A strong password does not work, nor does specific multi-factor authentication

The director of identity security at Microsoft has been warning about the inability of passwords and more recently about standard multi-factor authentication or MFA.

Passwords don’t matter

Earlier this year, Alex Weinert warned that “your Pa $$ word doesn’t matter,” in which he cited reasons that strong passwords are not necessarily effective.

“When it comes to composition and length, your password (mostly) doesn’t matter,” Microsoft’s Weinert said. He should know: The team he works with at Microsoft defends against crores of password-based attacks every day.

“Remember that all your attackers are stealing passwords … This is an important distinction between imaginary and practical security.” – Microsoft’s Alex Weinert

In other words, the bad guys will do whatever is necessary to steal your password and a strong password is not a hindrance when criminals have a lot of time and a lot of tools at their disposal.

In one table, he gave a list of reasons why hackers are often successful. for example:

Password violation, Ie, the bad guys already have your password

Risk: Large scale violations occur all the time. Because they already have your password and because it is difficult to think and reuse passwords (62% of users reuse), hackers can break into more than one of your accounts. More than 20 million accounts are examined daily in the Microsoft ID system.

– “Password sprayAka guessing

Risk: “Sometimes 100 thousand breaks per day. Millions of people check in every day. “

PhishinYes, fake emails – sometimes very authentic ones – from a reputable company that you trust.

Risk: “Works … People are anxious or worried and ignore warning signs.”

According to Mountain View, California-based Synopsis, the solution for the above (more targeted at tech companies than users): rely more on biometrics such as fingerprints (or “cognitive fingerprints”), voice, or facial recognition. , Among other things, is involved in software security. “Those recognition mechanisms are only stored on the user’s device. Synopsis stated that passwords are ‘shared secrets’ that reside on both devices and servers, as we all know it could be a hack. ”

But Synopsys also says: If you make your passwords long and complex, use a mix of letters, symbols, and punctuation marks, change them from time to time, and use the same password for multiple accounts. Do not use “you [will] Be an extrovert (since most users don’t do them) “and more secure than many.

Phone-based multi-factor authentication is not secure:

According to Weinert, the phone-based MFA, aka the publicly switched telephone network or PSTN, is not secure.

(What is a typical MFA? This is when, for example, a bank sends you a verification code via a text message.)

“I believe they are the least secure of the MFA methods available today,” Weinert wrote in a blog (via ZDNet).

“When SMS (texting) and voice protocols were developed, they were designed without encryption … This means that signals can be interrupted by anyone who is switching networks or the radio range of a device Can reach within, ”Weinert wrote.

Solution: Use app-based authentication. For example, Microsoft Authenticator or Google Authenticator. It is safe because it does not depend on your carrier. The codes are in the application itself and expire quickly.

Comments or suggestions can be sent to me via Twitter message directly on Twitter.com/mbrookec or [email protected]


Leave a Reply