World Password Day
Why Passwords Are Not Enough in 2021

Organizations need to look beyond usernames and passwords for security. Here is why passwords are not enough security in this era.

World Password Day: Why Passwords Are Not Enough in 2021

In what has become the biggest breach of all time, 3.1 billion unique pairs of clear text email and passwords were leaked in February 2021. The size of the breach makes it one of the most notable examples of how hackers easily compromise passwords. Another example is the breach involving more than 500,000 Zoom accounts. They would later be listed for sale in dark web hacker forums.

According to Cyble, the cybersecurity firm that discovered the attack, each account contained a username and registered email address. They also had a personal meeting URL, host key, and password. For the Zoom incident, the case is peculiar as this is a service used by many employees working from home.

These two cyberattack incidents are evidence that attackers are no longer interested in hacking to carry out data breaches, Instead, they now aim at exploiting compromised, stolen, or weak credentials. It’s no wonder that more than 21 million passwords are floating on the Dark Web. Proof of identity has now become the new security measure. It helps in mitigating cyber-attacks that aim at impersonating legitimate users.

The Problem With Passwords as a Stand-Alone Security Measure

Organizations need to look beyond usernames and passwords in enhancing the security of their systems. Security experts tend to agree that even the strongest password is weak, despite having a combination of symbols, numbers, letters, and upper and lower cases. By using phishing techniques or installing malware on a device, hackers can easily compromise a device and access confidential data.

In organizations where hacking rewards could be high, hackers will invest in brute force methods to crack passwords. These could include using complex algorithms and considerable computing power. With sufficient time in hand, it’s highly likely for them to crack any password.

Here are more reasons why passwords are not enough in this technologically advanced era.

The Best Employees Can Create the Worst Security Risk

While most employees don’t intentionally leak out security credentials, they easily fall victim to phishing lures. Many of them also use weak passwords and repeat them across multiple accounts. On average, most employees use the same password for 16 different business accounts. Worse still, they share passwords with colleagues and teammates over insecure platforms like email and Slack. One explanation for weak passwords is password overload. Users have too many passwords to remember. Therefore, they prefer easy passwords like 12345.

Another common mistake that employees make is scribbling their passwords on sticky notes. They then attach them to their laptops or computer screens. This could be risker than they could even think as the sticky notes could fall in the wrong hands.

Further compounding the risk of password insecurity are employees who work from home. They use personal devices to access work-related accounts. Sadly, only a small percentage (45%) use multifactor authentication when accessing work apps and networks. In the same breath, only 45% of companies have taken the necessary steps to protect devices and equipment that belong to employees.

Non-Adherence to Password Policies

Strict password policies are supposed to eliminate the use of weak credentials, but this is not always the case. A basic tenet of password management requires employees to change their passwords within a given schedule. Some companies have a periodic password change setting to enhance security. However, employees shudder at the thought of changing passwords across many accounts. These frequent changes can make employees create weak passwords. Alternatively, they only make a few tweaks to the previous ones.

Additionally, password policies are not always closely monitored or implemented at the workplace. While 67% of companies have a password policy in place, only 34% of these organizations strictly ensure that employees adhere.

Inputting usernames and passwords.

Firewalls Have Loopholes

The combination of firewalls and passwords is not as effective as you may think. As long as you connect any computer to the internet, it is vulnerable to attacks. Firewalls serve to provide a gateway between the user and the internet to prevent an attack. For the longest time, they have been the best protection against internet threats.

Unfortunately, firewalls are not without some drawbacks. One disadvantage in relation to your cybersecurity is that they are defenseless against some malware. They easily allow some types of Trojans in the form of trusted data to enter your system.

Even with firewall software installed, you still need another form of security to protect your data from attack. In this case, consider installing anti-malware software to scan and remove the malware.

How to Enhance Your Systems Security?

Passwords are not enough for cybersecurity.

Companies and individuals alike should not rely on passwords alone for the security of their systems. Security professions should add a layer of security by implementing multifactor authentication (MFA).

Research shows a decreasing reliance on passwords alone over the past few years. Businesses have increased their use of MFA and strong authentication.

There’s no one-size-fits-all approach to MFA, but there’s a wealth of choices organizations can select. The alternatives they go for should reflect their needs and present the least friction for users.

Popular MFA options include:

  • One-time passcodes are delivered to the email or through an SMS message. However, security professionals need to remember that OTPs can be intercepted through SIM-swap or port-out scams. As such, they should strictly send OTP via email.
  • Security questions are the simplest form of authentication. Using one or more security questions that only the user knows the answer can be effective.
  • Phone call with PIN verification. Use this method with any phone number available from the office, mobile, enterprise directory, or home phone number. The user validates the PIN once they answer the phone.
  • Mobile push notifications to a mobile authentication app for Android devices and iOS provide simple verification of authentication.
  • Smartcards provide the highest security level once validated and verified against the corporate directory of an organization.

Final Thoughts

Cybercrime is a worldwide concern, and weak passwords are hackers’ best point of access to your system. Do not allow yourself or your organization to fall victim to security threats. Instead of relying on passwords alone for your accounts, move a notch higher. Multifactor authentication is a reliable way of adding an extra layer of security to your system. Choose an approach that works best in your situation and remain vigilant about your online security.

Contact us for more information.