Despite years of predictions about its demise, the password is still the primary means of security and authentication in IT. While the internet is flooded with security blogs offering advice about what makes a “good” password, including not re-using them, making them memorable, the ideal length, etc., new research from Microsoft suggests that most of these rules simply don’t apply to most real-world scenarios.
In an article titled “Your Pa$$word doesn’t matter,” security researcher Alex Weinert breaks down the most common ways passwords are compromised, and what the relative impact password strength has on them.
Credential stuffing - This is when hackers get logins and passwords from other breached sites and try them on other systems. If you re-use a password on a breached site, its strength doesn’t matter, as a hacker most likely already has access to it.
Phishing - Hackers send millions of phony emails every day, typically designing them to coax users into providing their logins and passwords. The strongest password in the world won’t make a difference if it’s provided to an attacker.
Keystroke logging - While nowhere near as common as credential stuffing or phishing, there are strains of malware out there that record and transmit whatever you type. Once again, your password could be a long and random combination of characters and it still won’t offer any protection if it’s intercepted by a hacker.
Local discovery - When dealing with a large number of complicated passwords, some people opt to simply write them down or keep them in text files on their computers. Password strength doesn’t factor into your security if it’s written on a post-it and stuck to your monitor.
While the article does specify password spraying and brute force attacks as being two common means of hacking where passwords actually do matter, the larger point is that focusing too heavily on password strength is ultimately a distraction. Workplace policies such as requiring multi-factor authentication, robust security software, and training to identify phishing attacks can and should be a focus at least on par with not using the name of your cat to protect your computer.
Have questions about securing your office network? Contact Nodal today and we can help!