RISKS OF TRADITIONAL PASSWORD SYSTEMS IN THE CONTEXT OF ENTERPRISE DISTRIBUTED INFORMATION SYSTEMS

V. A. Dokuchaev
Network Information Technologies and Services, MTUCI, Moscow, Russia, v.a.dokuchaev@mtuci.ru; International Telecommunication Union (GCBI ITU), Geneva, Switzerland

I. A. Safonov
Network Information Technologies and Services, MTUCI, Moscow, Russia

J. Rahmani
Network Information Technologies and Services, MTUCI, Moscow, Russia, j.rahmani@mtuci.ru

DOI: 10.36724/2664-066X-2025-11-4-15-24

SYNCHROINFO JOURNAL. Volume 11, Number 4 (2025). P. 15-24.

Abstract

Traditional password-based authentication systems continue to be used in modern corporate distributed information systems, despite their vulnerabilities. This article examines the threats associated with traditional password systems, including the psychological aspects of their use, technical shortcomings, and regulatory gaps. Examples of real-world attacks, such as phishing campaigns and credential compromises in industrial information networks, are discussed. Particular attention is paid to password protection in industrial Internet of Things (IIoT) and smart grid systems. Practical recommendations for improving security are offered, including the use of multifactor authentication, credential rotation, the elimination of preset passwords, and the implementation of the Zero Trust concept.

Keywords: authentication; vulnerabilities; password; IIoT; Smart Grid; Zero Trust; cybersecurity
