Computer Active (UK)

Question of the Fortnight

Passwords still matter, but not as much as you may think


What single action blocks 99.9% of security attacks?


Here’s a dispiriting thought: all those hours you’ve spent trying to come up with a strong password have been in vain. It doesn’t matter how many zeroes you use instead of Os, or how many 1s you replace with exclamation marks. Forget about spelling your mother’s maiden name backwards, or alternating lower- and upper-case letters.

That’s the assessment of Alex Weinert, Microsoft’s Group Program Manager for Identity Security and Protection. Actually, he says your password “mostly” doesn’t matter, which is an important caveat.

Writing online in July (www.snipca.com/32652) he said that choosing one of the most guessable passwords, like 123456 or Qwerty, does make a hacker’s job easier. They can use a ‘password spray’ attack in which they type such common passwords along with stolen email addresses and hope for the best.

Basic passwords like these are also easy to guess in brute-force attacks, in which hackers use automated software to try millions of passwords in quick succession.

But Weinert says that in other attacks, the complexity of your password doesn’t determine whether you’re safe. Take phishing scams, for example. If you’re tricked into typing your password into a fake site, then !2Free4f!ve5ix is as useless as 123456. Nor do passwords matter in ‘credential stuffing’ attacks, where hackers buy lists of them on the dark web. Microsoft says it detects 20 million such attacks on its accounts every day.

So if passwords don’t matter that much, what does? The answer is two-factor authentication (also known as 2FA, or two-factor verification). Like so many things in computing, it’s much simpler than its ugly name suggests. It’s a process of signing into an account using two methods, typically on two different devices.

The most common form is when logging into a web account on your computer triggers a one-off code sent to your phone. Only once you type this code on your computer will you be signed in.

It helps to think of this method as requiring something you know (your password), something you have (your phone or a security key) and/or something you are (your fingerprint). Each extra step makes it harder for hackers to sign in as you.

Microsoft says this procedure blocks 99.9 per cent of attacks. In a blog post published last month (www.snipca.com/32651), it stressed the scale of the problem: every day there are 300 million fraudulent attempts to sign into an account; 167 million malware attacks; and 4,000 ransomware strikes.

The blog post is classic marketing: Microsoft highlights the problem, then suggests the cure: its own two-factor authentication service, though just to confuse things it calls it multi-factor authentication (MFA).

Other tech giants encourage users to set up two-factor, including Amazon (www.snipca.com/32657), Facebook (www.snipca.com/32658) and Google (www.google.com/landing/2step).

Some of the world’s smartest hackers claim two-factor authentication is much more vulnerable than companies would like you to think. Last year Kevin Mitnick, once the FBI’s most wanted hacker, showed how scammers can bypass two-factor by sending victims to a fake login site and stealing their browser’s cookie. Google itself reported in March a rise in phishing attacks that sidestep two-factor.

You could say these hacks are the 0.01 per cent that two-factor doesn’t prevent. But for now, that’s as safe as it gets.
