According to CSO Online, more than a billion plaintext passwords from third-party data breaches are freely available on the internet. Combine that with the human tendency to reuse one password across many services, and it is likely that some of your users' corporate passwords have already been exposed.
In 2017, NIST quietly changed its password guidance (Special Publication 800-63B). Previously, the guidelines required a long, complex password that the user changed at least every 90 days. What researchers have found, however, is that people have terrible password-creation strategies, and forced rotation makes them worse.
Instead of creating an entirely new password when asked to change it, most users alter the old one slightly, and usually in a predictable way. For example, imagine your password is HuDaFl?77
This is a reasonable password. It is derived from a phrase you can easily remember, and it incorporates mixed case, a special character and numbers. Furthermore, “HuDaFl” is not in any dictionary, so a pure brute-force search would take an impractically long time. (For those of you wondering, the phrase is “Have you Driven a Ford lately?”, which was Ford’s jingle in the early 1980s.)
The problem arises when this user is asked to change their password. We have learned that most users will change their password from the above to HuDaFl?78
Viewed in isolation, this password is just as good as the first one, but there remains a huge issue: the user, in this case, uses this password for all of their websites, and some of those websites have been breached. The first password can now be found on the dark web.
Even though this user has followed instructions and changed their password, any amateur attacker can guess the second one: password-cracking tools such as hashcat and John the Ripper ship with rule sets that take every leaked password and try exactly this kind of variant, incrementing the trailing digits, appending a symbol or toggling case. This is just one of many reasons why complex passwords with mandatory change requirements are not enough on their own.
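To make the point concrete, here is an added example (Python, written for this article; it is not code from the original post or from any cracking tool) that shows both sides of the problem. The attacker half takes the leaked first password and applies a handful of mangling rules, the same kind of rules hashcat and John the Ripper apply at scale, to a stolen hash of the new password. The defender half reuses those rules, plus a small edit-distance check, to reject a “new” password that is only a predictable variant of the old one. The leaked password, the target hash and the use of plain SHA-256 are constructed for the example; a real system would store a slow salted hash such as bcrypt or Argon2.

```python
import hashlib
import re

# Constructed sample data for this example (not real breach data): the first
# password from the article as it would appear in a plaintext leak, and the
# SHA-256 of the user's *new* password, standing in for a freshly stolen hash.
# Real systems should store passwords with a slow salted hash (bcrypt, scrypt,
# Argon2); plain SHA-256 is used here only to keep the example self-contained.
LEAKED_PASSWORD = "HuDaFl?77"
TARGET_HASH = hashlib.sha256(b"HuDaFl?78").hexdigest()

_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)$")


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


def mangle(password):
    """Return the predictable variants of a known password that cracking
    rules try first: nudged trailing numbers, appended digits/symbols,
    swapped symbols and case changes. Deduplicated; the original is excluded."""
    seen = {password}
    candidates = []

    def emit(candidate):
        if candidate not in seen:
            seen.add(candidate)
            candidates.append(candidate)

    # Rule 1: nudge a trailing number up or down, keeping its width (77 -> 78)
    match = _TRAILING_NUMBER.match(password)
    if match:
        stem, digits = match.groups()
        for delta in range(-5, 6):
            value = int(digits) + delta
            if value >= 0:
                emit(f"{stem}{value:0{len(digits)}d}")
    # Rule 2: append one digit or a common symbol
    for suffix in "0123456789!@#$":
        emit(password + suffix)
    # Rule 3: swap a symbol already present for another popular one (? -> !)
    for old in "!@#$?":
        if old in password:
            for new in "!@#$?":
                emit(password.replace(old, new))
    # Rule 4: case toggles
    emit(password.lower())
    emit(password.upper())
    emit(password.capitalize())
    return candidates


def crack_from_leak(leaked, target_hash, hash_fn=sha256_hex):
    """Attacker side: try the leaked password and its variants against a
    stolen hash. Returns the matching plaintext, or None if none matches."""
    for candidate in [leaked, *mangle(leaked)]:
        if hash_fn(candidate) == target_hash:
            return candidate
    return None


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                  # deletion
                               current[j - 1] + 1,               # insertion
                               previous[j - 1] + (ca != cb)))    # substitution
        previous = current
    return previous[-1]


def too_similar(old, new, max_distance=2):
    """Defender side: reject a new password that is a predictable variant of
    the old one. Applies the same rules the attacker would, then a small
    case-insensitive edit-distance check for variants the rules miss."""
    if new == old or new in set(mangle(old)):
        return True
    return edit_distance(old.lower(), new.lower()) <= max_distance


if __name__ == "__main__":
    print("cracked:", crack_from_leak(LEAKED_PASSWORD, TARGET_HASH))
    print("rejected:", too_similar(LEAKED_PASSWORD, "HuDaFl?78"))
```

Running it prints the recovered plaintext (HuDaFl?78) and the rejection verdict. The rule set here is deliberately tiny; real rule files run to tens of thousands of transformations, which is why a “too similar to the old password” check is only a partial defence and NIST also wants new passwords screened against lists of known-breached ones.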
Two-factor authentication has been in use for a number of years. It requires "something you know" and "something you have" in order to authenticate. People ask me all the time why they can’t simply use two passwords. The answer is that both would fall into the “something you know” category, so a single phishing email or breach exposes both at once. The second factor must come from a different category: something you physically possess (a token or phone) or, in some systems, something you are (a biometric). We see this at an ATM: your card is “something you have” and your PIN is “something you know.”
Enterprises have been using this type of authentication for years. You may have heard names such as RSA SecurID and Symantec VIP. Users carry a hardware token, or run an app on their phone, that generates a short-lived one-time password, which they enter alongside their regular password.
Most importantly, two-factor authentication means that an attacker cannot use a stolen password alone to access your account, because it satisfies only half of the authentication requirements. One caveat worth knowing: a one-time code typed into a convincing phishing page can be relayed to the real site within its validity window, so the second factor raises the bar substantially rather than making the password irrelevant.
The 2017 Verizon Data Breach Investigations Report states that 63% of all attacks involved stolen passwords. Two-factor authentication directly reduces this risk. We strongly suggest that all businesses guard their priceless data with two-factor authentication.
The great news is that the new NIST guidance is for users to change their primary password only when there is evidence it has been compromised, rather than on a fixed schedule; for new passwords to be screened against lists of known-breached ones; and for multi-factor authentication to carry the real weight. Users will appreciate changing their passwords less often, and the enterprise is far better protected against stolen passwords being used to breach its systems.
Read part II of this post here.