- Principia Raid
Your Password Doesn't Matter: warnings from Microsoft and the argument for app-based authentication
Alex Weinert is the Director of Identity Security at Microsoft. He's well recognized as someone who knows more than a few things about the security of authentication as per his impressive bio ....'a long time thought leader in the identity and security space, Weinert works with his team to protect all Microsoft account and Azure Active Directory users from cybercrime.' If you've logged in to ANY Microsoft Cloud solution, his team has protected the security of your authentication. Been there. Done that. MADE the T-Shirt.
Last year Alex penned an article for the Azure Active Directory Identity Blog that got some attention and has recently been getting revisited in the news. Here's the link:
In effect, the article goes into some detail to make his point, which he communicates pretty clearly in the title: Your Pa$$word doesn't matter. Alex tries to make the point that all of the time spent on enforcing rules to ensure the necessary level of password complexity to properly protect your digital identity is WASTED EFFORT that would be better spent on things that would really help, like proper multi-factor authentication. He suggests that instead of distracting users with password complexity rules, just implementing the right additional authentication tools would be a better approach. And he's clearly not wrong.
The article is a great read, though it does take us all the way down the rabbit hole to explain how password attacks work and how the password itself factors into the equation. The main point is that due to the sophistication of some of the available hacker tool sets today and the resources behind some of the bad actors trying to get your data, your password mostly doesn't matter. More secure is BETTER, and following the complexity rules HELPS, but is not good enough on its own without the addition of properly configured and implemented multi-factor authentication. If all the bad guys want is your data, a strong password is not enough of an obstacle when the criminals have a lot of time and a lot of tools.
The password risk situation is amplified due to a number of factors. Because massive breaches happen all the time, it's entirely possible that the average user has already been exposed in one breach or another. And since many users are in the habit of re-using passwords, the previous breach can impact currently active accounts. According to Microsoft, more than 20 million accounts PER DAY are probed against known breached credentials lists. Added to this is the 'Password Spray' risk with guessing attempts based on personal data available via social media accounts, with hundreds of thousands of accounts compromised PER DAY and Phishing attempts that end up being successful with increasing frequency.
How do you protect against these risks? It's STILL recommended to follow the password complexity guidelines, since doing this will put you in a lower risk group as most users don't follow these guidelines. But this alone is not enough. Adding a multi-factor authentication component is critical. And selecting WHICH multi-factor approach will impact how secure you might be....or not. It's been argued that phone-based MFA, with the service sending SMS messages as your 2nd factor, is not necessarily secure since it relies on the publicly switched telephone network (PSTN), which can be open to compromise. In his article, Alex Weinert writes that he believes phone-based MFA relying on SMS is the least secure of the methods available today. “When SMS (texting) and voice protocols were developed, they were designed without encryption...What this means is that signals can be intercepted by anyone who can get access to the switching network or within the radio range of a device,” Weinert wrote.
What's the solution here? Use app-based authentication wherever possible. An app like Google Authenticator, Microsoft Authenticator or the authenticator tool that's bundled with your password manager (like LastPass Authenticator) is viewed as much safer since it's not bundled with your phone carrier AND the codes only exist in the app with a relatively short expiry time. The likelihood of compromise when using this combination of tools is reduced to a level that is almost negligible by today's standards. Your account is more than 99.9% less likely to be compromised. That's a much more acceptable level of risk.
Need some help with your identity protection and authentication efforts? Contact us....