Microsoft Warns: A Strong Password Doesn’t Work, Neither Does Typical Multi-Factor Authentication



Earlier this year, Alex Weinert warned that “Your Pa$$word doesn’t matter.” In that post he spelled out the reasons that even strong passwords aren’t necessarily effective.

“When it comes to composition and length, your password (mostly) doesn’t matter,” Microsoft’s Weinert said. He should know: the team he works with at Microsoft defends against hundreds of millions of password-based attacks every day.

“Remember that all your attacker cares about is stealing passwords…That’s a key difference between hypothetical and practical security.” — Microsoft’s Alex Weinert

In other words, the bad guys will do whatever is necessary to steal your password and a strong password isn’t an obstacle when criminals have a lot of time and a lot of tools at their disposal.

In a table, he gave a list of reasons why hackers are often successful. For example:

Password breach: passwords hacked from other websites. Risk: massive breaches happen all of the time. Because attackers already have your password, and because passwords are hard to think up and get reused (62% of users admit reuse), hackers can break into more than one of your accounts. More than 20 million accounts are probed daily in Microsoft ID systems.

Password spray: aka guessing, or AI-based brute forcing.

Phishing: fake emails — sometimes very authentic-looking — purportedly from a reputable company that you trust.


Solution for the above (an exhortation aimed more at tech companies than users): rely more on biometrics such as fingerprint (or a “cognitive fingerprint”*), voice, or face identification, according to Mountain View, Calif.-based Synopsys, which, among other things, is involved in software security. “Those recognition mechanisms are stored only on the user’s device. Passwords are ‘shared secrets’ that reside on both the device and on a server that, as we all know, can get hacked,” Synopsys said.

But Synopsys also adds this: If you make your passwords long and complicated, use a mixture of letters, symbols, and punctuation, periodically change them, and don’t use the same password for more than one account, “you [will] be an outlier (since the majority of users don’t do them)” and more secure than the vast majority of people.

Phone-based Multi-Factor Authentication isn’t secure either:

MFA based on phones, aka the public switched telephone network or PSTN, is not secure, according to Weinert.

(What is typical MFA? It’s when, for example, a bank sends you a verification code via a text message.)


“When SMS (texting) and voice protocols were developed, they were designed without encryption…What this means is that signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device,” Weinert wrote.

Solution: use app-based authentication, for example Microsoft Authenticator or Google Authenticator. An app is safer because it doesn’t rely on your carrier: the codes are generated in the app itself and expire quickly.
