Passwords Alone are Not Enough Anymore

October 31, 2018

There was a time when strong passwords were good enough to protect your information. More recent wisdom recommends we use passphrases, which are longer and much harder to crack.

Today, as phishing attempts get more sophisticated, you must adapt accordingly because passwords alone don’t cut it anymore. There’s even a name for these types of targeted attacks: “spear phishing.” This replaces the scattershot approach to stealing passwords with efforts that are more specific and targeted. The attacker will invariably know who they are targeting, what their role in your company is, who their boss is, and other details. We’ve seen several recent incidents involving our clients.

Here’s an example. We have seen this type of thing in 3 recent incidents: An employee is spear phished and tricked into entering their user name and password into a malicious website that gives the attacker this information. The attacker then uses it to log in as this unsuspecting employee to access their emails, gain confidential company information, and then use it for nefarious purposes.

Say you work in accounting. The criminal will monitor your email until they see an opportunity to insert themselves into the conversation disguised as you. And once that happens, they can request that payment be made, by your client or by you, to a fraudulent bank account set up by the criminal. And it all looks legitimate until it’s too late. Because regardless of how strong a password or passphrase may be, if you unknowingly give it away, you’re completely exposed.

Fortunately, there are tools you can use to help thwart such attacks: multi-factor authentication (MFA) or what’s referred to as two-factor authentication (2FA). You may have noticed your bank using these systems now. MFA works by granting a user access only when they present two or more pieces of information, usually described as “something you know and something you have.” This could be your password plus a code sent by text message to your phone, for example. More sophisticated systems can extend this to add a third factor, “something you are,” like a fingerprint or retinal scan.

MFA is available for free with Office 365, and it’s easy to set up, so we strongly suggest you begin using it immediately if you’re not already doing so. Please contact EXP if you need help setting this up. Or, if you want something even more robust, we can help with that, too. Either way, with spear phishing and similar attacks as sophisticated as they are now, it’s simply too risky to not use one of these tools to protect yourself and your company.
