Using passwords is a weak method of digital protection, according to 92% of IT decision-makers in Australia.
Then why do we still use passwords? According to Mariam Nouh, cyber security researcher at the University of Oxford:
- Passwords are simple to use.
- Passwords are easy to replace (if forgotten or compromised).
- Passwords are cost-effective.
- Passwords have no device compatibility issues.
“The problem though is they can be compromised in so many ways,” she adds.
Passwords Are Not Enough
Here are the reasons why we need something more than just passwords for data protection:
1. Your password can be guessed.
In brute force attacks, attackers try to guess a password by working through every possible combination of characters, either online against the login form or, far faster, offline against a stolen password hash. This is most effective against weak passwords, but it also succeeds against complex passwords if they are short, because the number of guesses needed grows with length, not just with the mix of characters. Once an attacker has compromised a password, they can use it to gain access to the user’s account and steal sensitive data or cause other damage.
2. Your password can be phished.
Strong passwords can help minimise your cyber risk, but they are virtually useless in some types of attacks. In phishing and social engineering, users are fooled into giving away their passwords. Once attackers have your password, it no longer matters whether it is long or complex. Microsoft’s Director of Identity Security Alex Weinert feels that “when it comes to composition and length, your password (mostly) doesn’t matter.”
3. Your password can be discovered in other ways.
Passwords can also be taken by attackers using keystroke logging, local discovery (a password written on a note or saved in a plain file), extortion, or similar methods. Reusing passwords makes this worse: once an attacker compromises one password, they can try it against your other accounts (known as credential stuffing) and get into every account that shares it.
In most cases above, attackers getting hold of your password is just like them getting a copy of your door key – unless you replace your locks, they can easily get inside anytime. So, what’s the solution?
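To make reason 1 concrete, here is a small exhaustive-search cracker. It is an added example, not code from the original article: it hashes a constructed target password with unsalted SHA-256 (an assumption chosen for simplicity; real systems should use a slow, salted hash) and then tries every string over a chosen alphabet in length order until the hash matches. The `keyspace` helper shows why length matters more than character variety: each extra character multiplies the work by the alphabet size.

```python
import hashlib
import itertools
import string


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate strings of exactly `length` characters over an alphabet."""
    return alphabet_size ** length


def total_candidates(alphabet_size: int, max_len: int) -> int:
    """All candidates of length 1..max_len, i.e. the worst-case number of guesses."""
    return sum(keyspace(alphabet_size, n) for n in range(1, max_len + 1))


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Try every string over `alphabet`, shortest first, until the SHA-256 hex digest
    matches `target_hash`. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if hashlib.sha256(candidate.encode()).hexdigest() == target_hash:
                return candidate, guesses
    return None, guesses


# Constructed sample: a 3-character password over lowercase letters and digits.
ALPHABET = string.ascii_lowercase + string.digits  # 36 characters
SAMPLE_PASSWORD = "zq9"
SAMPLE_HASH = hashlib.sha256(SAMPLE_PASSWORD.encode()).hexdigest()


def demo():
    found, guesses = brute_force(SAMPLE_HASH, ALPHABET, max_len=3)
    print(f"recovered {found!r} after {guesses} guesses")
    # Same alphabet, longer password: the keyspace explodes with length.
    for n in (3, 8, 12):
        print(f"length {n}: {keyspace(len(ALPHABET), n):,} candidates")


if __name__ == "__main__":
    demo()
```

Running the demo recovers the 3-character sample after a few tens of thousands of guesses, which a single CPU core does in well under a second; the printed keyspace figures show how the same search becomes impractical once the password is long, which is the only property of a password that brute force cannot sidestep.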
Multi-Factor Authentication (MFA)
For your home, you can replace the traditional lock and key with a smart lock or keyless lock. In the digital world, you can add one or more additional factors of protection using MFA. How does it work?
Multi-factor authentication is a method of verifying your identity that requires something more than a password. It’s like installing a camera outside your gate or door so you can check whether a person should be allowed in: even someone who holds a copy of the key still has to pass a second check.
The different types of MFA are based on three main methods of verification:

| Factor | What it involves |
|---|---|
| Something you know | A piece of information that only you know, such as a PIN or the answer to a security question. It is the most common and traditional method of authentication, but also the most vulnerable, because attackers can guess it, steal it, or trick you into revealing it (and answers to security questions are often easy to find online). |
| Something you have | A physical device that only you have, such as a smartphone, a USB security key, or a smart card. The device can generate a one-time code that you enter when you sign in, or it can talk to the service directly over USB, Bluetooth, or NFC. Someone who knows your password still cannot access your account without your device. Note that one-time codes can still be phished in real time, whereas hardware keys that use FIDO2/WebAuthn check the site they are talking to and will not answer a fake one. |
| Something you are | Your biometrics, such as a fingerprint, a face scan, or an iris scan, read by a sensor or camera on your own device. Even if someone has your password and your device, they cannot access your account without your physical presence. |
MFA combines two or more of the above, drawn from different categories (two passwords are still one factor). This makes breaking in much harder, because an attacker would need to compromise several factors at the same time. With increased security also comes a reduced risk of data breaches and improved compliance with industry regulations.
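The “something you have” row describes a device that generates a one-time code. The block below is an added example, not code from the original article, showing how that code is computed and checked using the standard time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226): the server and the authenticator app share a secret, and each 30-second step yields a six-digit code derived from an HMAC over the step counter. The login function is an assumed, simplified server-side flow: it only succeeds when both the password and a fresh code are right, and it records the last accepted step so a code that was captured once cannot be replayed. The shared secret and password are the constructed sample values from the RFC test vectors, not real credentials.

```python
import base64
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def otpauth_uri(issuer: str, account: str, secret: bytes) -> str:
    """Provisioning URI that authenticator apps read from a QR code (secret is base32)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"


class User:
    """Minimal server-side record: salted password hash plus the TOTP secret."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest time step whose code has been accepted


def verify_password(user: User, password: str) -> bool:
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, 200_000)
    return hmac.compare_digest(attempt, user.pw_hash)


def login(user: User, password: str, code: str, now: int, step: int = 30, window: int = 1) -> str:
    """Return 'ok' only if the password is right AND the code matches a fresh time step.
    `window` allows one step of clock drift either side; reusing an accepted step is refused."""
    if not verify_password(user, password):
        return "bad-password"
    for drift in range(-window, window + 1):
        t = now + drift * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(user.totp_secret, t, step), code):
            counter = t // step
            if counter <= user.last_counter:
                return "replayed-code"
            user.last_counter = counter
            return "ok"
    return "bad-code"


# Constructed sample data: the RFC 6238 SHA-1 test secret and a throwaway password.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_PASSWORD = "correct horse"


def demo():
    user = User(SAMPLE_PASSWORD, SAMPLE_SECRET)
    print(otpauth_uri("Example", "alice", SAMPLE_SECRET))
    code = totp(SAMPLE_SECRET, 59)                       # what the phone shows at t=59
    print("password + fresh code   :", login(user, SAMPLE_PASSWORD, code, 59))
    print("phished password, no OTP:", login(user, SAMPLE_PASSWORD, "000000", 75))
    print("phished password + old  :", login(user, SAMPLE_PASSWORD, code, 75))
    print("wrong password, good OTP:", login(user, "guess", totp(SAMPLE_SECRET, 75), 75))


if __name__ == "__main__":
    demo()
```

The RFC test vectors make the arithmetic checkable: with the sample secret, time 59 yields 287082 and time 1111111109 yields 081804. Note what the demo does and does not prove. A stolen password fails without the code, and a code that was accepted once is refused afterwards, but a code phished seconds ago and relayed immediately would still pass; that residual gap is why the phishing-resistant hardware keys mentioned in the table are the stronger choice.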
MFA & The Essential Eight
Multi-factor authentication is part of The Essential Eight, the set of mitigation strategies developed by the Australian Signals Directorate (ASD) to help organisations protect themselves against cyber threats. The eight strategies are:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Regular backups
Read more about it at “Cyber Security Best Practices: A Beginners Guide to The Essential 8”. By using all the Essential Eight mitigation strategies, you can significantly reduce your risk of being compromised by a cyber-attack. An experienced cyber security services provider should be able to help you implement the Essential Eight.
Best Practice: Use Passwords + MFA
Passwords serve a purpose (so no need to ditch them yet), but you should start using MFA as well. Here are some ideas:
- Carefully choose your authentication factors.
- Find a reliable MFA provider.
- Set up and test your MFA.
- Educate your users.
- Consider your MFA policies.
- Think twice about using SMS for OTP (codes can be redirected by SIM swapping or read by malware on the phone; prefer an authenticator app or a hardware key).
- Check compliance requirements carefully.
- Plan for lost devices (issue backup codes and define a recovery process that verifies identity rather than simply switching MFA off).