Tracking Down the Truth About Login Myths

What are popular login myths really about? 12-digit password, frequent changes or 2FA? Nevis sheds light on the issue of IT security.

Oct 28, 2021 - 4 min.
Sebastian Ulbert

The perfect password for an online account should contain upper- and lower-case letters, special characters and at least 12 numbers – or should it? The seemingly obvious question is entirely justified given the numerous myths about password security in the login process. After all, almost everything that we think we know about passwords is actually wrong. This makes IT security a thorny issue for users. Dealing with it takes time and patience. At the same time, they want to be sure that their personal data is fully protected in the online world. But how does one do it right? Is it OK to use a sister’s name for an online bank account, or is two-factor authentication (2FA) the better bet? Nevis reveals and busts the top 6 myths about the login process in order to seal this popular gateway for cybercriminals in good time.

The primary cause of the growing number of data breaches is the digital merging of personal and work routines on the Internet. That is because humans – the weakest link in the security strategy – tend to react naively when choosing a new password. Regardless of whether this involves accessing a favourite online shop or the login for the company laptop: passwords that are reused or too weak provide a perfect opportunity for hackers to penetrate sensitive systems and cause immeasurable damage. This is an ever-present threat for companies – not even the stricter data protection policies of the GDPR can help in this respect. Therefore, our focus here is on password and login habits, which can be optimized with minimal effort. 

Myth no. 1: Hackers are not interested in my data 

The first myth is a popular excuse for users who believe their time is far too valuable to waste on tiresome login procedures. This is a misconception because every password is of interest to criminals. The key factor here is not the individual user but the amount of damage that can be caused by the hacked password. Once hacked, an online account acts as a gateway. The possible consequences here are unlimited and range from looted bank accounts to the sending of spam all the way to products purchased at the victim’s expense. However, other accounts can also be accessed if the data can also be used to log into other services. And it doesn’t end there. A user’s own account can also be used to launch additional phishing attacks involving the targeted sending of malware to friends, for example. As a result, the circle of those affected expands quickly. 

Myth no. 2: The more complex the password, the better

This statement is false because a password's security is only partially dependent on its complexity. In reality, the extent to which it was randomly chosen and the number of characters it contains are much more important. Put simply, the less the password has to do with the user’s personal life, the more difficult it is to crack. Therefore, you should bear the following in mind: the password should certainly be complex, which means 12 or ideally 16 characters long, and should contain special characters. However, it is also important that it does not adhere to a system. A password consisting of the name of one’s sister and ending with a date of birth can therefore easily be improved. 
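The point that length and randomness matter more than visible complexity can be put in numbers. The following is an added example, not code from Nevis or this article: it compares the entropy a pattern password appears to have with what it really offers once an attacker models the pattern. The name-list and date-range sizes are constructed estimates, not figures from the article.

```python
import math
import string

# Character classes used to size the search space of a genuinely random password.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, based on which classes appear."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def random_entropy_bits(password: str) -> float:
    """Bits of entropy if every character were drawn uniformly from the observed alphabet.
    This is what the password *looks like* to a naive strength meter."""
    return len(password) * math.log2(charset_size(password))


def pattern_entropy_bits(*choice_counts: int) -> float:
    """Bits of entropy of a password assembled from a few human choices.
    The attacker only has to try the product of those choices, not every string."""
    space = 1
    for count in choice_counts:
        space *= count
    return math.log2(space)


# Constructed estimates (assumptions, not data from the article) for the
# 'sister's name + birthday + one symbol' pattern the text mentions.
COMMON_FIRST_NAMES = 10_000        # size of a name list an attacker would try
BIRTHDATES_100_YEARS = 36_525      # all ddmmyyyy values within one century
TRAILING_SYMBOL = len(string.punctuation)  # one punctuation character at the end


def compare(pattern_pw: str, random_pw: str) -> dict:
    """Return the apparent vs. real entropy of a pattern password next to a random one."""
    return {
        "pattern_looks_like": round(random_entropy_bits(pattern_pw), 1),
        "pattern_really_is": round(
            pattern_entropy_bits(COMMON_FIRST_NAMES, BIRTHDATES_100_YEARS, TRAILING_SYMBOL), 1
        ),
        "random_really_is": round(random_entropy_bits(random_pw), 1),
    }


if __name__ == "__main__":
    # 'Julia05071985!' mixes all four classes and is 14 characters long, yet it is
    # built from three guessable choices; the 16-character random string is not.
    print(compare("Julia05071985!", "q7#Lm2vX!pR9zK4w"))
```

The 14-character pattern password scores over 90 bits on a meter that only counts classes and length, but an attacker who models it as name plus date plus symbol faces roughly 33 bits, well inside offline cracking range; the 16-character random string genuinely carries about 105 bits.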

Myth no. 3: Passwords should be changed every eight weeks at the latest 

Changing passwords on a regular basis used to be strongly recommended – but this approach is actually not particularly effective. It turns out that each new password request leads to growing user frustration at having to come up with new combinations. As a result, existing passwords are often only modified slightly each time a change is required. Over time, this significantly reduces the security of the login data. This is why passwords should only be changed regularly if they are actually replaced by a password that is completely new and – most importantly – random. Only then can security be optimised and any similarities eradicated. Alternatively, a good password can be used for extended periods – although it should definitely be changed if a cyberattack is suspected or has occurred.
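A defender can catch the "slightly modified" rotation pattern at the moment a user changes a password, when both the old and the new value are available in plaintext for that one request. The following is an added example, not code from Nevis or the article: it normalises common case and symbol substitutions, then rejects a new password that contains the old one or sits within a small edit distance of it. The similarity threshold and the substitution table are assumptions chosen for illustration.

```python
# Fold case and the usual symbol-for-letter swaps so that 'P@ssw0rd' and
# 'password' compare as near-identical (table is an illustrative assumption).
LEET = str.maketrans("@$0134", "asoiea")


def normalise(password: str) -> str:
    return password.lower().translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or substitutions
    that turn a into b (classic dynamic-programming implementation)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, threshold: float = 0.7) -> bool:
    """True if the new password is a trivial variation of the old one.
    Call this only after the old password has been verified against its stored hash;
    nothing here requires plaintext to be stored."""
    o, n = normalise(old), normalise(new)
    if o in n or n in o:          # 'Summer2021!' -> 'Summer2021!!'
        return True
    similarity = 1 - levenshtein(o, n) / max(len(o), len(n))
    return similarity >= threshold  # 'Summer2021!' -> 'Summer2022!'


if __name__ == "__main__":
    # Constructed sample change requests.
    for old, new in [("Summer2021!", "Summer2022!"),
                     ("Summer2021!", "Summer2021!!"),
                     ("Summer2021!", "h7$Kq2!vLp9mZ")]:
        verdict = "reject" if too_similar(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

The first two changes are exactly the incremental edits the text describes and are refused; the third is a genuinely new random value and passes. In a real deployment the same check is best paired with a breached-password lookup, since a fresh value that already appears in a public dump is no improvement either.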

Myth no. 4: The future of the password is the password 

The future is not quite as simple as that. That’s because there is now a growing debate within the IT industry about developing a long-term replacement for vulnerable password-based login procedures. The trend is moving towards passwordless authentication, which uses a device such as a user’s own smartphone. Combined with biometric authentication already used in the form of fingerprint or facial recognition to unlock a mobile phone, the method is now also set to be implemented for websites and web services. The procedure is doubly protected in this way. After the user name is entered on the PC, access must then be authorized, for instance, using a fingerprint scanned by an app installed on the smartphone. Only then is the user successfully logged in.

Myth no. 5: Biometric logins are too awkward 

Every fingerprint is unique and is therefore the perfect way to prove someone’s digital identity beyond all doubt and to secure their online accounts. And while concerns regarding data processing and privacy are understandable, they are completely without foundation. That’s because biometric data stored on an iPhone, for example, is only held locally in an extremely secure area of the device. There is also no need to worry that one’s own fingerprints might be copied from a door handle or a glass. While this may be a practicable approach for intelligence services in individual cases, this level of effort is simply unthinkable for cybercriminals operating from remote locations.

Myth no. 6: Two-factor authentication (2FA) is unnecessary

Particularly sensitive user accounts that are accessed regularly should be protected by two-factor authentication (2FA) in the online space. This type of authentication goes beyond the password login and includes an extra security step that is required for authorisation: after a user has entered the password in the login area of a website, they are requested to enter an additional code that can easily be generated, for example, by an app or sent as an SMS to the user’s mobile phone number. If the second factor is missing, the user is unable to access their account. In this way, 2FA resembles the procedure used to withdraw cash at the bank counter: what the PIN and bank card are to the financial sector, so too are the password and code to the IT sector. This makes life more difficult for criminals because they must also gain access to the victim’s smartphone as well as the password. Major players such as Amazon, Apple and Google already offer this mechanism.

Let’s finally put an end to the myths – the solution is MFA

One thing’s for sure: the password has had its day and is vulnerable to human weaknesses. This is why we need an alternative that protects user accounts carefully and does not require additional effort. Multi-factor authentication (MFA) makes it possible. It combines 2FA with biometrics to authenticate users using multiple security procedures. To do this, MFA is based on the factors of possession, knowledge, location and biometric features – to prevent identity theft, increase user-friendliness and improve security. This will ensure that users are actually who they claim to be. 
