By Julian Scott of Kaseya
Decades ago, hackers learned how to crack passwords, especially the ones that are overly simple or obvious. Did you know the most popular passwords are the most insecure, such as password1, 123456 and even default. Hard to believe but these are still all too commonly used. Weak passwords are simple to hack. But other approaches to hacking are nearly as easy. With social engineering, a hacker can masquerade as an IT admin and simply ask for your password over the phone or through email. This works far too often.
Then there are brute force attacks where a hacker tool simply makes password attempts automatically one after another until one works. In fact, password hacking is so sophisticated that it took only ten days for a hacker group to crack 11 million passwords from the notorious Ashley Madison web site.
Some IT departments force users to have complex passwords and change them regularly. That certainly helps, but it is not a perfect solution and is still vulnerable to social engineering and other hacker attacks that can nab passwords. No matter how complex you make a single password, so-called single authentication will always be crackable. However, adding another level of authentication, two-factor authentication (2FA) or more levels, through multi-factor authentication (MFA), can make passwords truly hacker-proof.
With 2FA, you need to prove your identity through two steps; usually these steps are a password and something that only you can access. This could be something you know, such as your mother’s maiden name, or something you have, such as a fingerprint or retina. When commercial web sites do 2FA, they sometimes send an email or text message to your phone that you then input online to log in.
Why Safeguarding Your Email Password Is So Crucial
Many security experts believe that email is the one app most often compromised. This can happen through the methods we’ve discussed previously, as well as through phishing attacks or malicious password-stealing malware attachments.
Email passwords are sought after because they can be the keys to the kingdom. With just your email password, a hacker can likely get into your other accounts since most end users reuse passwords. And, today, email links directly to social media, so a hacker can pretend to be you or gain enough personal information about you for identity theft. The other issue is that your email is often used by services to reset a lost password. A hacker can access other accounts even without knowing your other accounts’ password by having the password-reset link sent to your email ― which they can already access.
The Limits Of Low-End 2FA Tools
One way you can tell 2FA is so important is that more web sites, especially those for financial institutions, now use it. With 2FA, you first enter your username and password, but before you get to access your account you need to answer a personal question, input a number texted to your phone or emailed, click an image you have chosen from many, or use other authentication means.
One of the great things about 2FA and MFA is how user-friendly they are. How hard is it to remember your mother’s maiden name? Low-level approaches to 2FA, however, can still be hacked. Using the example above, a cyber criminal can access your private information and find your mother’s maiden name. The text message sent to your phone can also be compromised. For instance, a hacker could call the phone company, act as if they are you, and have calls forwarded to them. Now they have those text messages that provide that second level of authentication.
The biggest vulnerability of low-level 2FA comes about because users often forget passwords, especially complex ones, while web sites want to give access back as fast as possible. 2FA provided by web sites should be far stronger. As users, though, we need to protect ourselves more vigorously. Don’t choose “things you know” that can be easily found, such as your mother’s maiden name. And be wary of social engineering. That means never giving out your password or second level of authentication.
When implemented correctly and using a quality solution, 2FA and MFA will not only keep your digital infrastructure safe, it will do so without inconveniencing you or your employees. In fact, in most organizations, it doesn’t take long after implementation for staff to fall right back into their old routines. Which is fine, of course, because those old routines are now much safer.
You may want to use 2FA/MFA in conjunction with Single Sign On (SSO) to make it easier for employees to sign into your company’s system. SSO allows a user to have direct access to all of the platforms they use, but they only need one credential to access them.
It is like having a single, very secure key to access 100 different doors with 100 individual locks.
Julian Scott is the Vice President and General Manager of Global Identity Services at Kaseya. He oversees sales, marketing and product management for Kaseya’s AuthAnvil Identity and Access Management solution. He specializes in enterprise software, channel development, SaaS delivery models, performance optimization and product management with more than 25 years of high tech experience.
The views, opinions and positions expressed within this guest post are those of the authors alone and do not represent those of CBS Small Business Pulse or the CBS Corporation. The accuracy, completeness and validity of any statements made within this article are verified solely by the authors.