With the increasing uptake of Multi-Factor Authentication (MFA), the age of the password seems to be coming to an end. MFA adds extra layers of security when logging in to and accessing platforms and devices, and Microsoft recently said that using it blocks 99.9% of account hacks.
With 300 million fraudulent sign-in attempts to the company's cloud services every day, the software giant is in a good position to comment on the effectiveness of MFA. If a service provider supports multi-factor authentication, the tech giant recommends taking advantage of it, whether that might be in the form of a text message or something more complex, such as biometric data.
Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft, said: "Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA." He added that the old advice of using long or complicated passwords doesn't help keep accounts secure. Weinert first started work to ban passwords in 2016, after a security breach.
Although Microsoft's backing for MFA is a strong endorsement, it isn't the first. In May, Google advised users to improve the security of their accounts by adding a recovery phone number to the details held, thereby indirectly enabling an MFA process based on SMS text delivery.
"Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation," the company said.
Now that Microsoft has dropped its password expiration policy for Windows 10 and Windows Server, users need not worry about changing passwords regularly – and their systems will no longer repeatedly prompt them to do so. Part of the reasoning is that a 30, 60, or 90-day time frame for changing passwords is of little use if a password is compromised, because it still gives hackers a significant window of opportunity for unauthorised access – and passwords no longer take up to 90 days to crack, as the age-old cybersecurity guidelines assumed.
The flip side of the argument is that if a password hasn't been stolen or discovered, there's no need to change it anyway. In addition, former Federal Trade Commission chief technologist Lorrie Cranor pointed out in 2016 that if a hacker knows a password, they are likely to be able to guess its replacement even when it is changed. Most people, when forced to come up with new passwords, will simply add a 1 or 2 at the end to help them remember the new one.
While the old advice was for strong passwords, the latest way of thinking is that multiple layers of complexity are the way forward to achieve the best level of cybersecurity. Here at GCC, part of our software support is based on giving our customers all the information they need to ensure their systems and data remain safe and secure. Talk to us today to find out more about why passwords are quickly becoming a thing of the past.