A month ago we told you how MFA (Multi-Factor Authentication) is an essential part of your encryption strategy. This month we’re letting someone else tell you the same thing for even more confirmation.
Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft posted an extremely comprehensive blog detailing exactly what Microsoft has learned from years of managing Azure Active Directory connected accounts. It’s summed up in one simple statement:
Your Password Doesn’t Matter
Check out the post yourself (it’s fascinating reading!) for the specifics, but the fact remains that Microsoft has crunched the numbers for us. With over 300 million accounts probed daily in Microsoft ID systems they have the data to back up their claims. For the vast majority of attacks the length and complexity of your password makes no difference to how ‘crackable’ it is.
Even using a password manager that generates random, lengthy passwords isn’t going to make a significant difference – and that raises other concerns like usability and creating a single high-value target. It’s incredibly likely that your password is already in the list of the 500 million common passwords that hackers are continually testing against, so you’re going to be just one of those 300 million accounts they hit each day. And that’s assuming they aren’t specifically targeting you. If so, it’s going to be even easier for them to hack you via phishing, keystroke logging, local discovery or some other method. The numbers don’t lie and your password doesn’t matter.
What Matters Is MFA
If you have multi-factor authentication, Microsoft recommends using it – regardless if it's something as simple as SMS-based one-time passwords or advanced biometrics solutions.
"Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA," said Alex Weinert. “Enabling a multi-factor authentication solution blocks 99.9% of these unauthorized login attempts, even if hackers have a copy of a user's current password.” Note that there’s still that other 0.1%, of course. That accounts for more sophisticated attacks that use technical solutions for capturing MFA tokens, but these attacks are vanishingly rare when compared to the daily churn of credential-stuffing botnets.
And if you don’t want to take Microsoft’s word for it, take it from Google. A few months ago their security blog outlined their own research on the subject, claiming that “simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks.” This is another blog post that’s worth reading – especially since Google is trying to unify everything online via your Google account.
In the meantime, make sure that your most sensitive data is kept secure and compliant with regulations by enabling MFA. It’s supported in Progress’s MOVEit Transfer with award-winning MFA capabilities that let you securely control user access, as well user-class-based password expiration policies, and single-sign on. MOVEit Transfer also supports Secure Folder Sharing, making it simple for internal and external users to securely and easily collaborate while maintaining a complete audit trail.
To learn more or request a free trial, click here.