I use passwords a lot. I have different types of passwords: strong, mega strong, and paranoid strong. Some I can remember, some I can’t. It drives me mad sometimes. Whether you like passwords or not, single-factor authentication (SFA), also called single-password authentication, remains one of the most common first lines of defence used by online systems to protect applications and data against unauthorised access.
Single-password authentication also remains one of the most common attack vectors cyber criminals use to break into online systems. My view is that single-password authentication should be banned worldwide. All publicly accessible online systems that rely on a single password should be forced to use at least one form of strong multi-factor authentication (MFA). In this article I cover 5 reasons why.
The growing threat of phishing, ransomware, and Advanced Persistent Threats
With the rapidly growing number of sophisticated cyber attacks such as phishing and ransomware, single-factor authentication has had its day. One way to fight back against the rising tide of attacks is strong multi-factor authentication. It must become widespread and serve as the baseline authentication mechanism. Unfortunately, many service providers and organisations still rely on single-factor authentication as their preferred mechanism for online systems connected to the Internet. This is very bad. Here are 5 reasons why:
- Humans are naturally ‘lazy’ when it comes to passwords
When we are challenged to create a password, we usually choose something we can remember easily, and that usually means a weak password. Password generator software such as LastPass or Norton Identity Safe can help create very strong passwords. However, many online systems still do not enforce strong password policies, so users can get away with creating very weak passwords.
- Computing power is increasing dramatically. Password-cracking tools are getting more powerful
With the dramatic increase in computing power, password-cracking tools are now widely used by cyber criminals. They guess and break passwords very quickly using brute-force algorithms. With quantum computing this power will increase exponentially, allowing password-cracking tools to break even the strongest password in a very short period of time.
- Some service providers still store unencrypted passwords
We hear in the news every day about online systems being breached and personal information being stolen. One such case was LinkedIn in 2012. Having stolen millions of passwords, cyber criminals used the password database to develop better tools that crack passwords much faster.
- Password renewal frequency
One way to keep a password safe is to change it regularly, and various online systems enforce this to strengthen security. However, forcing users to change passwords too frequently leads to password fatigue. Unless strict password policies are enforced, users will often re-use previous passwords for convenience.
- Password fatigue
Too many passwords. Too many online systems. Users are feeling password fatigue. Many organisations are implementing Single Sign-On (SSO) to let users log in once with a single password and then access several online systems through a chain of trust. However, if that initial password is weak, every system behind it is weakened too.
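As an added example (not code from the original article), here is how a service can avoid the plaintext-storage problem from the LinkedIn point and enforce the no-reuse rule from the renewal point: per-user salted PBKDF2 hashes, constant-time comparison, and a bounded password history. The iteration count, history depth and class name are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

# Assumed values for this demo. Kept low so the example runs quickly; OWASP
# recommends 600,000 iterations for PBKDF2-HMAC-SHA256 in production.
PBKDF2_ITERATIONS = 100_000
HISTORY_DEPTH = 5


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Derive a slow, salted hash. A stolen table of these is far harder to
    turn into a cracking dictionary than the plaintext the article warns about."""
    salt = salt or os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class UserRecord:
    """Stores only salted hashes, never the plaintext, and keeps a bounded
    history so a rotation policy can refuse recycled passwords."""

    def __init__(self, password: str):
        self.salt, self.digest = hash_password(password)
        self.history: list[tuple[bytes, bytes]] = []

    def is_recycled(self, password: str) -> bool:
        # Each retained entry carries its own salt, so every one must be re-derived.
        entries = [(self.salt, self.digest), *self.history]
        return any(verify_password(password, s, d) for s, d in entries)

    def rotate(self, old: str, new: str) -> bool:
        """Change the password; refuse a wrong old password or a reused new one."""
        if not verify_password(old, self.salt, self.digest):
            return False
        if self.is_recycled(new):
            return False
        self.history = ([(self.salt, self.digest)] + self.history)[:HISTORY_DEPTH]
        self.salt, self.digest = hash_password(new)
        return True
```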
With the increasing number of cyber attacks against all types of organisations worldwide, single-factor authentication (SFA), also called single-password authentication, remains one of the most widely used mechanisms for protecting online systems against unauthorised access. Relying on single-password authentication alone is bad practice. I argue that it should be banned completely. All online systems accessible from the Internet should be forced to use strong multi-factor authentication (MFA). This would greatly reduce the rapidly growing number of cyber attacks worldwide.
Here are known security vendors providing two-factor authentication: RSA, F5, Vasco, and Gemalto. Examples of free and commercial online service providers using strong multi-factor authentication are: Google, Microsoft Office 365, Box, and ShareFile.
The article originally appeared on iCyber-Security.