Warning! The Identity Director at Microsoft Alex Weinert has been cautioning us since last year about the inadequacy of passwords. He warns us that “Your Pa$$word doesn’t matter,” telling us his reasons that even the “strong” ones aren’t guaranteed to be effective. 

His team at Microsoft work in defending against millions of password-type attacks each and every-day. So, he knows that “when it comes to composition and length, your password doesn’t matter.” 

Firstly, Weinert says that all your attacker cares about is stealing passwords…That’s a key difference between hypothetical and practical security.”  

That’s to- say, criminals will do what it takes to steal your password whether it’s a strong one or not. It’s not a deterrent for these guys when they have the time and all the tools required, at just the touch of a button.  

Alex Weinert gives reasons as to why the cybercriminals are successful. So, here they are listed below: 

Password breach, i.e., the bad guys already have your password. 

Risk: Severe breaches happen regularly. Why do they happen all the time? 

Firstly, it’s because the bad guys already have your password.  

Secondly, passwords get reused, and reused. Let’s face it, they’re hard to think up. A massive 62% of users admit to reusing passwords. As a result, hackers can break into more than one of your accounts. We make it so simple for them. 

There are more than 20 million accounts probed daily in Microsoft ID systems. 

“Password Spray” aka guessing 

Risk:  100s of thousands of passwords are broken per day. After all there’s “millions probed daily.” 

Phishing. i.e., fake emails are often very authentic in appearance. As they act like their coming from a company that you know & trust. 

Risk: “works…people are curious or worried and ignore warning signs.” 

What’s the solution? This answer is more for the tech company than an individual user. Mountain View, Calif.-based Synopsys, who are involved in software security. They suggest “using more biometrics such as fingerprint or cognitive fingerprint which include monitoring various behaviours such as keystroke patterns, mouse use, sentence structure and use of language voice, or facial recognition.” 

Why should you use biometrics? To clarify this Synopsys says, “those recognition mechanisms are stored only on the user’s device. Whereas “passwords are ‘shared secrets’ that reside on both the device and on a server”. And we all know, servers can get hacked. 

However, Synopsys also go on to say that if you make your passwords: 

  1. Long 
  1. Complicated 
  1. Use a mixture of letters, numbers, symbols, punctuation  
  1. Change your passwords regularly 
  1. Don’t reuse passwords 

You’ll be more secure than most people !!! 

Phone-based Multi-Factor Authentication isn’t secure either 

Recently, Weiner also included standard MFA to his “isn’t secure” either. But the disclaimer here is using MFA is much more secure than not using it at all. However, MFA based on phones, such as publicly switched telephone networks or PSTN, is not secure. 

For example, the MFA where say a bank sends you a verification code via a text message. Weinert warns these are the “least secure” MFA methods available today,” he wrote in a recent blog (via ZDNet). 

Weinert goes on to explain that when SMS and voice protocols were introduced, they came without encryption. In other words, the signal “can be intercepted by anyone who can get access to the switching network or within the radio range of a device.” 

The solution is to use app-based authentication such as Microsoft or Google Authenticator. To clarify, the codes are in the app itself and constantly change. So, it’s safer because they don’t have to rely on a phone carrier and be concerned about the interception of codes. 

While your password may not be totally secure having a strong complicated password for each account is best practice. And even though MFA standard isn’t totally secure having MFA is better than having no MFA at all. In conclusion, tighten up your password habits and use an MFA app to make it not so simple for the hackers.