A focus of this year’s Cybersecurity Awareness Month theme – “See Yourself in Cyber” – is the set of simple actions that individuals and organizations can take to better protect themselves against cybercrime. Two of those steps are using strong passwords and enabling multi-factor authentication (MFA). It’s easy to see why.
Sadly, even in 2022 people are still using weak and easy-to-guess passwords like “12345,” “qwerty” and, yes, “password” to access critical accounts, systems and infrastructure. Some might think that getting tricky and combining their birthday with their dog’s name creates enough complexity to prevent a cybercriminal from guessing their password. It doesn’t. Determined attackers have been known to comb the social media accounts of their intended victims for clues that could help them guess passwords. And there are plenty of tools that help hackers crack passwords built from predictable patterns or dictionary words.
A recent joint alert from the US Cybersecurity and Infrastructure Security Agency (CISA) and the cybersecurity agencies of several other countries pointed to the role that weak security controls play in breaches and the need for organizations to harden credentials (among other recommendations). Many of the most prominent cybersecurity incidents – like last year's Colonial Pipeline ransomware attack – begin with attackers using a stolen password.
Today, good password hygiene starts with having unique, random and complex passwords for every account (at least 16 random characters, not dictionary words). Of course, that’s easier said than done. People generally have a hard time remembering passwords and, as a result, often resort to simple passwords, reusing passwords across accounts or slightly altering them (by, for instance, changing one character). Unfortunately, a reused password turns a single breach into multiple vulnerabilities, because every account that shares it is exposed at once.
One way to minimize this problem is to encourage the use of password managers. They make it easy for users to create and keep track of complex passwords. Password databases are a prime target for theft and stolen ones are widely available online, but if a database of hashed passwords is stolen, strong passwords are much harder to crack than weak ones.
But good password hygiene is just the start of a strong authentication system. Once an attacker gains access to a password – whether by guessing it, by buying it on the dark web, or via social engineering (such as phishing) – they have the “keys to the kingdom” if there isn’t an additional identity verification step in place.
According to the latest Verizon DBIR, more than 40% of all breaches involve the use of stolen credentials; for breaches of internet-facing infrastructure like web and email servers, it’s higher than 80%. And by one estimate, the number of stolen and breached passwords on the dark web has skyrocketed to 24 billion, climbing year over year with no end in sight. That's where multi-factor authentication (MFA) comes in. It can stop many attacks before they get started even if attackers gain access to credentials. With MFA, users are required to provide both a password and at least one additional verification of their identity – such as by responding to a message on an approved mobile device, with a hardware key or with a biometric like a fingerprint – before they are granted access to networks or resources. This added step significantly increases the degree of difficulty for attackers and greatly reduces the likelihood that a compromised credential alone will be enough to launch an attack.
It’s becoming increasingly clear that MFA isn’t just a nice security feature to have; it’s a vital part of any security structure. The Verizon DBIR recommends MFA as the first thing SMBs should implement to protect themselves from cyberattacks, and CISA’s recent alert makes the same recommendation. Even as passwordless solutions start to gain traction, passwords won’t be going anywhere anytime soon.
The good news is that MFA is affordable, easy to implement, and easy to use. That is, of course, if you’re talking about WatchGuard’s AuthPoint™ MFA solution. If you’d like to see how AuthPoint beats the competition, see this report from Miercom.