Strong Passwords and 2FA Not Enough to Keep Your Accounts Secure

Use strong passwords and two-factor authentication (2FA) to protect your accounts.

How many times have you heard this? For the last few years, that has been the standard security advice. But industry experts now point out that, on its own, it is no longer enough.

A hacker armed with an ordinary desktop computer can attempt around 1,000 password guesses per second. With dedicated cracking hardware, or offline against a leaked database of password hashes where nothing throttles the attempts, the rate is far higher. As cybercriminals gain access to more advanced tools, the risk to your accounts grows. Having random passwords and 2FA enabled is not enough on its own to protect yourself.

What's in a Password?

Most websites require a password of at least 8 characters that mixes upper- and lowercase letters, numbers and special characters. Such passwords are a hassle to remember, but they make users feel safe. The key word is "feel."

Since people have a hard time remembering such passwords, they're more likely to reuse them across different sites. If hackers crack one password, they have unlocked several accounts at once; replaying credentials leaked from one breach against other sites (credential stuffing) is routine.

Weak and reused passwords are already easy enough for hackers to crack. But even the most robust password is only as safe as the site storing it. If a site keeps passwords in plaintext, or as fast unsalted hashes, a single breach exposes them regardless of how strong they are.

Security experts have noted that most of us "overestimate the ability of websites to protect their passwords." It only takes one data breach to put every account sharing that password at risk.

Step back and the pattern is clear. From the end user to the website platform and even the hosting provider or ISP, every link in the chain around a password can fail. The long-term solution is to move away from this type of authentication.
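The storage flaw described above, and the guess-rate point from the opening, as an added example that is not part of the original article: a constructed "leaked" user table stored two ways, fast unsalted SHA-256 versus salted scrypt, and the same short guess list run against each. The sample users, passwords and guess list are made up for the demonstration; the scrypt parameters are an assumption chosen to run quickly, not a recommendation.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data: four accounts, two of them reusing the same password,
# and a short list of guesses an attacker would try first.
SAMPLE_USERS = {
    "alice": "Summer2023!",
    "bob": "123456",
    "carol": "Summer2023!",
    "dave": "correct-horse-battery-staple-7",
}
COMMON_GUESSES = ["123456", "password", "qwerty", "Summer2023!", "letmein"]

# Assumed parameters for the demo (~16 MiB per guess); tune upward in production.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def store_unsalted_sha256(password):
    """Weak storage: one fast, unsalted hash. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_scrypt(password):
    """Sound storage: random per-user salt plus a memory-hard KDF."""
    salt = os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def verify_scrypt(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


# What an attacker holds after a breach of each kind of site.
LEAKED_UNSALTED = {u: store_unsalted_sha256(p) for u, p in SAMPLE_USERS.items()}
LEAKED_SCRYPT = {u: store_scrypt(p) for u, p in SAMPLE_USERS.items()}


def crack_unsalted(leaked, guesses):
    """One hash per guess breaks every user at once: without a salt, a precomputed
    table serves all users. Returns (recovered, hash_operations)."""
    table = {store_unsalted_sha256(g): g for g in guesses}
    recovered = {u: table[h] for u, h in leaked.items() if h in table}
    return recovered, len(guesses)


def crack_scrypt(leaked, guesses):
    """The salt forces a fresh KDF run per (user, guess); the KDF cost caps the guess rate."""
    recovered, work = {}, 0
    for u, (salt, digest) in leaked.items():
        for g in guesses:
            work += 1
            if verify_scrypt(g, salt, digest):
                recovered[u] = g
                break
    return recovered, work


if __name__ == "__main__":
    for name, fn, data in [("unsalted SHA-256", crack_unsalted, LEAKED_UNSALTED),
                           ("salted scrypt", crack_scrypt, LEAKED_SCRYPT)]:
        t0 = time.perf_counter()
        found, work = fn(data, COMMON_GUESSES)
        dt = time.perf_counter() - t0
        print(f"{name}: recovered {found} with {work} hash operations in {dt:.3f}s")
    print("alice and carol share a hash:", LEAKED_UNSALTED["alice"] == LEAKED_UNSALTED["carol"])
```

Both runs recover the same three weak passwords, but the unsalted table gives them up for five hash operations total, and also reveals that alice and carol share a password. The salted KDF costs one expensive run per user per guess, which is the only thing standing between a breached database and a cracked one.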

Isn’t Two-Factor Authentication Good Enough?

No. Two-factor authentication has grown in popularity in the last few years. Both 2FA and multi-factor authentication (MFA) add a second step to logging in, and in the most common deployment that step is a one-time password (OTP) delivered by email or SMS message.

It may feel like 2FA enhances your security by a lot. But SMS-based 2FA in particular is much easier to defeat than you realize.

In targeted attacks, hackers use SIM swapping (also called SIM jacking) to intercept OTP codes. The attacker convinces the mobile carrier to port your phone number onto a SIM card they control, using details already gathered from social media and other channels to pass as you. Once the number is theirs, they enter your email address or username on the login page and receive your OTP on their own device.

In other cases, attackers skip the OTP entirely. Malware on the device, or a phishing proxy sitting between you and the real site, can steal the session cookie issued after you complete 2FA, and that cookie grants access with no second factor at all. No matter how you approach it, OTP-based 2FA is susceptible to attack.

Moving Towards Greater Security

Cybercriminals have workable attacks against most mainstream login protections in use today. You can't blame only human memory and the common mistakes people make. There are inherent flaws in systems like SMS 2FA and in how websites store passwords. It's time to move to new solutions.

You can already use biometric fingerprint (https://nordpass.com/features/biometric-fingerprint/) or facial recognition to unlock your phone. In China, prominent technology players such as Tencent, through WeChat, have already rolled out systems that let users pay with a facial scan. You don't even need a mobile phone for it to work.

Many experts consider China's payment system among the most advanced in the world, and Western countries can learn a lot from this model. The technology is already available, but adoption rates are still low. For reference, the US didn't see widespread use of chip payments until 2015, roughly 20 years after Europe.

Despite everything, passwords won't go away anytime soon. In the meantime, use a password manager: it stores passwords safely, generates a unique random credential for every site, and autofills them in your browser, so you never need to create or remember them. Autofill has a side benefit, too. A good manager only fills credentials on the domain they were saved for, which makes a look-alike phishing page stand out when nothing appears.

There's no reason to abandon 2FA either, especially if a website offers no alternative. Where you can, prefer an authenticator app or a push prompt over SMS; Google, Apple and many other companies offer smartphone-app logins for exactly this reason.

USB or hardware security keys are an excellent option too. Because the key signs a login challenge bound to the website's origin, it cannot produce a valid login for a look-alike site: the key itself checks that the site is legitimate before any credential is used.
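How that origin binding defeats a phishing proxy, as an added example that is not part of the original article and not any vendor's code. It follows the shape of a WebAuthn assertion (clientDataJSON carrying the origin and challenge, authenticatorData starting with SHA-256 of the relying-party ID) and runs the relying-party checks against a legitimate login, a replayed assertion and a look-alike site relaying the bank's real challenge. The site names are constructed, the RP ID is simplified to the origin's host, and HMAC with a per-site secret stands in for the per-site private-key signature a real key would produce, so that the example runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import os

RP_ORIGIN, RP_ID = "https://bank.example", "bank.example"                # the real site (constructed)
PHISH_ORIGIN, PHISH_ID = "https://bank-example.com", "bank-example.com"  # look-alike proxy (constructed)


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Authenticator:
    """Stand-in for a hardware key. A real key signs with a per-site private key;
    here HMAC with a per-site secret stands in (assumption). Credentials are scoped
    to the RP ID they were created for, which is the property that matters."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        self._creds[rp_id] = os.urandom(32)
        return self._creds[rp_id]  # what the site stores (a public key with a real key)

    def get_assertion(self, rp_id, client_data_json):
        key = self._creds.get(rp_id)
        if key is None:
            raise KeyError(f"no credential scoped to {rp_id}")
        # authenticatorData: SHA-256(rpId) || flags (user-presence bit set) || 4-byte counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def browser_get(authenticator, origin, challenge):
    """The browser, not the user, writes the origin into clientDataJSON and derives the
    RP ID from it (simplified to the host here), so a look-alike site cannot claim to be the bank."""
    rp_id = origin.split("://", 1)[1].split("/")[0].split(":")[0]
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": origin}, separators=(",", ":")).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, cdj)
    return cdj, auth_data, sig


def verify_assertion(stored_key, challenge, cdj, auth_data, sig):
    """Relying-party checks in the order WebAuthn lists them; returns (ok, reason)."""
    cd = json.loads(cdj)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    expected = hmac.new(stored_key, auth_data + hashlib.sha256(cdj).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(authenticator, stored_key, challenge):
    return verify_assertion(stored_key, challenge, *browser_get(authenticator, RP_ORIGIN, challenge))


def phishing_relay(authenticator, stored_key, challenge):
    """Adversary-in-the-middle proxy on PHISH_ORIGIN forwards the bank's real challenge
    to the victim's browser and relays whatever comes back to the bank."""
    try:
        cdj, auth_data, sig = browser_get(authenticator, PHISH_ORIGIN, challenge)
    except KeyError as e:
        return False, str(e)  # the key was never registered there, so it does not even respond
    return verify_assertion(stored_key, challenge, cdj, auth_data, sig)


if __name__ == "__main__":
    key = Authenticator()
    stored = key.register(RP_ID)
    print("legitimate:", legitimate_login(key, stored, os.urandom(32)))
    print("phishing relay:", phishing_relay(key, stored, os.urandom(32)))
    key.register(PHISH_ID)  # even if the victim once enrolled the key at the look-alike site
    print("phishing relay, key enrolled at look-alike:", phishing_relay(key, stored, os.urandom(32)))
```

Compare this with an SMS code: the code is six digits the user types into whatever page is in front of them, so a proxy simply forwards it. Here the browser stamps the real origin into the signed data, and the bank rejects anything whose origin or rpIdHash is not its own, whatever the user believed they were looking at.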

Finally, it's time to embrace biometric authentication. Most banking apps already let you log in with the fingerprint or facial data enrolled on your phone. It's fast and convenient, and on modern phones it is also secure in a specific way: the biometric template never leaves the device, and the app only receives a yes-or-no answer from the phone's secure hardware, which then unlocks a key stored there. More platforms are adopting it, so keep an eye out for where else you can use it.

You Can’t Be 100% Safe, But You Can Get Close

Cybercriminals have a massive arsenal of tools for stealing login credentials, harvesting data and stealing identities. But for the most part, they prey on easy targets. A few simple steps, such as using a password manager, a hardware security key and biometric authentication wherever they are offered, put a strong shield around you and your data.


Illustration: Slidesgo / FreePik
