Experts from Microsoft, Google, and elsewhere suggest that users who enable multi-factor authentication (MFA) for their accounts end up blocking 99.9% of automated (bot) attacks. DriveStrike proudly supports MFA and highly encourages you to use it everywhere you can!
If a service provider supports multi-factor authentication, we recommend using it, even if the secondary authentication is as simple as SMS-based one-time passwords.
Several security studies show that automated security attacks (the vast majority of cyber attacks) fail when MFA is in place and the cost for attackers rises exponentially as the barriers to their malicious attempts increase.
Google reported: “Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.”
Complex and Long Passwords don’t work as well anymore
Inexpensive, powerful computing is pervasive, which means hackers have access to a vast arsenal of cyber weapons. The old advice of “don’t use a breached password” (lists are available at https://haveibeenpwned.com/) or “use really long, complicated passwords” doesn’t help as much anymore.
Cybersecurity experts have shown that, despite blocking leaked credentials or enforcing long, complex passwords, hackers continue to compromise accounts at an alarming rate.
Consider the various methods hackers use to compromise users’ credentials; in most cases, the password and its complexity don’t matter.
| Attack | AKA . . . | Frequency | Difficulty: Mechanism | User assists attacker by . . . | Does your password matter? |
|---|---|---|---|---|---|
| Credential stuffing | Breach replay, list cleaning | Very high – 20+M accounts probed daily | Very easy: Purchase creds gathered from breached sites with bad data-at-rest policies, test for matches on other systems. List cleaning tools are readily available. | Reusing passwords on more than one account. More than 50% of users reuse their passwords for other systems. | No – attacker has the exact password. |
| Phishing | Man-in-the-middle, credential interception | Very high – ½% of all inbound mails. | Easy: Send emails that promise entertainment or threaten, and link the user to a cloned site for sign-in. Capture credentials in the process. | People are busy, distracted, curious or worried and drop their guard. | No – user gives the password to the attacker. |
| Keystroke logging | Malware, sniffing | Low. | Medium: Malware records and transmits everything you enter on the keyboard, including usernames and passwords. | Visiting insecure websites, downloading unvetted software, failing to run virus scans regularly. | No – malware captures and sends everything typed. |
| Local discovery | Dumpster diving, physical recon, network scanning | Low. | Difficult: Search office or journal for written passwords. Network scan for open shares. Scan for creds in code or maintenance scripts. | Writing passwords down (too many to remember); using passwords for other accounts. | No – exact password discovered. |
| Extortion | Blackmail, insider threat | Very low. | Difficult: Threaten to harm or embarrass unless they give up the goods. | Failing to report. | No – exact password disclosed. |
| Password spray | Guessing, hammering | Very high – millions probed daily. | Trivial: Use easily acquired user lists, attempt the same password over a very large number of usernames and accounts. Throttle speed and distribute across many IPs to hamper detection. Tools are everywhere and inexpensive. | Using common or compromised passwords. | No – with enough time the password is compromised. |
| Brute force | Database extraction, cracking | Very low. | Varies: Penetrate network to extract files. Perform hash cracking on the password. Difficulty varies with the encryption used. | None. | No – with enough time the password is compromised. |
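The two high-frequency rows in the table, credential stuffing and password spray, look the same from the account owner's side (a correct or near-correct password arrives from somewhere unexpected) but leave a distinctive shape in authentication logs: one source trying a few attempts against many different usernames, as opposed to brute force, which hammers one username. The following is an added example, not code from DriveStrike or the original article, of a small log-shape classifier a defender might run over sign-in records. The log format, the thresholds and the sample lines are all constructed here for illustration.

```python
"""Classify authentication sources as password spray, brute force or normal.

Added example with a constructed log format:
    "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>"
Thresholds are illustrative assumptions, not values from any vendor.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real data). 203.0.113.10 sprays one guess across
# many accounts; 198.51.100.7 hammers a single account; 192.0.2.25 is a user
# who mistyped once and then signed in.
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.10 alice FAIL
2024-05-01T09:00:02 203.0.113.10 bob FAIL
2024-05-01T09:00:03 203.0.113.10 carol FAIL
2024-05-01T09:00:04 203.0.113.10 dave FAIL
2024-05-01T09:00:05 203.0.113.10 erin FAIL
2024-05-01T09:00:06 203.0.113.10 frank FAIL
2024-05-01T09:00:10 198.51.100.7 alice FAIL
2024-05-01T09:00:11 198.51.100.7 alice FAIL
2024-05-01T09:00:12 198.51.100.7 alice FAIL
2024-05-01T09:00:13 198.51.100.7 alice FAIL
2024-05-01T09:00:14 198.51.100.7 alice FAIL
2024-05-01T09:00:15 198.51.100.7 alice FAIL
2024-05-01T09:00:16 198.51.100.7 alice FAIL
2024-05-01T09:00:17 198.51.100.7 alice FAIL
2024-05-01T09:00:18 198.51.100.7 alice FAIL
2024-05-01T09:00:19 198.51.100.7 alice FAIL
2024-05-01T09:01:00 192.0.2.25 grace FAIL
2024-05-01T09:01:30 192.0.2.25 grace SUCCESS
"""


@dataclass(frozen=True)
class AuthEvent:
    timestamp: str
    source_ip: str
    username: str
    success: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("SUCCESS", "FAIL"):
            continue
        events.append(AuthEvent(parts[0], parts[1], parts[2], parts[3] == "SUCCESS"))
    return events


def classify_sources(
    events: list[AuthEvent],
    spray_min_users: int = 5,      # distinct usernames failed from one source
    spray_max_per_user: int = 2,   # ...with at most this many failures each
    brute_min_attempts: int = 8,   # failures against a single username
) -> dict[str, str]:
    """Label each source IP as 'password_spray', 'brute_force' or 'normal'.

    Spray: many distinct users, few failures per user (the 'same password over
    a very large number of usernames' pattern). Brute force: many failures
    concentrated on one user. Everything else is 'normal'.
    """
    failures_by_user: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if not ev.success:
            failures_by_user[ev.source_ip][ev.username] += 1
        else:
            failures_by_user[ev.source_ip]  # ensure the source is listed

    labels = {}
    for ip, per_user in failures_by_user.items():
        distinct_users = len(per_user)
        max_per_user = max(per_user.values(), default=0)
        if distinct_users >= spray_min_users and max_per_user <= spray_max_per_user:
            labels[ip] = "password_spray"
        elif max_per_user >= brute_min_attempts:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "normal"
    return labels


if __name__ == "__main__":
    for ip, label in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:15} {label}")
```

In production this logic would run over a time window (for example, per hour) rather than a whole file, and a spray that is throttled and spread across many IPs, as the table notes, shows up only when you aggregate by target tenant rather than by source address; the example keeps the per-source form to make the two shapes visible.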
Enabling multi-factor authentication blocks 99.9% of these unauthorized login attempts, even if hackers have your current password. Why? Because they not only need the password but also a secondary credential that expires. The MFA model requires them to obtain your password and the additional secondary factor (passcode), and that secondary code must be obtained and used within a few minutes, before it changes yet again.
Capturing or compromising MFA tokens is very rare and very expensive. In most cases organizations or malicious actors using these tools only do so for very high value targets.
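To make the "expires within a few minutes" property concrete, here is an added example, not code from DriveStrike or the article, of how a time-based one-time password (TOTP, RFC 6238) is generated and verified on the server side. It shows that a code captured at one moment stops verifying a couple of time steps later, and it adds the check a practitioner wants on top of the standard: refusing to accept the same code twice within its validity window. The 30-second step, the ±1-step tolerance and the user names are assumptions; the secret and expected values in the checks come from the RFC 6238 test vectors.

```python
"""TOTP generation and verification with expiry and replay protection.

Added example. Implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1;
step/window/digits defaults are assumptions for illustration.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret: bytes, code: str, now: float,
                step: int = 30, window: int = 1, digits: int = 6):
    """Return the matching time-step counter if `code` is valid for the
    current step or any step within +/-window (clock-drift tolerance),
    otherwise None. Comparison is constant-time."""
    current = int(now) // step
    for candidate in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


class TotpVerifier:
    """Server-side verifier that also rejects reuse of an already-accepted
    code: a captured code is useless once the legitimate user has used it,
    even inside the drift window."""

    def __init__(self, step: int = 30, window: int = 1, digits: int = 6):
        self.step, self.window, self.digits = step, window, digits
        self._last_counter: dict[str, int] = {}  # user -> highest accepted step

    def verify(self, user: str, secret: bytes, code: str, now: float) -> bool:
        counter = verify_totp(secret, code, now, self.step, self.window, self.digits)
        if counter is None:
            return False            # wrong code, or code from an expired step
        if counter <= self._last_counter.get(user, -1):
            return False            # replay: this step was already consumed
        self._last_counter[user] = counter
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret (SHA1)
    code = totp(secret, 1000)
    v = TotpVerifier()
    print("fresh code accepted:      ", v.verify("alice", secret, code, 1000))
    print("same code replayed:       ", v.verify("alice", secret, code, 1005))
    print("code three steps later:   ", verify_totp(secret, code, 1090) is not None)
```

The verifier stores only the highest step it has accepted per user, so a stolen code has a lifetime bounded by the step length plus the drift window, and zero lifetime once the owner has used it. Real deployments also rate-limit verification attempts, since a six-digit code is guessable if unlimited tries are allowed.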
Bottom line – use multi-factor authentication to protect your accounts, and protect your mobile devices with DriveStrike: if a device that displays or accesses your MFA credentials is lost or stolen, you can remotely wipe it!
About Spearstone
Spearstone, 2008 Digital IQ award recipient for IT Security, is a software development company with enterprise customers that include Wells Fargo, Pearson Learning, Logitech, Spacelabs, Sony and RemedyMD. Spearstone’s DriveStrike product provides data breach protection for computers and smartphones, including remote wipe and mobile device management.