Why Passwords Are Not Enough

January 10th, 2024

Do you use the same password for all your online accounts?

Is your organization relying only on passwords as a stand-alone security measure?

Do you like to keep your passwords short and simple?

If you answered yes to these questions, the massive data breaches described below should make you rethink your approach to systems and data security.

 


 

In October 2017, Yahoo confirmed that hackers had gained access to the log-in credentials of its 3 billion users! This data breach would also have compromised other services linked to their Yahoo email IDs.

 

In November 2018, Marriott International announced that attackers had stolen the data of approximately 500 million customers, including their mailing address, passport number, phone number, email address, birth date, and gender. For some customers, the attackers also stole payment card numbers along with their expiration dates!

 

In May 2019, Canva detected a malicious attack on its systems. Unfortunately, the hackers got their hands on 139 million usernames, names, email addresses, countries, and, optionally, user-supplied data about their city and homepage URL.

 

According to CSO, February 2021 saw what is being called the mother of all breaches – 3.1 billion unique pairs of email and passwords were leaked online! 

 

These are just a few of the many data breaches occurring globally. With the advent of the digital tsunami, there has been a record-breaking increase in cyber-attacks, coupled with increasingly sophisticated levels of infiltration. Attackers now aim to exploit compromised or weak credentials.

Scary, right?

 

Let us look at some options that can help organizations save millions of dollars; yes, you read that right – millions of dollars! That’s what a data breach can cost a company.

 

 In addition to: 

1) Locking an account after a certain number of incorrect log-in attempts 

2) Frequently changing passwords 

3) Adhering to password policies 

4) Not using one password for all online accounts

 

Cybersecurity experts at Reis Informatica strongly recommend implementing Two Factor Authentication or Multi-Factor Authentication for enhanced security of the systems and data.

 

What is two-factor authentication (2FA)?

 

Two-factor authentication is a security process in which the user’s identity is cross-verified through two separate proofs of identity. Entering the password alone will not suffice. The user is then prompted for a second proof of identity, such as a security code sent to the user’s mobile phone or email. Verification apps, biometrics, or a physical key (something the legitimate user owns) can also constitute the second step of identity verification.
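The log-in flow described above, as an added example that is not part of the original article: a password check and a time-based one-time code from a verification app (TOTP, RFC 6238) must both pass, and the account locks after repeated failures, as in item 1 of the list earlier. The names `Account`, `login` and `MAX_FAILURES`, the threshold of 5, and the sample credentials are assumptions made for this example.

```python
import hashlib, hmac, struct

MAX_FAILURES = 5  # assumed lockout threshold; the article gives no number
STEP = 30         # TOTP time step in seconds (RFC 6238 default)

def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code a verification app displays."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen database resists dictionary attacks.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Account:
    def __init__(self, password: str, salt: bytes, totp_secret: bytes):
        self.salt, self.totp_secret = salt, totp_secret
        self.pw_hash = hash_password(password, salt)
        self.failures = 0    # consecutive failed log-ins
        self.last_step = -1  # last accepted time step, blocks code replay

def login(acct: Account, password: str, code: str, now: float) -> str:
    """Return 'ok', 'denied' or 'locked'; both factors must pass."""
    if acct.failures >= MAX_FAILURES:
        return "locked"
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    step, matched = int(now) // STEP, None
    for s in (step - 1, step):  # previous step tolerates small clock drift
        if s <= acct.last_step:
            continue  # this time step was already used: reject the replay
        if hmac.compare_digest(totp(acct.totp_secret, s * STEP).encode(), code.encode()):
            matched = s
    if pw_ok and matched is not None:
        acct.failures, acct.last_step = 0, matched
        return "ok"
    acct.failures += 1  # same response whichever factor failed
    return "locked" if acct.failures >= MAX_FAILURES else "denied"

if __name__ == "__main__":
    # Constructed sample values, not real credentials; t is a constructed time.
    acct = Account("correct horse", b"constructed-salt", b"12345678901234567890")
    t = 59
    print(login(acct, "correct horse", "000000", t))  # password alone fails
    print(login(acct, "correct horse", totp(acct.totp_secret, t), t))
```

A one-time code is accepted only once per time step, so a code captured in transit cannot be replayed within its validity window.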

 

With the Covid-19-induced remote working culture, many users work from unsecured networks and are an easy target for intruders. To safeguard their data, organizations are now racing towards 2FA. Google, Apple, social media platforms, e-commerce websites, and online banking websites have already started using 2FA to protect users’ sensitive and confidential information on the web.

 

You must be wondering: will adopting 2FA ensure 100% data security?

We would say that 2FA is a reliable system for stopping unauthorized access, but it is not perfect. It does help counter brute force and dictionary attacks. However, social engineering attacks such as phishing and spear phishing still pose a slight risk. A better solution than 2FA would be Multi-Factor Authentication.

 

What is Multi-Factor Authentication (MFA)?

 

MFA is confirming a user’s identity using three or more factors.

To log in successfully, a user’s credentials must come from three or more different factors. These factors are explained below:

 

1) The first factor is Knowledge, or What you know. It could include your password, PIN, or passphrase: something known exclusively to you.

2) The second factor is Possession, or What you have. In addition to the password, the system will send a unique code or one-time password to a physical device you possess, such as a mobile phone, physical token, or fob, or it will ask for a specific smart card.

3) The third factor is Inherence, or Who you are. This authentication category uses identifiers/biometrics unique to an individual, such as fingerprints, retina scans, voice, or facial recognition, to grant access to a system or an account.

 

After carefully evaluating the relative costs and benefits, an organization can zero in on the MFA combination that best meets its requirements and goals. At times, users get bogged down by clumsy log-in steps. Still, as MFA provides a significantly enhanced level of online security, organizations should encourage their customers and employees to use it.

We hope this information equips you better in planning your data security channels. To get your organization’s cyber health assessed by Reis Informatica’s team of cybersecurity professionals, feel free to contact us today.

 

Sources:

https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security

https://news.marriott.com/2018/11/marriott-announces-starwood-guest-reservation-database-security-incident/

 https://www.canva.com/help/article/incident-may24

 https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html

https://www.telesign.com/home

https://www.wired.com/insights/2013/04/five-myths-of-two-factor-authentication-and-the-reality/

https://www.imperva.com/learn/application-security/2fa-two-factor-authentication/

https://www.techrepublic.com/article/two-factor-authentication-cheat-sheet/