Skip to Content

Why Passwords Are Not Enough

Why Passwords Are Not Enough

password authentication security phone

Photo by indra projects on Pexels

The password has been the primary method of authentication for decades. It is also the primary method of attack. According to Verizon's Data Breach Investigations Report, 81% of breaches involve stolen, weak, or default credentials. The password is failing, and attackers know it.

How Attackers Defeat Passwords

Brute Force Attacks

Automated tools try every possible password combination. The math is brutal: an 8-character password using uppercase, lowercase, numbers, and symbols has approximately 6 quadrillion combinations. That sounds like a lot, but modern GPUs can try billions per second. An 8-character password can be cracked in about 8 hours. A 12-character password takes 63 years. Length matters more than complexity.

Credential Stuffing

Attackers collect passwords from data breaches — LinkedIn, Yahoo, Adobe, and hundreds of others. Billions of leaked credentials are available on the dark web. Attackers take these passwords and try them on other sites. If an employee uses the same password for LinkedIn and their work email, a breach at LinkedIn gives attackers access to your business email. This is why password reuse is so dangerous.

Phishing for Passwords

As covered in the previous section, phishing emails direct employees to fake login pages that capture passwords. This remains the most effective password theft method because it targets humans, not technology.

Keylogging Malware

Malware installed on a computer records every keystroke, including passwords. The attacker receives the captured passwords remotely. This is harder to detect because the password is captured after it is typed correctly.

The Case for Multi-Factor Authentication

Multi-Factor Authentication (MFA) requires users to provide two or more forms of identification before granting access:

  • Something you know — Your password
  • Something you have — Your phone, a hardware key, or an authenticator app
  • Something you are — Fingerprint, facial recognition (less common in business)

Even if an attacker steals your password, they cannot log in without the second factor. Microsoft reports that MFA blocks 99.9% of automated account attacks. This single control is the highest-impact security measure you can implement.

Understanding MFA Methods

Authenticator Apps (Recommended)

Apps like Microsoft Authenticator, Google Authenticator, and Authy generate a 6-digit code that changes every 30 seconds. When you log in, you enter your password plus the current code. The code is generated by a shared secret between your phone and the service — no internet connection required for the code generation.

Pros: No cellular service needed, fast, works offline, free

Cons: Requires initial setup, if you lose your phone you need backup codes

Hardware Security Keys

Devices like YubiKey or Feitian that you plug into a USB port or tap against an NFC reader. They use FIDO2/WebAuthn standards, which are resistant to phishing because they verify the website domain.

Pros: Most secure method, phishing-resistant, no battery needed

Cons: Costs $25-50 per key, employees need to carry it, lost key means account lockout until replaced

SMS Text Messages

The service sends a code to your phone via text message. You enter the code along with your password.

Pros: Easy to set up, everyone knows how to receive a text

Cons: Vulnerable to SIM swapping (attacker convinces your carrier to transfer your number to their phone), message interception, and requires cellular service

Email Codes

The service sends a code to your email. You enter the code along with your password.

Pros: No phone needed

Cons: If your email is compromised, the attacker can receive the code too — defeating the purpose. Only use this if no other option exists.

MFA Priority Order for Your Business

  1. Email accounts — Microsoft 365, Google Workspace. These are the keys to your kingdom. Attackers who compromise email can reset passwords for every other service.
  2. Remote access — VPN, Remote Desktop. These are how attackers get into your network from outside.
  3. Cloud applications — CRM, accounting, file storage. These contain your business data.
  4. Administrative accounts — Router, firewall, server admin. These give attackers full control.

Key Takeaways

  • 81% of breaches involve weak or stolen credentials
  • MFA blocks 99.9% of automated attacks — it is the single highest-impact security measure
  • Authenticator apps are the best balance of security and convenience for small businesses
  • Start with email accounts — they are the gateway to everything else
  • SMS is better than nothing, but authenticator apps are significantly more secure

Why Passwords Are Not Enough

The password has been the primary method of authentication for decades. It is also the primary method of attack. According to Verizon's Data Breach Investigations Report, 81% of breaches involve stolen, weak, or default credentials. The password is failing, and attackers know it.

