The password hassle: a strong one is no longer enough

Cybersecurity is stretched to the limit, with so many of us working from home and more and more companies having a digital presence. Needless to say, a strong password is a must, though not enough to protect yourself or your employer from intrusion.

Countless reports have raised a red flag about just how bad our passwords are. According to Nordpass, 73% of the world’s most popular passwords can be cracked in less than a second using brute force attacks. CyberNews researchers have analyzed 15.2 billion passwords, and here are the five most common ones: 123456; 123456789; qwerty; password; 12345.

Independent polling by the UK’s National Cyber Security Centre (NCSC) shows that a worrying 15% of Britons use their pet’s name to protect their online accounts.

The truth is, even if you keep good cyber hygiene, use strong passwords, and change them often enough, you are still vulnerable, especially on accounts that are not protected by at least two-factor authentication (2FA). Many cybersecurity experts say even that is not enough and urge users to switch to multi-factor authentication (MFA) or biometrics to sign in. The latter, of course, comes with its own flaws, and nothing is foolproof.

2FA is the key

“From my perspective, passwords have always been a real hassle,” Jake Madders, Co-director of Hyve Managed Hosting, told CyberNews. “Obviously, you need to make them complex to be secure. It means you have to remember complex strings. And we have so many places we have to log in to, and it is recommended that we have different passwords everywhere.”

You can use a password manager or store your passwords, for example, in Apple iCloud, which you can unlock with Face ID for convenience, but the truth is that having only a password is not enough.

Madders believes that businesses are going to end up enforcing 2FA.

“Malicious actors can brute force passwords and break in. If you have 2FA, it is irrelevant whether they have a password or not. 2FA is the key to the future,” he said.

Many experts have claimed that even 2FA is no longer enough. For example, SIM-based user authentication is considered unsafe because SIM-swap fraud happens at scale. Still, it is better than using only a password.

Therefore, entities should consider MFA, which is supposed to be the most effective tool against cyberattacks. 2FA is a subset of MFA; the latter requires more factors for authentication, drawn from something you know, something you have, and something you are.

The Achilles’ heel of biometric authentication

Because of the lockdowns, many companies moved at least some parts of their businesses online, starting to sell their goods, organize home deliveries, etc. This added to the cybersecurity issues already present. Many online shops require you to register to buy goods or services.

The good thing, Madders said, is that they are probably using some payment gateway, such as PayPal, so it adds a layer of security.

“But there is still a lot of password usage, which is risky. The safest thing for the general public would be to use something like their iPhone and store their passwords on iCloud, which has 2FA on it. As long as you are using a decent password safe and you are using proper passwords, you are a bit safer,” he said.

With 2FA, you will get a notification when someone tries to log into your account from another device.

2FA based on your biometric data, such as your face or fingerprint, is also not a silver bullet. “I have read about people being able to bypass that on the iPhone, which is pretty scary,” Madders recalled.

Also, some people are reluctant to use their biometric data online. In Europe, there is a push to ban facial recognition. In the United States, it is met with resistance, especially by people from diverse backgrounds.

But Madders seems resigned to the idea that our biometric data, alongside our personal information, will be used further for our and businesses’ convenience.

“Once your signature or your face structure is stored somewhere, there is nothing you can do. It is just already so far entwined in society, and social platforms are already profiling our kids, so the reality is that everyone is already in the system. It is already so far done. It is part of life. I guess we have to get used to it,” he said.

Some experts have repeatedly announced the death of passwords and urged users to move towards biometric methods of authentication. Users share and reuse passwords because passwords create friction: for example, users abandon their purchases because they have forgotten a password. No wonder fingerprint or face recognition seems like a more user-friendly option.

While biometric scanners have gotten increasingly good using things like 3D facial recognition, infrared scanners, and pulse oximetry, there is nothing foolproof about these mechanisms, and they can be and have been spoofed.

“With a detailed enough representation of any of these biometric markers, it is theoretically possible to spoof them and, of course, they can’t be changed once these representations are compromised,” Mike Wilson, founder and CTO of Enzoic, told CyberNews.

Do not overshare

“Nothing is foolproof. It is impossible to fully secure everything,” Madders said. He urges businesses to implement user-friendly safety solutions, such as 2FA. Even though it might not provide the ultimate security, this is something that businesses can easily implement, and people can use it without much friction.

Even though some might argue that the password is an outdated concept, it is not dead yet, so you had better create a strong one for each account you have.

Want to be more secure? Avoid oversharing your data, which could be used, for example, for a phishing attack.

“I do not put a lot of stuff, upload my personal photos, and try to discourage my children from doing it as well,” Madders said.

Our data, scraped from social media platforms such as Facebook, LinkedIn, or Clubhouse, is used for advertising purposes, and companies are making a lot of money selling it.

“For me, the big thing is the use of your data. You are feeding this machine with data every day and enabling a corporation to make billions of dollars in advertising revenue,” Madders said.



Gitanjali GulveSehgal ( Gigi )
3 years ago
2FA can also be hacked. There is the SS7 exploit on phones, also the phone SIM card change scam; YubiKeys were also found vulnerable, etc. An ultimate solution would need to demonstrate the ability to overcome all of these.