The password is dead. Long live the password.
As much as we’d like the above statement to be true, the password has not truly expired. The death of the password was first predicted almost two decades ago at the RSA Security Conference in 2004. Passwords were deemed unable to “meet the challenge” of securing critical resources and extinction seemed inevitable. That was 17 years ago, and the death of passwords has been talked about at every security conference since.
Fast forward to today and, despite the rapid advancement of technology, we are still relying on passwords for security. As recently as this year, hackers breached Colonial Pipeline Co. with a single compromised password and walked away with $4.4 million after shutting down the largest fuel pipeline in the U.S. and creating gas shortages across the East Coast.
Why on earth are passwords still so frequently used as the only authentication factor? Although the password is alive (and stays that way because of convenience), its ability to protect your organization on its own is dead. We have entered the era of multi-factor authentication (MFA).
The Problem with Passwords Alone
Passwords are not inherently bad but, unlike other authentication factors, they are uniquely subject to human behavior. This is where the risk lies. We are all imperfect humans with unique priorities in life that are not always related to cybersecurity. Every individual is tasked with the management of dozens upon dozens of passwords across work and personal accounts throughout their lifetime. Keeping track of all of these passwords can be fatiguing.
What’s the path of least resistance for users? Creating passwords that are easy to remember. Reusing the same or similar passwords for multiple accounts. Sharing passwords with friends and family for account access (e.g., Netflix). Sharing passwords with colleagues for work resource access. Resetting forgotten passwords via email. Passwords are such a normalized part of our lives, the average person doesn’t think twice about these behaviors.
The following statistics about typical password use are concerning:
- 42% of people prioritize having a password that’s easy to remember over one that’s very secure
- 61% of people use the same password or a variation for both work and personal accounts
- 91% of people understand the risk of reusing passwords yet 66% admit to doing it anyway
From the IT admin side, the concept of user management with a password made sense for many years because it is a remarkably easy approach to controlling who has access to which IT resources. Unfortunately, the ease for end users and admins also equates to ease for individuals with malicious intent. Gaining access to restricted IT resources becomes as simple as obtaining a password, hence the massive issue with phishing and spear phishing.
Today’s malicious players have various strategies they leverage to acquire credentials. The most common include:
- Credential stuffing. Hackers use lists of stolen credentials in bulk automated login attempts. This strategy is largely successful due to password reuse across accounts.
- Password spray. Hackers acquire lists of users and try the same common password against each of them. This strategy is aided by the use of easy-to-remember passwords such as qwerty123.
- Phishing. Hackers attempt to gain credentials directly from the user, often by impersonating password resets or account issues via email. This strategy plays on our natural human emotions. Spear phishing has emerged as an even more targeted approach to obtaining credentials.
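Credential stuffing and password spraying leave the same trace in authentication logs: one source fails against many accounts, only a few times each, which stays under per-account lockout thresholds. The following added example (not from the original article) flags that pattern and lists the accounts that source then logged in to; the event format, thresholds and sample log entries are constructed assumptions.

```python
from collections import defaultdict

# Constructed events from one observation window: (source_ip, username, outcome)
EVENTS = [
    ("198.51.100.7", "alice", "fail"),
    ("198.51.100.7", "bob", "fail"),
    ("198.51.100.7", "carol", "fail"),
    ("198.51.100.7", "dave", "fail"),
    ("198.51.100.7", "erin", "ok"),      # the one guess that worked
    ("203.0.113.20", "frank", "fail"),   # one user retrying a forgotten password
    ("203.0.113.20", "frank", "fail"),
    ("203.0.113.20", "frank", "fail"),
    ("203.0.113.20", "frank", "ok"),
]


def classify_sources(events, min_accounts=4, max_fails_per_account=2):
    """Label each source by how its failed logins are spread over accounts."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed logins
    wins = defaultdict(set)                        # ip -> users that logged in
    for ip, user, outcome in events:
        if outcome == "fail":
            fails[ip][user] += 1
        else:
            wins[ip].add(user)

    report = {}
    for ip in sorted(set(fails) | set(wins)):
        per_user = fails.get(ip, {})
        worst = max(per_user.values(), default=0)
        # Many accounts, few tries each: no single account trips a lockout,
        # so the pattern only shows up when failures are grouped by source.
        wide = len(per_user) >= min_accounts and worst <= max_fails_per_account
        report[ip] = {
            "pattern": "spray_or_stuffing" if wide else "narrow_retries",
            "failed_accounts": len(per_user),
            # Successful logins from a flagged source need a reset and review.
            "review": sorted(wins.get(ip, set())) if wide else [],
        }
    return report


if __name__ == "__main__":
    for ip, result in classify_sources(EVENTS).items():
        print(ip, result)
```

Shared egress addresses (office NAT, VPN concentrators) can exceed the account threshold with legitimate traffic, so thresholds need tuning per environment.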
Millions and millions of passwords and accounts are probed every day, and as we have seen with thousands of major data breaches, hackers have been having success. Still to this day, credentials are involved in 61% of data breaches. Let’s face it, passwords are no longer enough to secure your organization.
It’s Time to Implement Multi-Factor Authentication
MFA, also known as 2FA or two-factor authentication, layers another authentication factor on top of the password during the login process and greatly enhances security. With MFA enabled, hackers need more than just a password to access an account. They also need access to the second factor, such as a randomly generated security code on the user’s smartphone or a physical hardware key. Since most hacking is done remotely, MFA can make an account virtually unhackable. In fact, the additional barrier provided by MFA can prevent 99.9% of account takeover attempts.
It’s no surprise then that the Center for Internet Security recommends MFA as the first choice for all authentication purposes. Password policies are a secondary security measure. No matter the size of the organization, all IT teams should consider implementing MFA on top of passwords to protect company resources effectively. When MFA is tied to a user’s system and their critical accounts such as email, the chances of an identity compromise decrease dramatically. MFA is a significant step forward in strengthening security and protecting your business from the costs of a data breach.
Today’s cloud identity management platforms are taking steps to implement both system and application-level MFA. By unifying device management and single sign-on (SSO) into a directory service, JumpCloud’s Directory Platform is leading the way. IT admins are able to layer the type of MFA that works best for their organization across all of the devices, applications, networks, and infrastructure they need to secure, while maintaining fluid user workflows. To gain a better understanding of how our platform can support your MFA implementation, try JumpCloud Free today for 10 users and 10 devices.