Why Passwords Are Not Enough
Why Passwords Are Not Enough

Photo by indra projects on Pexels
The password has been the primary method of authentication for decades. It is also the primary method of attack. According to Verizon's Data Breach Investigations Report, 81% of breaches involve stolen, weak, or default credentials. The password is failing, and attackers know it.
How Attackers Defeat Passwords
Brute Force Attacks
Automated tools try every possible password combination. The math is brutal: an 8-character password using uppercase, lowercase, numbers, and symbols has approximately 6 quadrillion combinations. That sounds like a lot, but modern GPUs can try billions per second. An 8-character password can be cracked in about 8 hours. A 12-character password takes 63 years. Length matters more than complexity.
Credential Stuffing
Attackers collect passwords from data breaches — LinkedIn, Yahoo, Adobe, and hundreds of others. Billions of leaked credentials are available on the dark web. Attackers take these passwords and try them on other sites. If an employee uses the same password for LinkedIn and their work email, a breach at LinkedIn gives attackers access to your business email. This is why password reuse is so dangerous.
Phishing for Passwords
As covered in the previous section, phishing emails direct employees to fake login pages that capture passwords. This remains the most effective password theft method because it targets humans, not technology.
Keylogging Malware
Malware installed on a computer records every keystroke, including passwords. The attacker receives the captured passwords remotely. This is harder to detect because the password is captured after it is typed correctly.
The Case for Multi-Factor Authentication
Multi-Factor Authentication (MFA) requires users to provide two or more forms of identification before granting access:
- Something you know — Your password
- Something you have — Your phone, a hardware key, or an authenticator app
- Something you are — Fingerprint, facial recognition (less common in business)
Even if an attacker steals your password, they cannot log in without the second factor. Microsoft reports that MFA blocks 99.9% of automated account attacks. This single control is the highest-impact security measure you can implement.
Understanding MFA Methods
Authenticator Apps (Recommended)
Apps like Microsoft Authenticator, Google Authenticator, and Authy generate a 6-digit code that changes every 30 seconds. When you log in, you enter your password plus the current code. The code is generated by a shared secret between your phone and the service — no internet connection required for the code generation.
Pros: No cellular service needed, fast, works offline, free
Cons: Requires initial setup, if you lose your phone you need backup codes
Hardware Security Keys
Devices like YubiKey or Feitian that you plug into a USB port or tap against an NFC reader. They use FIDO2/WebAuthn standards, which are resistant to phishing because they verify the website domain.
Pros: Most secure method, phishing-resistant, no battery needed
Cons: Costs $25-50 per key, employees need to carry it, lost key means account lockout until replaced
SMS Text Messages
The service sends a code to your phone via text message. You enter the code along with your password.
Pros: Easy to set up, everyone knows how to receive a text
Cons: Vulnerable to SIM swapping (attacker convinces your carrier to transfer your number to their phone), message interception, and requires cellular service
Email Codes
The service sends a code to your email. You enter the code along with your password.
Pros: No phone needed
Cons: If your email is compromised, the attacker can receive the code too — defeating the purpose. Only use this if no other option exists.
MFA Priority Order for Your Business
- Email accounts — Microsoft 365, Google Workspace. These are the keys to your kingdom. Attackers who compromise email can reset passwords for every other service.
- Remote access — VPN, Remote Desktop. These are how attackers get into your network from outside.
- Cloud applications — CRM, accounting, file storage. These contain your business data.
- Administrative accounts — Router, firewall, server admin. These give attackers full control.
Key Takeaways
- 81% of breaches involve weak or stolen credentials
- MFA blocks 99.9% of automated attacks — it is the single highest-impact security measure
- Authenticator apps are the best balance of security and convenience for small businesses
- Start with email accounts — they are the gateway to everything else
- SMS is better than nothing, but authenticator apps are significantly more secure
Why Passwords Are Not Enough
The password has been the primary method of authentication for decades. It is also the primary method of attack. According to Verizon's Data Breach Investigations Report, 81% of breaches involve stolen, weak, or default credentials. The password is failing, and attackers know it.
How Attackers Defeat Passwords
Brute Force Attacks
Automated tools try every possible password combination. The math is brutal: an 8-character password using uppercase, lowercase, numbers, and symbols has approximately 6 quadrillion combinations. That sounds like a lot, but modern GPUs can try billions per second. An 8-character password can be cracked in about 8 hours. A 12-character password takes 63 years. Length matters more than complexity.
Credential Stuffing
Attackers collect passwords from data breaches — LinkedIn, Yahoo, Adobe, and hundreds of others. Billions of leaked credentials are available on the dark web. Attackers take these passwords and try them on other sites. If an employee uses the same password for LinkedIn and their work email, a breach at LinkedIn gives attackers access to your business email. This is why password reuse is so dangerous.
Phishing for Passwords
As covered in the previous section, phishing emails direct employees to fake login pages that capture passwords. This remains the most effective password theft method because it targets humans, not technology.
Keylogging Malware
Malware installed on a computer records every keystroke, including passwords. The attacker receives the captured passwords remotely. This is harder to detect because the password is captured after it is typed correctly.
The Case for Multi-Factor Authentication
Multi-Factor Authentication (MFA) requires users to provide two or more forms of identification before granting access:
- Something you know — Your password
- Something you have — Your phone, a hardware key, or an authenticator app
- Something you are — Fingerprint, facial recognition (less common in business)
Even if an attacker steals your password, they cannot log in without the second factor. Microsoft reports that MFA blocks 99.9% of automated account attacks. This single control is the highest-impact security measure you can implement.
Understanding MFA Methods
Authenticator Apps (Recommended)
Apps like Microsoft Authenticator, Google Authenticator, and Authy generate a 6-digit code that changes every 30 seconds. When you log in, you enter your password plus the current code. The code is generated by a shared secret between your phone and the service — no internet connection required for the code generation.
Pros: No cellular service needed, fast, works offline, free
Cons: Requires initial setup, if you lose your phone you need backup codes
Hardware Security Keys
Devices like YubiKey or Feitian that you plug into a USB port or tap against an NFC reader. They use FIDO2/WebAuthn standards, which are resistant to phishing because they verify the website domain.
Pros: Most secure method, phishing-resistant, no battery needed
Cons: Costs $25-50 per key, employees need to carry it, lost key means account lockout until replaced
SMS Text Messages
The service sends a code to your phone via text message. You enter the code along with your password.
Pros: Easy to set up, everyone knows how to receive a text
Cons: Vulnerable to SIM swapping (attacker convinces your carrier to transfer your number to their phone), message interception, and requires cellular service
Email Codes
The service sends a code to your email. You enter the code along with your password.
Pros: No phone needed
Cons: If your email is compromised, the attacker can receive the code too — defeating the purpose. Only use this if no other option exists.
MFA Priority Order for Your Business
- Email accounts — Microsoft 365, Google Workspace. These are the keys to your kingdom. Attackers who compromise email can reset passwords for every other service.
- Remote access — VPN, Remote Desktop. These are how attackers get into your network from outside.
- Cloud applications — CRM, accounting, file storage. These contain your business data.
- Administrative accounts — Router, firewall, server admin. These give attackers full control.
Key Takeaways
- 81% of breaches involve weak or stolen credentials
- MFA blocks 99.9% of automated attacks — it is the single highest-impact security measure
- Authenticator apps are the best balance of security and convenience for small businesses
- Start with email accounts — they are the gateway to everything else
- SMS is better than nothing, but authenticator apps are significantly more secure
There are no comments for now.