Why Are We Still Using Static Credentials?

A recent newsletter from Risky Biz News describes CitrixBleed: "a Citrix vulnerability [that] has entered the dangerous stage of mass exploitation as threat actors are compromising unpatched devices all over the internet in a race with each other to steal their session tokens."

This is far from the first incident to result from the exploitation of the vulnerability inherent in static credentials such as session tokens, and it won't be the last. So why are static credentials still in use? There IS a replacement: the ephemeral credential.

Static credentials can be easily compromised, and they are compromised with disastrous consequences every day. Compromise CANNOT happen with ephemeral credentials, because each one exists only for the moment in which it is used, then disappears and can never be used a second time.

Static credentials have to be managed and protected: they must be indexed, stored, exchanged, and guarded, and they are vulnerable at every step along the way. Ephemeral credentials are never stored or exchanged and don’t have to be protected.

Static credentials require intensive “cyber hygiene” and are the prime target for social engineering attacks. Ephemeral credentials require no cyber hygiene and cannot be targeted by social engineering, because no humans are involved in their creation or use, so a person has nothing to offer an attacker.