Humans are simply too unreliable.
There are two golden rules when it comes to passwords. Keep them strong, and don’t reuse them. It’s simple, straightforward advice, and it can make a real difference to the security of user accounts. Yet far too often people fail to follow this guidance, leaving themselves and their employers vulnerable to serious security breaches. Bearing this in mind, it’s becoming increasingly clear that businesses can no longer rely on passwords alone to keep their data safe.
Earlier this year, Google discovered that around 1.5% of all logins were made using credentials that had already been stolen by hackers. That doesn’t sound like much, but the firm’s statistics were based on 21 million logins attempts, which means that small percentage equates to about 316,000.
Similar results were recently found by Microsoft, which revealed that approximately 44 million out of the three billion user logins it checked were compromised. That equates to roughly 1.46%.
These statistics show that even at such low percentages, criminals have access to vast numbers of stolen credentials. That should have all businesses worried, because it only takes one compromised account to take down an entire organisation.
In an ideal world, every one of your employees could be trusted to follow best practice with their passwords. But the reality is that people aren’t perfect. They forget to do things, misunderstand instructions and sometimes just can’t be bothered. Human error, which is involved in most cyber breaches, can’t ever be eliminated completely.
So how do you account for the 1.5% of people who reuse compromised logins? With technology.
First of all, you should use multi-factor authentication – if not with all your accounts, then at least with the most important ones. This creates a major obstacle for hackers, because even if they have your login details, they won’t be able to get into your account, without access to your authentication device (usually your phone, but it can also be biometric data or a USB key).
Businesses can further secure their data with device and user management solutions like Microsoft Intune. This enables you to enrol PCs, phones and so on into a list of registered and approved devices. If they’re not enrolled, they simply can’t access company data.
Beyond that, service providers can help by rolling out geotracking features, which detects when sign-in attempts are made from a new location and sends a notification via email or text message to the owner of the account. This is already being used by Microsoft, Google and others.
The big drawback with adding authentication steps, of course, is that it adds complexity and diminishes convenience. For these reasons, it may not be practical to enforce such measures right across the board. Thankfully, though, that’s unlikely to be necessary anyway. Having two-factor authentication set up with work email addresses makes sense, because it could be disastrous if these accounts are hacked into. But you probably wouldn’t need to go to great lengths to lock down your login details for an online forum account that doesn’t include your real name, contact details or payment information (or a reused password!).
For data of value, the slight inconvenience of extra security is a small price to pay, especially compared to what you could lose if you’re hacked.