Add Multi-Factor Authentication: Because Bad Habits Die Hard


Websites with simple username and password logins need the added protection of multi-factor authentication (MFA) to enhance security in today’s heightened threat environment.

It looks like this might be a good time to revisit password security issues and review the benefits of Multi-Factor Authentication (MFA). In an earlier post last month on network security, we cited the recent network security breach that exposed nearly 2 million login credentials and passwords to various email, social media and other Internet site accounts. Security researchers at Trustwave SpiderLabs discovered the security breach and shared the data in their blog post, “Look What I Found, Moar Pony!”

In their report, Trustwave included an analysis of user password selection habits, including a list of the top 10 passwords that were compromised in this latest breach. Looks like old, bad habits die hard, too. We visited the issue of weak passwords in a post two years ago, “Are Your Passwords on the Naughty List?”, covering a list of the most popular (and worst) passwords shared in a Time Magazine report.

Five of the passwords in the Time article list appear in the top 11 passwords reported stolen in Trustwave’s report on the latest network security breach. In fact, “123456”, the #2 worst password on the Time list two years ago, was the #1 password stolen on Trustwave’s list as well as in the Adobe hack in October 2013. It doesn’t get much better. The #1 worst password two years ago, “password”, was #5 on the Trustwave list. In Trustwave’s analysis of overall password strength, 34% of passwords were rated “Bad” or “Terrible”, 44% were “Medium” and only 22% were called out as “Good” or “Excellent”.

So where do we begin? If you haven’t already, start with establishing password best practices for your employees—and enforce compliance. Here are a few suggestions.

  • Require longer, complex passwords at least 10 to 12 characters in length, using multiple character types, including upper and lower case alphabetic, numeric and special characters. We know. They’re harder to remember. They’re also harder to crack. PC World’s “Building a better password: Simple changes add strength” offers helpful tips for creating complex, yet memorable passwords for users.
  • Implement scheduled, periodic required changes and updates to passwords. This creates a moving target for hackers, one that is more difficult to hit. 
  • Consider requiring different passwords for different devices, systems and accounts. With identical passwords for all systems, it only takes one breach to compromise multiple “secured” assets.
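
An added example, not part of the original post: a minimal check for the first suggestion above (length and character types), combined with a deny-list comparison built from the two passwords the article names. The function names, the 10-character floor and the substitution table are assumptions made for illustration.

```python
import re
import string

# Constructed deny list: only the two passwords the article names. A real
# deployment would load a far larger breached-password list (assumption).
DENYLIST = {"123456", "password"}

MIN_LENGTH = 10  # lower bound of the article's "10 to 12 characters"

# Common character substitutions undone before the deny-list comparison.
LEET = str.maketrans("@0$3", "aose")

CLASSES = {
    "upper-case letter": string.ascii_uppercase,
    "lower-case letter": string.ascii_lowercase,
    "digit": string.digits,
    "special character": string.punctuation,
}


def base_word(password):
    """Lower-case, drop the trailing run of digits/symbols, undo substitutions."""
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def check_password(password):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"missing {name}")
    # Complexity rules alone accept decorated versions of known-bad passwords,
    # so compare both the raw and the normalised form against the deny list.
    if password.lower() in DENYLIST or base_word(password) in DENYLIST:
        problems.append("based on a known-compromised password")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("123456", "P@ssw0rd2013!", "Maple-Trolley7-Quartz"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The second sample meets every length and character-type rule yet is still rejected, which is why the deny-list step sits alongside the complexity checks.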

Next, it’s time to make Multi-Factor Authentication a part of a comprehensive unified threat management strategy. Single password security is pretty much history. Downloadable cracking tools can easily break simple five-character passwords, and new cloud-based password cracking tools can make 300 million attempts to crack passwords in minutes. MFA typically consists of two or more login steps. For example, Windstream’s Managed Network Security solution lets customers incorporate their own authentication platform, so they can keep their existing RSA server solution and use its tokens for VPN access, etc. As security threats increase and businesses and organizations move to cloud-based services and mobile connectivity, they’re also moving to an integrated, layered approach to network security.

Talk to a Windstream advisor about network security options and unified threat management solutions. Break those old (maybe bad?) habits with a few mandatory best practice protocols—and add another layer of security to your unified threat management strategy with a Multi-Factor Authentication solution.