Are Secure Passwords Still a Thing?

By Susan Firriolo, CPA, CISA, Pet Rescue 990 Project  – July 20, 2023

A large share of breaches begin with stolen credentials. Traditionally, passwords have been the go-to security method and the first line of defense for protecting systems. Phishing (a link in an email or text that leads to a fake login page) is the technique attackers most often use to get them.

Are traditional password policies — creating strong passwords, installing password managers or using two-factor authentication — still protecting data? If not, what are the alternatives?

Traditional Methods

  • Strong passwords. These are long passwords, ideally passphrases, that are not dictionary words and do not appear in lists of previously breached passwords. Older guidance also called for mixing upper- and lowercase letters, numbers and special characters, never sharing the password and changing it every 30 days. Current guidance (NIST SP 800-63B) drops the mandatory complexity rules and the scheduled changes, because both push users toward predictable patterns such as "Summer2023!", and instead favors length, screening against breached-password lists and changing a password only when there is reason to believe it has been compromised. Even a strong password alone is risky: attackers do not need to guess it if they can phish it, replay it from a breach of another site where the user reused it (credential stuffing) or try a few common passwords against many accounts (password spraying), and short passwords still fall to brute-force and dictionary attacks.
  • Password managers. Password managers generate, store and fill complex, unique passwords for every account in an encrypted vault, so users only need to remember one master password. But the master password is still a password and is subject to the same attacks. If it is phished or guessed and the attacker also obtains the vault, they can read every stored credential, change the master password and lock out the user in one stroke. A long, unique master passphrase, MFA on the manager account and a tested recovery process are the practical defenses. Password managers also take time to set up because the user has to enter (or import) usernames and passwords for all their accounts.

Enhanced Protection

There are methods that can be used in combination with passwords to enhance protection. Multi-factor authentication, single sign-on and adaptive authentication are important components in a security program. Here’s how they work:

  • Multi-factor authentication (MFA). Simple MFA requires a password plus a second proof, usually a one-time code sent by email or text, or a push prompt in an authenticator app. MFA offers far more security than a password alone. However, the weaker forms have been defeated: a compromised email account or a SIM swap lets the attacker receive the code, a phishing page can relay a code to the real site before it expires, and MFA fatigue (bombarding the user with push prompts until one is approved out of annoyance) defeats simple push approval. Phishing-resistant MFA, such as FIDO2 security keys, avoids these attacks because the credential is bound to the legitimate site and never travels through the user.
  • Single sign-on (SSO). This is an identity service that lets users log in to multiple applications with a single set of credentials, typically through an identity provider that vouches for the user to each application (SAML and OpenID Connect are the common protocols). SSO is also used with social media, as when an application asks you to sign in with Google or Facebook. Although SSO speeds up moving between applications and gives one place to enforce MFA and disable a departing user, it concentrates risk: the organization depends on the SSO provider, so if the provider goes down, access to every connected application goes with it, and a single compromised SSO account opens every connected application at once.
  • Adaptive authentication. This is a risk-based form of MFA. It evaluates the risk of each sign-in and chooses how much verification to demand based on geolocation, device status, user behavior or other signals. For example, a sign-in from a trusted device at the usual location is low risk, so the user is authenticated without further verification, whereas a user who typically logs on at the office suddenly logging on from another country is suspicious and another form of authentication is required. Advanced systems can also keep checking during the session, for example by requiring a registered USB security key to remain plugged into the user's machine. Adaptive authentication systems are multifaceted and take time to tune: set the thresholds too strictly and legitimate users are locked out, set them too loosely and attackers get in along with everyone else.
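To make the risk-based decision concrete, here is an added example (not from the article or any product) of the kind of policy engine an adaptive authentication system runs. The signals, weights, thresholds and the sample user are all constructed for this illustration. It also folds in the MFA-fatigue point from the first bullet: once a user has rejected several push prompts in a row, another approval proves nothing, so the policy refuses rather than prompting again.

```python
"""Toy risk-based (adaptive) authentication policy.

Given what is known about a user (devices and countries seen before,
recently rejected MFA pushes) and a fresh sign-in attempt, compute a
risk score and decide: accept the password alone, demand a second
factor, or block. Weights and thresholds are illustrative only.
"""
from dataclasses import dataclass


@dataclass
class UserProfile:
    known_devices: set[str]
    usual_countries: set[str]
    # Push prompts the user rejected in the recent window. A burst of
    # rejections is the signature of an MFA-fatigue attack in progress.
    recent_rejected_pushes: int = 0


@dataclass
class SignIn:
    device_id: str
    country: str
    hour_local: int          # 0-23 at the user's location
    failed_passwords: int    # wrong passwords in the last few minutes
    impossible_travel: bool  # last good sign-in was too far away to reach in time


def risk_score(profile: UserProfile, attempt: SignIn) -> int:
    """Sum of weighted risk signals; higher means more suspicious."""
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += 40                       # unrecognized device
    if attempt.country not in profile.usual_countries:
        score += 30                       # unusual country
    if attempt.hour_local < 6 or attempt.hour_local > 22:
        score += 10                       # off-hours
    score += min(attempt.failed_passwords, 5) * 5   # recent guessing
    if attempt.impossible_travel:
        score += 50
    return score


def decide(profile: UserProfile, attempt: SignIn) -> str:
    """Return 'allow', 'step_up' (require a second factor) or 'deny'."""
    # Someone who keeps rejecting prompts is being bombarded; sending
    # yet another prompt only invites the fatigued approval, so refuse.
    if profile.recent_rejected_pushes >= 3:
        return "deny"
    score = risk_score(profile, attempt)
    if score >= 80:
        return "deny"
    if score >= 30:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    # Constructed sample user: one laptop, always signs in from the US.
    alice = UserProfile(known_devices={"laptop-01"}, usual_countries={"US"})
    attempts = [
        SignIn("laptop-01", "US", 10, 0, False),   # routine: allow
        SignIn("new-phone", "US", 10, 0, False),   # new device: step_up
        SignIn("new-phone", "RO", 3, 2, True),     # everything wrong: deny
    ]
    for a in attempts:
        print(f"{a.device_id:10} {a.country} {a.hour_local:02d}h -> {decide(alice, a)}")
```

In a real deployment the "step_up" branch should invoke a phishing-resistant factor where possible, and the weights would be learned from the organization's own sign-in history rather than hand-set.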

Passwordless Systems

Passwordless systems, such as biometrics and hardware tokens, remove the password but do not necessarily make access easier for users.

  • Biometrics. Biometric authentication uses physical characteristics, such as a fingerprint or face, to verify a user. A biometric is hard to forge, but it is not secret and cannot be changed if the stored template leaks, so the template must be protected, ideally kept on the user's own device (as phone fingerprint and face sensors do) rather than in a central database. The systems are expensive, raise privacy concerns, produce both false accepts and false rejects, and sometimes just do not work.
  • Hardware tokens. Hardware tokens are physical devices (such as key fobs, smart cards or USB security keys) that generate one-time codes or sign a challenge from the site to authenticate the user. Without the device, access is denied, so if it is lost the user cannot log in until a replacement is issued and the old one is revoked. A stolen device is less of a catastrophe than it sounds when the token is one factor of two: an OTP fob is useless without the password, and a smart card or security key normally requires a PIN as well. Even so, the loss should be reported and the token disabled immediately.
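The one-time codes that OTP key fobs and authenticator apps display follow a published algorithm, TOTP (RFC 6238, built on HOTP from RFC 4226). The following is an added example, not code from the article, that generates and checks those codes with only the Python standard library. It uses the test secret from RFC 6238 so the output can be compared with the published vectors; the verifier's one-step drift window is a constructed but typical server setting.

```python
"""Time-based one-time passwords (RFC 6238 over RFC 4226 HOTP).

The fob and the server share a secret and a clock. Each 30-second step
both compute HMAC-SHA1(secret, step_counter), truncate it to a few
digits, and the server accepts the code if it matches the current step
or a neighbouring one (to forgive a drifting fob clock).
"""
import hashlib
import hmac
import struct

# Test secret from RFC 6238 Appendix B (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)    # keep leading zeros


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server side: accept the code for the current step or up to drift_steps either side.

    compare_digest avoids leaking how many digits matched through timing.
    A production verifier must also remember codes already accepted so a
    captured code cannot be replayed within the window.
    """
    current = unix_time // STEP_SECONDS
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    # Times from the RFC 6238 test table; expected 6-digit codes are the
    # last six digits of the published 8-digit values.
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(f"t={t:<12} code={totp(TEST_SECRET, t)}  8-digit={totp(TEST_SECRET, t, 8)}")
    print("verify at t=89 with the t=59 code:", verify_totp(TEST_SECRET, "287082", 89))
```

Two things the code makes visible that the bullet above only implies: the code is only as secret as the shared seed, so the seed store on the server is the crown jewel, and nothing in the algorithm ties the code to the site the user is looking at, which is why a phishing page can relay a freshly typed TOTP code to the real site within the 30-second window. Security keys that sign a site-bound challenge close that gap.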

Depending on the size, structure, risk tolerance and other characteristics of an organization, CPAs may want to add another layer of protection on top of passwords, preferably a phishing-resistant one. Passwordless security is on the way and should also be evaluated.


Susan Firriolo, CPA, CISA, is the director and founder of Pet Rescue 990 Project, which provides online tax and advisory services for pet rescue 501(c)(3) organizations. She is a member of several NJCPA interest groups and can be reached at sac2364@gmail.com.

This article appeared in the Summer 2023 issue of New Jersey CPA magazine.