Five reasons single-password authentication should be banned
Marco Essomba is a Certified Application Delivery Networking and Cyber Security Expert with an industry-leading reputation. He is the founder of iCyber-Security (formerly AMPS), a UK-based firm that enables organizations in banking, financial technology, healthcare, retail, and the insurance sector to safeguard their digital assets.

I use passwords a lot. I have different types of passwords: strong, mega strong, and paranoid strong. Some I can remember, some I can't – it drives me mad sometimes. Whether you like passwords or not, single-factor authentication (SFA) – also called single-password authentication – remains one of the most common first lines of defense used by online systems to protect applications and data against unauthorized access. It is also one of the most common attack vectors used by cyber-criminals to break into those systems. My view is that single-password authentication should be banned worldwide. All publicly accessible online systems that rely on a single password should be forced to use at least one form of strong multi-factor authentication (MFA). In this article, I cover five reasons why.
The growing threat of phishing, ransomware, and advanced persistent threats (APTs)
With the rapidly growing number of sophisticated cyberattacks, such as phishing and ransomware, single-factor authentication has had its day. One way to fight back against the rise in cyberattacks is strong MFA. It must be widespread and used as the most basic type of authentication mechanism. Unfortunately, many service providers and organizations still rely on single-factor authentication as their preferred method of authentication for online systems connected to the internet. This is very bad. Here are five reasons why:
1. Humans are naturally ‘lazy’ when it comes to passwords
When we are challenged to create a password, we often choose something we can remember easily. That usually leads to a weak password. Password-generator software can help create very strong passwords. However, many online systems still do not enforce strong password policies, which means users can get away with creating very weak ones.
2. Computing power is increasing dramatically
Password-cracking tools are getting more powerful. With the dramatic increase in computing power, these tools are now widely used by cybercriminals to guess and break passwords quickly using brute-force algorithms. And with quantum computing this power will increase exponentially, allowing password-cracking tools to break even the strongest password in a short period of time.
3. Some service providers still store unencrypted passwords
We hear in the news every day about online systems being breached and personal information stolen. One such case was LinkedIn. By stealing millions of passwords, cybercriminals gained a password database they could use to develop better tools for cracking passwords much faster.
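As an added illustration (not code from the article or its author) of why storage matters in a breach, the snippet below contrasts a plaintext credential record with a salted, iterated PBKDF2-HMAC-SHA256 record and verifies logins against both in constant time. The salt size and iteration count are assumed placeholder values for the example, not a recommendation.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example only; tune the iteration count to your
# own hardware budget rather than copying this placeholder value.
ITERATIONS = 200_000
SALT_BYTES = 16


def store_plaintext(password: str) -> dict:
    """The failure mode from reason 3: the stored record IS the credential."""
    return {"scheme": "plaintext", "secret": password}


def store_hashed(password: str, iterations: int = ITERATIONS) -> dict:
    """Salted, iterated hash: a stolen record cannot be replayed as a login,
    and every guess costs the attacker `iterations` HMAC computations."""
    salt = os.urandom(SALT_BYTES)  # fresh per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2-sha256", "iterations": iterations,
            "salt": salt.hex(), "digest": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against either record type; compare_digest keeps
    the comparison constant-time so timing does not leak partial matches."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["secret"].encode("utf-8"),
                                   candidate.encode("utf-8"))
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["digest"])
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, record["iterations"])
    return hmac.compare_digest(actual, expected)


def leak_reveals_password(record: dict) -> bool:
    """What a copy of the record alone hands an attacker: the password itself
    for a plaintext row, only a per-guess work factor for a hashed row."""
    return record["scheme"] == "plaintext"
```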
4. Password renewal frequency
One way to keep your password safe is to change it on a regular basis, and many online systems enforce this to strengthen security. However, forcing users to change passwords too frequently leads to password fatigue. Unless strict password policies are enforced, users will often re-use previous passwords for convenience.
5. Password fatigue
Too many passwords. Too many online systems. Users are feeling password fatigue. Many organizations are increasingly implementing single sign-on (SSO) to let users log in once with a single password and then gain access to several online systems through a chain of trust. However, if the initial password used to gain access is weak, every system in that chain is weakened with it.
Controlling unauthorized access with strong MFA
In summary, single-password authentication remains one of the most widely used mechanisms for protecting online systems against unauthorized access. Relying on single-password authentication alone is bad practice. I argue that it should be banned completely. All online systems accessible from the internet should be forced to adopt strong MFA policies – this will greatly reduce the rapidly growing number of cyberattacks worldwide.