It's Cybersecurity Awareness Month. Do You Know Where Your Passwords Are?

The combination of username and password alone, the standard for online security for decades, has shown that it is woefully inadequate to combat cyberattacks.

Passwords are easily compromised

Passwords alone are insufficient for protecting sensitive data primarily due to users’ lack of security hygiene and aggressive attacks by cybercriminals.

  • Weak passwords – Users continue to select simple passwords that are easy for attackers to guess, such as “password” or “12345678”, or familiar words, like the names of pets or family members. These types of passwords offer little, if any, protection against a cyberattack. Enforcing complex passwords in an organization can backfire as users will often write these passwords down.
  • Password reuse – Another problem occurs when people reuse the same password for multiple accounts. Once a username-password combination is compromised, all other accounts using the same credentials are at risk.
  • Phishing – Phishing attacks try to trick users into revealing their login credentials to attackers by using legitimate-looking emails or websites. Phishing techniques have become more sophisticated, so even tech-savvy users have fallen victim to these attacks.
  • Brute force – Automated tools systematically try username-password combinations until they get one that works. This method is that much easier when users have weak passwords.
  • Data breaches – Cyberattacks against companies have yielded large-scale data breaches that include thousands of passwords. Even the most complex password is rendered ineffective in these situations.

The common problem in these situations is that username-password combinations represent a single point of failure. Once compromised, they are exploited by attackers or sold on the dark web for other attackers to use.

MFA, Conditional Access, and Zero-Trust

Many businesses are reluctant to move away from password-based authentication because their existing infrastructure supports it, and their staff is accustomed to it. However, several solutions that businesses can adopt right away can significantly enhance security with minimal impact on the company or the user: Multifactor Authentication (MFA), Conditional Access Policies, and Zero-Trust.

  • Two-Factor Authentication (2FA) and Multifactor Authentication (MFA) – MFA uses multiple forms of authentication before allowing a user to log in. 2FA, a form of MFA using only two factors, might combine a traditional username-password login with another form of identification, such as a verification code sent via email or text message, providing an independent form of identifying the user making the login attempt. Even if a person’s password is compromised, MFA will prevent most invalid login attempts. Microsoft provides MFA for free with Azure Active Directory (Azure AD) clients.
  • Conditional Access Policies – Access to critical systems or applications can be restricted based on various access policies such as time, location, device, or IP address. For example, administrators can limit users from logging into an application remotely if the login attempt occurs after hours or originates outside the country. Conditional access policies work with other login methods to ensure that only authorized individuals are granted access to sensitive company systems and data. Conditional access is included with premium Azure AD plans.
  • Zero Trust – In a Zero-Trust model, every access request is treated as a potential threat, and the user must authenticate each time they attempt to log into a system. Although Zero-Trust demands more effort from IT than MFA and conditional access, in addition to a commitment to change from the user community, this model ensures that only authenticated users are granted access to sensitive systems and data.
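To make the conditional access criteria above concrete, here is an added Python example (not ArcherPoint's or Azure AD's code) that evaluates one sign-in against the four criteria the article names: location, time, device and IP address, with an MFA step-up for anything off the corporate network. The business hours, home country, network ranges, app names and sample sign-ins are constructed assumptions for illustration only.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Policy parameters: constructed values for this example, not vendor defaults.
BUSINESS_HOURS = range(8, 18)                     # 08:00 to 17:59 local time
HOME_COUNTRY = "US"
CORP_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
CRITICAL_APPS = {"erp", "payroll"}                # apps that require a managed device


@dataclass
class SignIn:
    user: str
    app: str
    when: datetime          # local time of the attempt
    country: str            # country code reported by geolocation
    ip: str
    device_compliant: bool  # managed device that passed the compliance check
    mfa_passed: bool        # second factor already completed for this session


def on_corp_network(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def evaluate(s: SignIn) -> str:
    """Return 'deny', 'require_mfa' or 'allow' for one sign-in.
    Rules run most restrictive first, so one failing condition blocks
    the sign-in regardless of how the other criteria look."""
    remote = not on_corp_network(s.ip)
    if s.country != HOME_COUNTRY:                          # location rule
        return "deny"
    if remote and s.when.hour not in BUSINESS_HOURS:       # after-hours remote rule
        return "deny"
    if s.app in CRITICAL_APPS and not s.device_compliant:  # device rule
        return "deny"
    if remote and not s.mfa_passed:                        # MFA step-up off the corp network
        return "require_mfa"
    return "allow"


if __name__ == "__main__":
    # Constructed sample attempts: an in-office sign-in and a late-night remote one.
    for c in [
        SignIn("alice", "erp", datetime(2024, 10, 16, 10, 0), "US", "10.1.2.3", True, False),
        SignIn("alice", "erp", datetime(2024, 10, 16, 22, 15), "US", "198.51.100.7", True, True),
    ]:
        print(f"{c.user:<6}{c.app:<9}{c.ip:<15}{evaluate(c)}")
```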

Moving beyond passwords

New passwordless and keyless authentication methods are proving more effective than passwords alone. One thing is certain: companies that rely solely on usernames and passwords for the security of their systems and data are at high risk of cyberattacks and the loss of valuable data.

While MFA, Conditional Access, and Zero-Trust aren’t 100% effective, they go a long way toward securing sensitive systems and data. Ideally, multifactor identity policies will utilize three elements: Something you know (a password or PIN), something you have (a phone, computer, security key), and something you are (face, fingerprint, or another biometric identifier).

Identity authentication and access are important elements of a company’s cybersecurity plan. Adopting more secure authentication policies and educating users on protecting themselves and the company are critical to avoid falling victim to cyberattacks.

Learn more

Contact ArcherPoint to learn more about how you can secure your business from cybercriminals.

Be sure to attend Matthew’s session, Help! I’ve Been Hacked! Overcoming and Preventing Ransom Attacks, on Wednesday, October 16, at Community Summit North America 2024 in San Antonio, Texas.
