Are Secure Passwords Still a Thing?

By Susan Firriolo, CPA, CISA, Pet Rescue 990 Project  – July 20, 2023
Are Secure Passwords Still a Thing?

Most cybercrimes occur because of stolen passwords. Traditionally, passwords have been the go-to security method and first line of defense for protecting systems. Phishing attacks (links in emails or texts) are the top technique used by hackers to get passwords.

Are traditional password policies — creating strong passwords, installing password managers or using two-factor authentication — still protecting data? If not, what are the alternatives?

Traditional Methods

  • Strong passwords. These are long and complex passwords containing a combination of upper and lowercase letters, numbers and special characters. Common guidance includes avoiding using dictionary words, not sharing the password and changing it every 30 days. However, using strong passwords alone is risky. Hackers use techniques such as phishing, algorithms or brute force attacks to figure out passwords.
  • Password managers. Password managers have been considered a secure way to generate, store and manage complex passwords using encryption. Users only needed to remember one master password to access all their accounts. But like any password, master passwords are subject to hacking. When a master password is compromised, a hacker can change it, access all accounts and lock out the user in one attack. Password managers also take time to set up because the user has to enter usernames and passwords for all their accounts.

Enhanced Protection

There are methods that can be used in combination with passwords to enhance protection. Multi-factor authentication, single sign-on and adaptive authentication are important components in a security program. Here’s how they work:

  • Multi-factor authentication (MFA). Simple MFA usually requires users to provide a password and an authentication code sent as an email or text to verify the user. MFA offers more security than using passwords alone. However, MFA faces challenges and has been hacked using a compromised email account, sim swaps and a practice called MFA fatigue.
  • Single sign-on (SSO). This is an identity service allowing users to log in to multiple applications using a single set of credentials. SSO is also used with social media such as when an applica­tion asks you to sign in with Google or Facebook. Although SSO increases speed moving between applications, it does have risks: the user network is dependent on the SSO service provider, and if the service provider goes down, so do all user-connected network resources.
  • Adaptive authentication. This is a complex form of MFA. It evaluates user risk and chooses how to validate their identity by geo-location, device status, user behavior or other metrics. For example, logging on with a trusted device is considered a low risk so the user will be authenticated without further verifi­cation whereas it would be suspicious if a user who typically logs on at the office logs on at home. Then another type of authentication would be required to verify the user. Additionally, advanced adaptive authorization factors can con­tinuously be checked during the log-on period, such as requiring a USB device to be plugged into the user’s machine. Adaptive authorization systems are multifaceted and take time to implement. Systems with strong authentication have a tendency to lock users out of applications but systems with weak authorization can give everyone access including hackers.

Passwordless Systems

Passwordless systems, such as biometrics and hardware tokens, may or may not offer users easier access.

  • Biometrics. Biometric authentication involves using physical characteristics, such as fingerprints, facial recognition or other biometrics, to verify a user. Although biometrics cannot be replicated, the systems are expensive, have privacy concerns, can generate false positives and sometimes just do not work.
  • Hardware tokens. Hardware tokens are physical devices (such as key fobs or smart cards) that generate one-time codes to authenticate the user. Without the device, access is denied. If the device is lost, users cannot access the system until a new device is procured. If the device is stolen, all bets are off.

Depending on the size, structure, risk tolerance and other characteristics of an organization, CPAs may want to consider securing passwords by adding another level of protection. Passwordless security is on the way and should also be evaluated.


Susan  Firriolo

Susan Firriolo

Susan Firriolo, CPA, CISA, is the director and founder of Pet Rescue 990 Project, which provides online tax and advisory services for pet rescue 501(c)(3) organizations. She is a member of several NJCPA interest groups and can be reached at sac2364@gmail.com.

This article appeared in the Summer 2023 issue of New Jersey CPA magazine. Read the full issue.