In 2023, identity fraud cost consumers and businesses more than $23 billion.
This number has been rising in tandem with the amount of information available online. From the sharp uptick in social media use to the digitization of critical business assets, there’s no shortage of valuable data for malicious actors to obtain and exploit.
If attackers gain access to sensitive data, they can encrypt it and demand a ransom for release. They can steal information that lets them access and use financial, insurance or medical accounts. They could also impersonate users to open new credit cards or file fake tax returns.
The biggest challenge for businesses? It only takes one: one successful phishing email or one set of stolen credentials is enough for attackers to gain access and begin causing chaos. While passwords remain the most prevalent protective approach, they’re not perfect — here’s a look at where passwords may create problems, what companies can do to improve password protection and how solutions such as multi-factor authentication help reduce total risk.
The Problem(s) With Passwords
Passwords work because they’re simple and familiar. Passwords fail for the same reason; if they’re too simple and too familiar, it doesn’t take much work for attackers to breach business or personal accounts.
Consider that in 2023, the three most common passwords were “123456,” “123456789,” and “qwerty”. While easy to remember, they’re also incredibly easy to guess. Pair these passwords with login names that follow a predictable first-name/last-name email address format, and attackers have everything they need to compromise business or customer accounts.
Passwords are also problematic because users tend to repeat them across multiple services. While this means fewer passwords to track, it also opens the door to multiple breaches that give attackers more data to use.
Keeping Passwords Protected
Despite inherent risks, passwords aren’t going anywhere. Given both their prevalence and portability, passwords will remain part of cybersecurity best practices for the foreseeable future.
As a result, companies and customers must improve password protection. While there’s no way to create perfect password defense, three steps can help reduce compromise risk.
1) Regularly Change Passwords
Keeping the same passwords is easy, but risky. Consider an e-commerce platform that suffers a breach. If attackers gain access to usernames and passwords, they could use this data to compromise accounts or sell it on the dark web to would-be criminals.
By regularly changing passwords every 3-6 months, users limit the risk of compromise since previous passwords are no longer valid.
2) Don’t Repeat Passwords
It’s also important to select unique passwords for every service or application used. While this reduces the extent of potential compromise, it can also be challenging for users to keep track of hundreds of passwords. Here, customers and companies can benefit from password management tools that offer a secure storage vault that can only be accessed by authorized users.
3) Choose Strong Passwords
Finally, strong passwords can help keep attackers out.
Users can create strong passwords by incorporating symbols and numbers along with letters. It’s also a good idea to avoid repetition — don’t use the same number or letter more than three times in a row.
Another option is creating a passphrase rather than a password. These phrases contain three or more words that may seem random but have some type of interconnection that’s known to users but almost impossible for attackers to guess.
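The rules above (letters plus numbers and symbols, no character more than three times in a row, a passphrase of three or more words, and none of the common passwords the article names) can be turned into a registration-time check. This is an added example written for this page, not code from the article; the function names and the abbreviated common-password set are constructed.

```python
import re

# The three most common passwords of 2023 named in the article; a real deployment would load a
# full breached-password list here (constructed, abbreviated set).
COMMON_PASSWORDS = {"123456", "123456789", "qwerty"}


def has_long_repeat(pw: str, limit: int = 3) -> bool:
    """True if any character occurs more than `limit` times in a row (e.g. 'aaaa')."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > limit:
            return True
    return False


def is_passphrase(pw: str, min_words: int = 3) -> bool:
    """Three or more words separated by whitespace or common punctuation."""
    words = [w for w in re.split(r"[\s\-_.,/]+", pw) if len(w) >= 2]
    return len(words) >= min_words


def check_password(pw: str) -> list[str]:
    """Return the rules the candidate password violates; an empty list means it passes."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if has_long_repeat(pw):
        problems.append("a character repeats more than three times in a row")
    if is_passphrase(pw):
        return problems  # a multi-word passphrase is accepted without the symbol/number mix
    for name, pattern in (("letters", r"[A-Za-z]"), ("numbers", r"\d"),
                          ("symbols", r"[^A-Za-z0-9\s]")):
        if not re.search(pattern, pw):
            problems.append(f"no {name}")
    return problems
```

Returning the list of violations rather than a bare yes/no lets the sign-up form tell the user which rule to fix.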
For individuals, stand-alone password management tools may offer sufficient protection. For organizations, more robust IT support solutions may be the best choice to help secure multiple user accounts across internal networks and external services.
The Future Is Multi-Factor
While passwords remain a core component of common security practice, companies don’t have to rely on credential-based access alone. Instead, they can layer on additional security solutions such as multi-factor authentication (MFA).
Despite the long name, the concept of MFA is simple: By requiring users to provide an additional piece of information — or “factor” — to verify their identity, multi-factor authentication frustrates attacker efforts.
Factors take three common forms: something users know, something they have and something they are. What they know are passwords. What they have could be a physical token such as a USB security key, or a one-time code generated by an authenticator app or sent via SMS. What they are could include fingerprints, facial recognition or voice identification.
Consider a successful credential theft. Armed with usernames and passwords, attackers attempt to access financial applications or corporate networks. After entering this data, however, criminals are met with a request for a one-time text code or are required to provide their fingerprints. Without this data, they fail verification checks and can’t steal data. Multiple attempts to gain access may also result in IT teams being notified, allowing them to address the issue directly.
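The scenario above, worked through in code: a login that checks the password first and then a time-based one-time code of the kind an authenticator app produces (the RFC 6238 TOTP construction), counting failed second-factor attempts so that IT can be alerted. This is an added example for this page, not the article's or any vendor's code; the user record, salt and password are constructed, and the TOTP secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30        # time step used by common authenticator apps
DIGITS = 6
ALERT_THRESHOLD = 3      # failed second-factor attempts before IT is notified


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits): the code an authenticator app shows."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** DIGITS:0{DIGITS}d}"


def verify_totp(secret: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept the current step or one step either side to tolerate clock skew."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * STEP_SECONDS), code)
        for d in range(-drift_steps, drift_steps + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the stored password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record; secret is the RFC 6238 test key, password is a passphrase.
SALT = b"constructed-salt"
USER = {
    "password_hash": hash_password("blue kettle orbit", SALT),
    "totp_secret": b"12345678901234567890",
    "failed_mfa": 0,
}


def login(user: dict, password: str, code: str, unix_time: int) -> str:
    """Return 'ok', 'bad-password', 'bad-code' or 'bad-code-alert' (alert IT)."""
    if not hmac.compare_digest(hash_password(password, SALT), user["password_hash"]):
        return "bad-password"
    if not verify_totp(user["totp_secret"], code, unix_time):
        # A stolen password alone lands here: correct first factor, no valid second factor.
        user["failed_mfa"] += 1
        return "bad-code-alert" if user["failed_mfa"] >= ALERT_THRESHOLD else "bad-code"
    user["failed_mfa"] = 0
    return "ok"
```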
Putting It All Together
As the only line of defense, passwords don’t pass the test. In combination with MFA solutions, however, both users and businesses can reduce the risk of compromise and keep critical data safe.