Microsoft Warns: A Strong Password Doesn’t Work, Neither Does Typical Multi-Factor Authentication
The Director of Identity Security at Microsoft has been warning about the inefficacy of passwords and more recently about standard Multi-Factor Authentication or MFA.
Passwords don’t matter
Earlier this year, Alex Weinert warned that “Your Pa$$word doesn’t matter.” In that post he spelled out the reasons that even strong passwords aren’t necessarily effective.
“When it comes to composition and length, your password (mostly) doesn’t matter,” Microsoft’s Weinert said. He should know: the team he works with at Microsoft defends against hundreds of millions of password-based attacks every day.
“Remember that all your attacker cares about is stealing passwords…That’s a key difference between hypothetical and practical security.” — Microsoft’s Alex Weinert
In other words, the bad guys will do whatever is necessary to steal your password and a strong password isn’t an obstacle when criminals have a lot of time and a lot of tools at their disposal.
In a table, he gave a list of reasons why hackers are often successful. For example:
—Password breach, i.e., the bad guys already have your password.
Risk: massive breaches happen all of the time. Because the attackers already have your password, and because passwords are hard to think up and get reused (62% of users admit reuse), they can break into more than one of your accounts. More than 20 million accounts are probed daily in Microsoft ID systems.
—“Password Spray” aka guessing
Risk: “Sometimes 100s of thousands broken per day. Millions probed daily.”
—Phishing, i.e., fake emails — sometimes very authentic-looking — purportedly from a reputable company that you trust.
Risk: “works…people are curious or worried and ignore warning signs.”
Solution for the above (an exhortation aimed more at tech companies than users): rely more on biometrics such as fingerprint (or a “cognitive fingerprint”*), voice, or face identification, according to Mountain View, Calif.-based Synopsys, which, among other things, is involved in software security. “Those recognition mechanisms are stored only on the user’s device. Passwords are ‘shared secrets’ that reside on both the device and on a server that, as we all know, can get hacked,” Synopsys said.
But Synopsys also adds this: If you make your passwords long and complicated, use a mixture of letters, symbols, and punctuation, periodically change your password, and don’t use the same password for more than one account, “you [will] be an outlier (since the majority of users don’t do them)” i.e., you will be more secure than the vast majority of people.
Phone-based Multi-Factor Authentication isn’t secure either:
MFA based on phones, i.e., the public switched telephone network or PSTN, is not secure, according to Weinert.
(What is typical MFA? It’s when, for example, a bank sends you a verification code via a text message.)
“I believe they’re the least secure of the MFA methods available today,” Weinert wrote in a blog (via ZDNet).
“When SMS (texting) and voice protocols were developed, they were designed without encryption…What this means is that signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device,” Weinert wrote.
Solution: use app-based authentication, for example Microsoft Authenticator or Google Authenticator. An app is safer because it doesn’t rely on your carrier: the codes live in the app itself and expire quickly.
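As an added illustration (not from the article, Microsoft, or any authenticator vendor), this is how an authenticator app’s time-based code works per RFC 6238: the device computes the code from a secret that never leaves it, and the server recomputes the same code independently, so no code travels over the carrier’s network and each one is only accepted for a short window. The secret below is the RFC 4226/6238 test-vector key, used only so the values are checkable, not a real credential.

```python
import hashlib
import hmac
import struct

# Constructed example: the RFC 4226/6238 test-vector key, NOT a real secret.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # one time step; a code is tied to a single step
DIGITS = 6          # what Microsoft/Google Authenticator display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    This is what the app computes locally; nothing is sent to the phone."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = STEP_SECONDS, drift_steps: int = 1) -> bool:
    """Server-side check: recompute the code for the current step and
    +/- drift_steps neighbours (tolerating clock skew) and compare in
    constant time. A code from any older step is treated as expired."""
    current = unix_time // step
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if hmac.compare_digest(hotp(secret, counter), candidate):
            return True
    return False


if __name__ == "__main__":
    # Two adjacent 30-second steps yield different codes; the first code
    # is still accepted one step later (skew) but rejected two minutes on.
    print(totp(SECRET, 59), totp(SECRET, 89))
    print(verify_totp(SECRET, totp(SECRET, 59), 89),
          verify_totp(SECRET, totp(SECRET, 59), 59 + 120))
```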
Originally published by Christopher Pappas on November 14th, 2020, as “Microsoft Warns…” in Forbes [online], available at forbes.com.