We have all seen this coming for a long time; in fact, I’m surprised it has taken this long to become obvious that passwords are no longer sufficient security. Sure, they’re OK for things that really don’t matter like news sites and entertainment sites — any site that doesn’t store sensitive information about you — but for all other things they’re just not enough anymore.
Passwords are the “something you know” part of security and therefore the easiest factor to guess or otherwise obtain. Beyond the fact that people tend to use passwords that are easily guessable, here are three other reasons why passwords alone are no longer sufficient security.
1. Duplicate passwords. People tend to use the same password in multiple locations, often using the same one for everything. I don’t know how many times I’ve had people tell me, “I always use xxxxx for my password,” meaning, of course, that when asked to create a password for anything, that’s the one they use.
2. Keylogger infections. Every day, I see computers with bogus “system cleaners,” “system optimizers,” “pc boosters,” etc. infecting them. I can only assume that beyond these junky scams, there is more sinister stuff installed. People just don’t know any better and if it sounds good to them, they click OK. I envision that some sort of message like “Please click here to protect your bank account from unauthorized access” would be a quite effective technique.
3. Phishing scams. I’ve seen some of these in my own inbox that made me do a double take until I dug a bit deeper. If I almost got phished, I promise you someone else really did. Then, once the hacker had the password, he probably tried it on every site the person had, and was probably successful at gaining access to several of them.
Bottom line: Two-factor authentication is not only long overdue, it’s critical if we ever hope to prevent huge data breaches like Target’s and others that have been in the news.