Your Pa$$word Doesn’t Matter
We regularly preach (and practice!) about how important password complexity is, after all, its in our own interest as well as our clients that systems and applications aren’t easily broken into, so whilst we can’t force everyone to adhere to this rule, it certainly is overly encouraged.
Password managers are being used more and more, which take away the need to remember anything, let alone fear of complexity – none of us at Southern IT know a single password for any of our business or personal logins, because we just simply don’t need to and it makes life so easy in terms of abiding by ‘modern day password rules’.
You will constantly hear things like:
“Never use a password that has ever been seen in a breach”
“Use really long passwords”
“Don’t use your pets name and date of birth”.
“Passphrases are safest”
Unfortunately though, by focussing on password rules, rather than things that can really help – such as ‘Multi-Factor Authentication’, is just a distraction, because here’s the thing –
When it comes to complexity and length, your password (mostly) doesn’t matter!
Although I stress once more, DO NOT OVERLOOK THIS. A password must still be complex in order to cover as many angles as possible, but it isn’t a one fix, solves all, silver bullet and here’s why….
YOU will give the hacker your password, without even realising it!
And here is why your password (mostly) doesn’t matter. ALL these below techniques used to steal your passwords, render a complex one useless on its own:
So, if password complexity on its own isn’t enough, what should you be doing alongside that? Well other than being vigilant towards threats such as phishing emails and ensuring your staff are regularly trained, trained, trained, trained and trained again!, there is still something that has become so widely available now, but people just aren’t using it and that is Multi-Factor Authentication (MFA).
MFA will stop 99.9% of the attacks listed above.
MFA requires more than one login credential in order to grant the user access, such as a password and also a code from a phone or application. Let’s look at an example based on one of the threats in the table above:
An email arrives in an employee’s inbox, it’s a password reset for Office 365 and the staff member clicks the link, enters their login details and then nothing further happens. All seems harmless and genuine. Unbeknown to the staff member, they just allowed a keystroke logger into the system. This is some malware that will record all keyboard entries typed (even irrelevant ones) and report back to base. The criminal will then use some software that sifts through all data and pulls together a list of the username and password logins for all sites and applications accessed over a certain time period.
So as you can see, having the most complex password in the world won’t help in this scenario, as the exact letters/numbers/symbols etc, will be given to the attacker.
Now this is where MFA comes in. If it was turned on for all accounts that allowed it (more and more are starting to adopt this technology now), the attacker still wouldn’t be able to access anything, as they won’t have the users phone to get that missing code.
Important – MFA isn’t unbreakable, but you have to be physically targeted in order for it to hold much risk, as its very time consuming for the attacker and therefore they need to know its worth it. Majority of attacks aren’t targeted, users simply get caught up in ‘volume-based attacks’ where the criminal sends out thousands of emails at once, in the hope that statically some people will click.
Bottom line, your password on its own doesn’t matter, but MFA does! Based on studies, your account is more than 99.9% less likely to be compromised if you use MFA.
So YES, password complexity is important, else you’re just making life easier for them and opening yourself up to a potential Password Spray attack, but you should ALSO be using MFA where possible and there really should be no exception to this.