There are two key questions anyone responsible for a business and its data needs to ask:
- Does our company still have a password database and, if so
- Why?
The simple fact is that there is no reason for any company to have a password database anymore. It is now estimated that 81% of all hacking-related breaches involve the use of stolen or weak credentials (source: DBIR). This has to be seen in the context of 8 billion authentication credentials having been stolen since 2013, with all that implies for damage to a company's business and brand reputation.
Today, most forms of security (even many that are built around two-factor authentication) remain highly vulnerable because they still rely on databases to store passwords and other authentication credentials, such as phone numbers.
For instance, consider these three prevalent but vulnerable examples:
- Two-factor authentication – this involves a user providing authentication information in addition to a password to prevent compromise of an account.
- Passwords and/or API keys (secret tokens) – this is where stored credentials are sent from a browser/client to a back-end service to authenticate a user or application.
- Public Key Infrastructure (PKI) and certificates – these are mainly used to prove the authenticity of a website to the web browser a person employs to connect to a site or service.
Why Hackers love Password Databases
Each of these systems relies on a database of stored credentials and is therefore inherently vulnerable; a password database breach is the single largest cybersecurity threat to any company. We only have to look at a few recent examples to see evidence of this, such as the epic and long-undetected Yahoo! security breach, as well as the allegations surrounding email accounts in the recent US elections.
Most breaches involving stolen passwords and other authentication credentials go undetected for some time, allowing an attacker to move across a network unnoticed. This lets criminals not only steal data but also damage systems, and perhaps plant malicious code that undermines the integrity of the system, so that what we see on the screen is not what is actually happening behind the scenes.
For an interesting representation of the endless challenge, check out World’s Biggest Data Breaches & Hacks — Information is Beautiful
Can you replace a Password Database seamlessly?
Fortunately, there are alternatives to vulnerable centralized security that stores authentication credentials in whole form, in a single place, where they are easy to compromise. A security framework that neither sends authentication credentials across the web nor requires them to be stored in a centralized database completely removes a company's single largest cybersecurity threat.
New systems that are smart, safe and scalable allow an end user to prove their identity without sharing their secret with the site (zero knowledge); these solutions work for both mobile applications and web browsers. Moreover, they can protect both internal (employee) and external (customer) users for a minimal investment, while providing an immeasurable return by protecting, and potentially enhancing, a company's business and brand reputation.
This raises the question: why are companies still using dangerous password databases to protect their most important assets?
MIRACL’s use of a zero knowledge proof (or process) allows any user or device to confirm their identity without revealing any valuable information about themselves. Learn about MIRACL Trust® multi-factor authentication, which features our zero knowledge proof.
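To make concrete what "proving identity without revealing the secret" means in practice, here is an added, self-contained illustration of a Schnorr-style zero-knowledge proof of identity. It is not MIRACL's protocol and not code from this page or from MIRACL: the group, the class names (`Client`, `Server`) and the `authenticate` helper are all hypothetical choices made for this example, and the 160-bit parameters are demo-sized. The point it demonstrates is the one made in the two paragraphs above: the server's table holds only a public value `v = g^x mod p`, the secret `x` never leaves the client and is never sent over the wire, and an attacker holding a complete copy of that table still cannot pass the login check.

```python
"""Schnorr-style zero-knowledge identification (added illustration, hypothetical).

Registration: client keeps secret x, server stores only v = g^x mod p.
Login:        client sends t = g^r; server sends challenge c;
              client sends s = r + c*x mod q; server checks g^s == t * v^c mod p.
"""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rounds=16):
    """Trial division followed by Miller-Rabin; adequate for a demo-sized group."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_group(bits=160):
    """Return (p, q, g): safe prime p = 2q + 1 and g generating the order-q subgroup.
    Demo-sized; a real deployment would use standardised, much larger parameters."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    while True:
        g = pow(2 + secrets.randbelow(p - 3), 2, p)  # a square has order q (or is 1)
        if g != 1:
            return p, q, g


class Client:
    """Holds the secret x. Only g^x (at enrolment) and (t, s) (at login) ever leave it."""

    def __init__(self, params):
        self.p, self.q, self.g = params
        self.x = 1 + secrets.randbelow(self.q - 1)
        self._r = None

    def public_value(self):
        return pow(self.g, self.x, self.p)

    def commit(self):
        self._r = 1 + secrets.randbelow(self.q - 1)
        return pow(self.g, self._r, self.p)

    def respond(self, challenge):
        s = (self._r + challenge * self.x) % self.q
        self._r = None  # r must never be reused: two responses with one r reveal x
        return s


class Server:
    """Stores only public values; a stolen copy of `registry` does not contain any secret."""

    def __init__(self, params):
        self.p, self.q, self.g = params
        self.registry = {}

    def enrol(self, user, public_value):
        self.registry[user] = public_value

    def challenge(self):
        return secrets.randbelow(self.q)

    def verify(self, user, t, c, s):
        v = self.registry.get(user)
        if v is None or not (1 < t < self.p):
            return False
        return pow(self.g, s, self.p) == (t * pow(v, c, self.p)) % self.p


def authenticate(client, server, user):
    """One interactive round: commit -> challenge -> response -> verify."""
    t = client.commit()
    c = server.challenge()
    s = client.respond(c)
    return server.verify(user, t, c, s)


def demo():
    """Honest login succeeds; someone holding the server table but not x fails."""
    params = generate_group()
    server, alice = Server(params), Client(params)
    server.enrol("alice", alice.public_value())
    honest = authenticate(alice, server, "alice")
    impostor = Client(params)  # knows v from the stolen table, guesses x
    forged = authenticate(impostor, server, "alice")
    return honest, forged


if __name__ == "__main__":
    print(demo())
```

The verification equation holds for an honest client because `g^(r + c*x) = g^r * (g^x)^c`. For anyone without `x`, the response `s` that satisfies it for a random challenge `c` can only be guessed with probability about `1/q`, so the server's table is worthless to a thief, which is exactly the property the article says a centralized password database lacks.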