someone in the real world is in a position to see your device's screen or keyboard as you log into one of your online accounts. If a savvy enough fraudster can make out the password as you're typing it, they may be able to log in as you without your knowledge.
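To make the PBKDF2 discussion above and the brute force entry in this list concrete, here is an added Python example. It is not LastPass code: the iteration count follows the page's "600,000 or more", but the choice of HMAC-SHA256 as the PBKDF2 hash, the 32-byte key length, the salt handling and the toy wordlist are assumptions made for the illustration. It derives a vault key from a master password and salt, applies the single extra round that yields the login value, and then runs an offline dictionary attack against that login value while counting the hash work, which is where the iteration count shows up as the attacker's cost.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Added example, not LastPass's implementation. The PRF, key length and
# salt handling below are assumptions for illustration.
PRF = "sha256"
KEY_LEN = 32
DEFAULT_ITERATIONS = 600_000  # the page's "600,000 or more" rounds


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Stretch the master password into the vault encryption key with PBKDF2.

    The salt makes identical passwords derive different keys, so precomputed
    tables are useless; the iteration count sets the work an attacker pays
    for every single guess."""
    return hashlib.pbkdf2_hmac(PRF, master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def derive_login_hash(vault_key: bytes, salt: bytes) -> bytes:
    """One more PBKDF2 round over the vault key gives the value that is sent
    to the server for authentication, so the key itself stays on the client."""
    return hashlib.pbkdf2_hmac(PRF, vault_key, salt, 1, dklen=KEY_LEN)


def dictionary_attack(login_hash: bytes, salt: bytes, wordlist: List[str],
                      iterations: int) -> Tuple[Optional[str], int]:
    """Offline dictionary attack against a stolen login hash.

    Returns (recovered password or None, approximate number of HMAC
    evaluations spent). With a 32-byte output and SHA-256, each PBKDF2
    derivation costs about `iterations` HMAC calls, plus one for the extra
    login round, so raising the iteration count scales the bill directly."""
    hmac_calls = 0
    for guess in wordlist:
        candidate_key = derive_vault_key(guess, salt, iterations)
        candidate_hash = derive_login_hash(candidate_key, salt)
        hmac_calls += iterations + 1
        # Constant-time comparison; an attacker need not bother, a server must.
        if hmac.compare_digest(candidate_hash, login_hash):
            return guess, hmac_calls
    return None, hmac_calls


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    # Low iteration count so the demo finishes instantly; a real vault uses 600,000+.
    demo_iterations = 1_000
    vault_key = derive_vault_key("correct horse battery staple", salt, demo_iterations)
    stolen_login_hash = derive_login_hash(vault_key, salt)
    # Constructed wordlist; the real master passphrase is the third entry.
    wordlist = ["password", "letmein", "correct horse battery staple"]
    found, cost = dictionary_attack(stolen_login_hash, salt, wordlist, demo_iterations)
    print(f"recovered={found!r} after about {cost} HMAC evaluations")
    print(f"at {DEFAULT_ITERATIONS} rounds the same three guesses would cost about "
          f"{len(wordlist) * (DEFAULT_ITERATIONS + 1)} HMAC evaluations")
```

The attack succeeds here only because the passphrase is in the wordlist; the point of the counter is that each guess at 600,000 rounds costs 600 times what it costs at 1,000 rounds, so a user-chosen increase in iterations translates one-for-one into attacker work, while a strong, unique master password keeps the number of guesses needed astronomically large in the first place.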