With more and more reports of incidents involving the theft of user login data, passwords are increasingly recognised as a weak point in security. In this post I explain what multi-factor authentication is, and why you should combine it with strong, unique passwords whenever you can.
The Password Problem
Passwords have been the main defence for protecting data for as long as computers have been in existence, and for years they did an OK job at securing your secrets. But with the explosion of online services and systems that can be accessed by anyone connected to the internet, the limitations of passwords have been exposed.
Having worked in the IT field for my whole career, I'm continually surprised by how careless some people are with the passwords they use.
I think Hollywood has a lot to answer for here. We've all seen films where somebody sits down to guess a password, typing in all sorts of names and dates that might relate to their target.
THIS IS NOT HOW IT WORKS IN REAL LIFE!
Putting aside the fact that most password breaches are caused by stolen credentials (see the section below), if a password is going to be cracked, it won't be by a person sitting in front of a computer. Password-cracking programs work through combinations of letters, numbers and symbols far faster than any person could (against weakly hashed passwords, a modern graphics card manages billions of guesses per second) ... and they don't get tired!
The more types of characters you use (letters, numbers and symbols) and, above all, the longer your password, the longer it takes a computer to crack it: every extra character multiplies the number of combinations that have to be tried.
Bitwarden's online password strength tester will let you type in a password and will tell you both how strong it is and, more importantly, roughly how quickly it is likely to be cracked ... you'll be surprised! Bear in mind that such estimates assume a particular guess rate and a weakly protected password, so treat them as a relative measure rather than a guarantee.
So while weak passwords are bad, it's still a lot of time and effort for criminals to obtain account details in any volume by cracking them.
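As an added example (not code from the original post), the following Python script mimics what a cracking program does against a constructed "breach dump" of unsalted SHA-256 hashes: a dictionary pass first, then an exhaustive brute force over short lowercase passwords, with a guess counter so you can watch the cost grow with length. The usernames, passwords, wordlist and the guess rate used for the time estimate are all constructed for the demo.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterable, Tuple

# Constructed "breach dump": a careless site that stored unsalted SHA-256 hashes.
# We build the hashes from known passwords only so the demo is self-contained;
# a real dump arrives as hex strings with the passwords unknown.
DEMO_ACCOUNTS = {
    "alice": "password1",          # appears in every wordlist
    "bob": "zzzz",                 # short enough to brute-force outright
    "carol": "Tn7!vq-Rm2#pLx9w",   # long and random: out of reach for this script
}
LEAKED_HASHES: Dict[str, str] = {
    user: hashlib.sha256(pw.encode()).hexdigest() for user, pw in DEMO_ACCOUNTS.items()
}

# Tiny constructed wordlist; real ones hold tens of millions of leaked passwords.
WORDLIST = ["123456", "password", "qwerty", "password1", "letmein", "Summer2023!"]


def _try_candidate(candidate: str, remaining: Dict[str, str], cracked: Dict[str, str]) -> None:
    """Hash one guess and check it against every still-uncracked hash (one hash, many targets)."""
    digest = hashlib.sha256(candidate.encode()).hexdigest()
    for user in [u for u, h in remaining.items() if h == digest]:
        cracked[user] = candidate
        del remaining[user]


def dictionary_attack(hashes: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Try each wordlist entry once. Returns (cracked {user: password}, number of guesses made)."""
    remaining = dict(hashes)
    cracked: Dict[str, str] = {}
    guesses = 0
    for word in wordlist:
        guesses += 1
        _try_candidate(word, remaining, cracked)
        if not remaining:
            break
    return cracked, guesses


def brute_force(hashes: Dict[str, str], charset: str, max_len: int, budget: int) -> Tuple[Dict[str, str], int]:
    """Exhaustively try every string over `charset` up to `max_len`, stopping after `budget` guesses."""
    remaining = dict(hashes)
    cracked: Dict[str, str] = {}
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            if guesses >= budget or not remaining:
                return cracked, guesses
            guesses += 1
            _try_candidate("".join(combo), remaining, cracked)
    return cracked, guesses


def keyspace(charset_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters drawn from `charset_size` symbols."""
    return charset_size ** length


def seconds_to_crack(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at an assumed (not measured) guess rate."""
    return keyspace(charset_size, length) / guesses_per_second


if __name__ == "__main__":
    found, n = dictionary_attack(LEAKED_HASHES, WORDLIST)
    print(f"dictionary: cracked {found} in {n} guesses")
    left = {u: h for u, h in LEAKED_HASHES.items() if u not in found}
    found2, n2 = brute_force(left, string.ascii_lowercase, 4, budget=1_000_000)
    print(f"brute force (a-z, up to 4 chars): cracked {found2} in {n2} guesses")
    # Assumed rate: 1e10 unsalted SHA-256 guesses/s is within reach of a GPU cracking rig.
    for size, length in [(26, 4), (26, 8), (95, 8), (95, 12)]:
        print(f"{size}^{length} combinations: {seconds_to_crack(size, length, 1e10):.3g} s")
```

Two things to take from running it: a password that appears in a wordlist falls in a handful of guesses regardless of how "complex" it looks, and the brute-force counter shows the growth that makes length the deciding factor (26^4 is under half a million guesses, 95^12 is a number with 24 digits).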
These days one of the biggest risks is outright theft of credentials. It could be a phishing campaign targeting admins, or even just theft by an employee; there are many ways that account details can be stolen. As often as not, these then end up being sold en masse to anyone willing to buy them.
You can check usernames against known lists of stolen credentials on the site below:
This is the thinking behind the old advice to change your passwords often. Current guidance (from the NCSC, for example) is to change a password promptly whenever you suspect it has been stolen rather than on a fixed schedule, because forced regular changes push people towards weaker, more predictable passwords. Either way, if your account details have been stolen, changing the password will at least limit the damage.
This leads us to the next issue ...
Re-Use of Passwords
We all know we shouldn't do it, we've all been told time and time again, not to do it. Yet so many people use the same passwords across multiple sites and login systems.
It's understandable. We're told to use complicated passwords that nobody can guess, and that will be difficult to crack. We're told to change the passwords regularly. We're told not to write them down.
This is getting all too complicated. Nobody can remember the number of passwords needed on a daily basis, so it's natural to stick to one or two that are easy to remember.
The problem is, the bad guys know this too. Once they have your login details from one place, the first thing they will do (or rather get a computer to do for them) is try the same username and password against every other system they can think of. This is known as credential stuffing, and it is automated and cheap.
We recently had a case where a client was sent a convincing phishing email asking them to download their BT invoice. The email wasn't from BT ... but it was very convincing. After entering their BT credentials things went downhill fast!
By the time we got involved, they had lost access to BT, email, Facebook and a host of other systems ... each one had had the password reset, the password recovery email changed and more.
Getting those accounts back took ages and cost our client a lot of money! Also, their email account had sent out emails to everyone in their contact list saying they had an emergency and needed money transferring to an account (fortunately most people contacted to make sure, or just ignored it, but the criminals made money out of at least one contact that we know of).
So passwords are not great! What can we do about it?
First of all, there are various password managers available that will remember your passwords, auto-fill passwords in websites and generate strong passwords for you to use.
We should all be using a password manager to make complex and unique passwords easy for us.
Some of the most well known are:
(Full disclosure: we resell the LastPass business product and use it ourselves. If you want to talk more about password managers in a business setting, please get in touch.)
Multi-factor authentication, or MFA, is the extra layer that massively reduces the risks associated with passwords.
You may also have come across the term 2-factor authentication (2FA). Strictly speaking, 2FA is MFA with exactly two factors, but in everyday use the two terms are interchangeable.
MFA works on the principle that in order to access an account you need at least two independent things:
- Something you know (i.e. your password)
- Something you have or possess (e.g. your mobile phone)
(A third category, something you are, such as a fingerprint or face scan, is also used, often to unlock the device that holds the second factor.)
So how does it work?
When you enable MFA on an account and log in, you will need to provide your password, as you're used to.
However, you will also need to provide something that is dependent on an item in your possession. Often this second piece of information will come from your mobile phone, as this is something you are likely to have on you.
What types are there?
There are various forms of MFA implemented by different sites and providers, some of which are:
- Email - you might be sent an email with a code you need to enter as part of the login process.
- SMS - you could be sent a text message with a code to enter.
- Phone call - relatively uncommon, but you may choose to have an automated phone call in which a code is read out to you, which you then enter.
- Authenticator app - probably the most secure of these options (and the quickest) is an authenticator app such as Microsoft Authenticator, Google Authenticator, LastPass Authenticator, 2FAS etc. The app holds a secret shared with the site at setup and generates a fresh six-digit code every 30 seconds, so no code ever travels over email or the phone network.
While MFA is becoming increasingly available on systems, it's not everywhere yet. However, most of the big companies, and the ones where your security is most important now incorporate MFA in their login solutions.
You will usually need to turn this feature on yourself in each site's account or security settings, and while it does add an extra step to logging in, we strongly recommend enabling it wherever you can.
Why is it more secure?
So now anyone who wants to get into your account needs two things; your password (which we've already shown is not as secure as you might think) and access to a device which either receives a code or has an authenticator app on it.
With only one of these, they will not be able to login.
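To make the "something you have" concrete, here is an added example (not code from the original post) of how an authenticator app's codes are produced and checked, following the published TOTP standard (RFC 6238, built on HOTP, RFC 4226). The secret below is the RFC's own test secret rather than a real enrolment, and the server-side verifier is a constructed illustration: it accepts one 30-second step of clock drift either way, compares in constant time, and refuses to accept a code (or any older one) a second time, which is the replay case a real service has to handle.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret_b32: str) -> bytes:
    """Secrets reach the app as base32 (what the QR code carries); tolerate spaces and missing padding."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of `step`-second intervals since the epoch."""
    return hotp(decode_base32_secret(secret_b32), unix_time // step, digits)


class TotpVerifier:
    """Server side (constructed for this example). Accepts the code for the current step or one step
    either side to allow for clock drift, compares in constant time, and never accepts a step at or
    before the last one consumed, so a code captured from the user cannot be replayed."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.key = decode_base32_secret(secret_b32)
        self.step, self.digits, self.window = step, digits, window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate_step = current + delta
            if candidate_step <= self.last_accepted_step:
                continue  # already consumed, or older than a consumed code: block replay
            expected = hotp(self.key, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate_step
                return True
        return False


# RFC 6238 test secret (ASCII "12345678901234567890" in base32). A real enrolment uses a random secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("code for this 30-second window:", totp(DEMO_SECRET_B32, int(time.time())))
    server = TotpVerifier(DEMO_SECRET_B32)
    code = totp(DEMO_SECRET_B32, 59)
    print("genuine first use:", server.verify(code, 59))        # True
    print("same code replayed:", server.verify(code, 59))       # False
    print("attacker with password only:", server.verify("000000", 59))  # False
```

The point for the "why is it more secure" question: an attacker holding only the password has no way to produce the code, because it depends on a secret that never leaves the phone and on the current time. The caveat is that the code itself can still be captured by a phishing page that relays it to the real site within the 30-second window, which is why phishing-resistant methods such as hardware security keys and passkeys are stronger still.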
There are a few gotchas to consider.
MFA is not perfect, and it is not an excuse to use weak passwords. Think of it as an extra layer that strengthens the password, not a replacement for a good one.
Not all MFA methods are equal. Email codes can be read by anyone who has already got into your mailbox, and text messages can be diverted by a criminal who persuades your mobile provider to move your number to their SIM. Even app-generated codes can be captured by a convincing fake login page that passes the code straight on to the real site, so a phishing email like the BT one above can still succeed if you type the code into the wrong page. Phishing-resistant options such as hardware security keys and passkeys close that gap, but they are not yet offered everywhere.
If you are able to, we do recommend using an authenticator app, as once installed it is tied to you and your device (which itself has fingerprint, face or PIN security to get into), and it works without a mobile signal.
Passwords have their problems: because of the way they work and the way people use them, there are inherent weaknesses in password-based security.
While organisations and companies around the world look for better alternatives, and we all look forward to a future without passwords, we have to accept that they're here to stay for a while yet.
Turning on MFA wherever you have the option to do so will greatly increase your security and the safety of your data, reduce the risk of identity theft, and in the end could save you from financial loss.
I hope you've found this information useful and informative. If you're a business and would like to talk about how you can improve the security in your organisation, please get in touch.