There are several reasons why authentication using a username and password is insecure. The turn towards passwordless forms of authentication speaks to the vulnerability and permeability of password-based authentication. Often, exploits related to passwords stem from users’ poor password practices—though this isn’t always the case.
Let’s explore exactly why passwords are insecure.
Using the Same Username
Usernames are often common or shared publicly, meaning they have little security value. For example, someone’s social media handle could be the same username they use across different platforms and services.
Using Repeated Passwords
People tend to use the same password to protect many online accounts. Some users even use the same password to secure their personal and work accounts. If a hacker successfully compromises a frequently used password, they can gain broad access to all the resources the password protects.
Keeping the Default Password
Many people don’t change the default password when installing new devices, such as home routers and other Internet of things (IoT) devices. Maintaining these default passwords makes it easy for hackers to gain unauthorized access quickly.
Employees tend to share their passwords to access common services in work environments. For example, you may share your access to a specific cloud application with other individuals in your organization. While this may seem like an easy method of ensuring everyone can access the resources they need, sharing passwords makes it impossible for IT to know who’s accessing and potentially making changes to the application. As a result, there’s no concrete way to determine whether the person accessing the application should be accessing it.
Using Easy-to-remember Passwords
People prefer memorable passwords, but this makes passwords easy for hackers to guess or crack using specialized password attack tools. Nordpass published a report containing the top 200 most common passwords according to 2021 research, citing millions of individuals using the same easy-to-remember password.
Using Insecure Protocols, Networks, and Databases
When accessing an online service that requires authentication, you must provide your username and password. But suppose the online service uses an insecure protocol to exchange information between the user and the web server. In that case, hackers can intercept the unencrypted connection and steal a password transmitted in clear sight.
Additionally, when you access online services, the website you sign into stores your password in a centralized database, known as a credential database. A typical security measure to prevent unauthorized access to a credential database is to use hashing to store the user passwords encrypted in the credential database. Unfortunately, some websites still store users’ passwords in a credential database in unencrypted formats like plain text. If a hacker successfully gains unauthorized access to the server housing the database, they’ll also gain access to all users’ accounts.