How Attackers Defeat Passwords

Brute Force Attacks

Automated tools try every possible password combination. The math is brutal: an 8-character password using uppercase, lowercase, numbers, and symbols has approximately 6 quadrillion combinations. That sounds like a lot, but modern GPUs can try billions per second. An 8-character password can be cracked in about 8 hours. A 12-character password takes 63 years. Length matters more than complexity.

Credential Stuffing

Attackers collect passwords from data breaches — LinkedIn, Yahoo, Adobe, and hundreds of others. Billions of leaked credentials are available on the dark web. Attackers take these passwords and try them on other sites. If an employee uses the same password for LinkedIn and their work email, a breach at LinkedIn gives attackers access to your business email. This is why password reuse is so dangerous.

Phishing for Passwords

As covered in the previous section, phishing emails direct employees to fake login pages that capture passwords. This remains the most effective password theft method because it targets humans, not technology.

Keylogging Malware

Malware installed on a computer records every keystroke, including passwords. The attacker receives the captured passwords remotely. This is harder to detect because the password is captured after it is typed correctly.

The Case for Multi-Factor Authentication

Multi-Factor Authentication (MFA) requires users to provide two or more forms of identification before granting access:

  • Something you know — Your password
  • Something you have — Your phone, a hardware key, or an authenticator app
  • Something you are — Fingerprint, facial recognition (less common in business)

Even if an attacker steals your password, they cannot log in without the second factor. Microsoft reports that MFA blocks 99.9% of automated account attacks. This single control is the highest-impact security measure you can implement.

Understanding MFA Methods

Authenticator Apps (Recommended)

Apps like Microsoft Authenticator, Google Authenticator, and Authy generate a 6-digit code that changes every 30 seconds. When you log in, you enter your password plus the current code. The code is generated by a shared secret between your phone and the service — no internet connection required for the code generation.

Pros: No cellular service needed, fast, works offline, free

Cons: Requires initial setup, if you lose your phone you need backup codes

Hardware Security Keys

Devices like YubiKey or Feitian that you plug into a USB port or tap against an NFC reader. They use FIDO2/WebAuthn standards, which are resistant to phishing because they verify the website domain.

Pros: Most secure method, phishing-resistant, no battery needed

Cons: Costs $25-50 per key, employees need to carry it, lost key means account lockout until replaced

SMS Text Messages

The service sends a code to your phone via text message. You enter the code along with your password.

Pros: Easy to set up, everyone knows how to receive a text

Cons: Vulnerable to SIM swapping (attacker convinces your carrier to transfer your number to their phone), message interception, and requires cellular service

Email Codes

The service sends a code to your email. You enter the code along with your password.

Pros: No phone needed

Cons: If your email is compromised, the attacker can receive the code too — defeating the purpose. Only use this if no other option exists.

MFA Priority Order for Your Business

  1. Email accounts — Microsoft 365, Google Workspace. These are the keys to your kingdom. Attackers who compromise email can reset passwords for every other service.
  2. Remote access — VPN, Remote Desktop. These are how attackers get into your network from outside.
  3. Cloud applications — CRM, accounting, file storage. These contain your business data.
  4. Administrative accounts — Router, firewall, server admin. These give attackers full control.

Key Takeaways

  • 81% of breaches involve weak or stolen credentials
  • MFA blocks 99.9% of automated attacks — it is the single highest-impact security measure
  • Authenticator apps are the best balance of security and convenience for small businesses
  • Start with email accounts — they are the gateway to everything else
  • SMS is better than nothing, but authenticator apps are significantly more secure
Rating
0 0

There are no comments for now.

to be the first to leave a comment.