What is Multifactor Authentication?

Passwords are responsible for preventing unauthorized access to devices, system software and stored personal or business data. However, as passwords can be deciphered or obtained through forms of infiltration, it has become apparent that a password alone is not enough to ensure the security of an account. Therefore, Multifactor Authentication (MFA) is an important component to be used alongside password security and perhaps one day, will replace passwords entirely.

MFA is a second layer of security, set up so that only the intended user can supply the additional proof needed to unlock the account.

This additional proof can be set up via a mobile device, email, physical keycard, hardware fob or biometrics. The most common form of MFA is an authenticator application installed on the user’s mobile device. The application is linked to the user’s accounts and provides, for each account, a unique six-digit code that changes every sixty seconds. The application itself is also protected by a password, PIN or biometric lock such as a fingerprint or facial recognition, increasing the difficulty for an infiltrator to breach it.

Implementing MFA increases the security of an account considerably, as the design aims to ensure that the only individual with access to the key is the user, and that there is a low likelihood of the key being stolen or compromised. This reduces the risk of consequences from human error, misplaced passwords or lost devices, and gives organisations more confidence in their digital initiatives. With MFA enabled, even if the password is compromised, the account remains secure. That said, awareness of correct practices and diligence in avoiding potential threats are still important to maintain the integrity of this form of security.

MFA is the future of account security; however, passwords remain relevant and must still be implemented correctly, as many accounts still use only a password or a single form of authentication. Vulnerabilities can therefore still exist in accounts protected by a single weak password, so good practices in the creation and management of passwords remain important.

Why are Passwords Necessary?

Passwords are a free, easy and effective basic standard of security, implemented by default in most instances. Unless done correctly, however, they can be quite ineffective, as infiltrators can circumvent or decipher a weak password with relative ease. Weak or reused passwords, and passwords that are not stored securely, are examples of bad practices that can lead to the infiltration of sensitive data. To keep passwords from being impractical, this article sets out recommended best practices along with other useful information to promote cyber security awareness.

Hacker Infiltration Methods

There are multiple ways in which an infiltrator can obtain or decipher a user’s password, most of which are preventable if the appropriate measures and practices are implemented proactively.

A brute force attack is an algorithm that deciphers a password by attempting every possible combination. Depending on the strength of the password, this can take from mere seconds to centuries. A slight variation of this method is called a dictionary attack. It follows the same method; however, instead of moving through all possible combinations until the password is deciphered, it only attempts commonly used passwords and slight variations of them. The software used to perform these attacks can be easily and freely downloaded online, increasing the threat of this method.

A phishing attack is one in which an infiltrator impersonates a trusted person or organisation to lure the user into installing malicious content. This is performed via phone calls, text messages, emails and other communication platforms. The malicious content installed can steal or copy data, lock data away, or remain undetected and monitor activity.

Password Recommendations

Number of Characters

The number of characters in a password is one large factor that contributes to its overall strength and to the difficulty an infiltrator using a brute force algorithm has in deciphering it. For reference, a password of 5 to 10 characters can be broken within minutes to days, and a password of 11 to 13 characters can take months to years. A minimum of 16 characters is recommended, as it would take current technology centuries to decipher even if only lowercase characters were used. The greater the length of the password, the greater its strength.

Range of Characters

On a keyboard, there are 4 different types of characters that can be used when creating most passwords: numerical characters, lowercase characters, uppercase characters and special characters. Using a combination of these character types in a password increases its strength greatly, because if all character types are permitted there are approximately 90 different characters that can be used in each character slot. For a 16-character password, a brute force algorithm would therefore have to attempt up to 2.348543×10^108 possible character combinations.
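To show how length and character range combine in the brute-force worst case, here is an added Python example (not from the article) that classifies a password's character set, computes its keyspace and entropy, and converts the exhaustive-search time at an assumed guess rate into a readable duration. The 1e10 guesses-per-second rate and the sample passwords are constructed assumptions, and the function names are this example's own.

```python
import math
import string

# The article's four character classes, with the number of keyboard characters in each.
CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26
    "uppercase": string.ascii_uppercase,   # 26
    "digits": string.digits,               # 10
    "special": string.punctuation,         # 32 printable ASCII symbols
}
UNITS = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]

def classes_used(password: str) -> set:
    """Which of the four character classes actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}

def alphabet_size(password: str) -> int:
    """Size of the per-position alphabet an attacker must assume, given the classes used."""
    return sum(len(CLASSES[name]) for name in classes_used(password))

def keyspace(length: int, alphabet: int) -> int:
    """Number of candidates an exhaustive search must cover in the worst case."""
    return alphabet ** length

def entropy_bits(password: str) -> float:
    """Upper-bound entropy in bits, assuming a uniformly random choice from the alphabet."""
    return len(password) * math.log2(alphabet_size(password))

def worst_case_seconds(password: str, guesses_per_second: float) -> float:
    """Time to exhaust the keyspace at a given guess rate (the attacker's upper bound)."""
    return keyspace(len(password), alphabet_size(password)) / guesses_per_second

def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for name, size in UNITS:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"

if __name__ == "__main__":
    # Assumed offline guess rate, constructed for illustration rather than measured.
    RATE = 1e10
    for pw in ["sunshine", "sunshine2024", "Sunshine!2024", "correcthorsebattery"]:
        print(f"{pw:22} alphabet={alphabet_size(pw):3} bits={entropy_bits(pw):5.1f} "
              f"worst case: {humanize(worst_case_seconds(pw, RATE))}")
```

The figures are worst-case for a uniformly random choice; as the dictionary-attack paragraph above notes, passwords built from common words fall far faster than their raw keyspace suggests.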

Password Fatigue

Using a different password for each account is a very good practice, as regardless of its strength there is always a possibility that a password can be obtained by other means. Social engineering, malicious spyware or a breach of the organisation that holds the account are all examples of ways a password can be obtained without deciphering it. For this reason, having a different password for each account is vital: if one account is compromised, the infiltrator does not automatically gain access to all accounts. A different password for each account protects each of them individually.

Logging Out

When you have finished using an account or device, it is a very good idea to log out, as otherwise nothing prevents the stored data from being accessed. Restricting the saving of passwords in the web browser for its auto-fill function will also reduce the risk of passwords being compromised, because if the browser vendor’s organisation is compromised, the passwords stored there may be compromised as well.

Password Manager

A password manager is an application that can be installed on a device to store and protect the passwords for all the accounts a user possesses. This removes the burden of remembering them all and the insecurity of having them stored in an unsecure location. A password manager is itself protected by a password, referred to as the master password. The risk of using a password manager is that it stores all the information required to access every account and its data, making it a holder of very sensitive data. However, this risk can be mitigated by selecting a reliable password manager that maintains up-to-date security measures, using a strong master password and enabling multifactor authentication. Software updates for the password manager should be installed regularly as an added level of security.

It is not recommended to use a browser-based password manager such as the ones built into Google Chrome or Microsoft Edge, as they present a larger range of potential vulnerability points that an infiltrator could exploit to obtain the stored data. A browser’s password management system also only allows passwords for web-based accounts to be stored.

Using a program such as Bitwarden is beneficial, as the organisation specialises in security measures and continually updates its security methods to meet protection standards. Access is only possible through a desktop application or web-browser extension using a master password and two-factor authentication. Passwords for accounts of any type can be stored, and the application has an easy-to-use interface and tools.