Why your password is still important - even if you use multi-factor authentication

Just because you have two factor authentication doesn’t mean you can afford to be sloppy with password security.


Multi-factor authentication is steadily becoming a more mainstream login protection mechanism, with it being adopted for use in many organizations as well as many popular websites such as Twitter, Facebook, Gmail and Amazon.

The use of multi-factor authentication or any other type of two-step verification (2SV) adds an additional layer of security to your login process. This is an excellent way to further protect your information.

It might be assumed that multi-factor authentication removes the need for a strong password, since an attacker would not possess the secondary “something you have” factor that completes the login process.

Unfortunately, the need for strong passwords is still important – even when using multi-factor authentication.

Security researcher Beau Bullock at Black Hills Information Security recently discovered a flaw in Microsoft’s Outlook Web Access and Office 365 that bypasses multi-factor authentication, enabling a full search of mailboxes with the knowledge of only a person’s username and password.

You can read the technical description of the exploit if you're interested in more information, or watch a video demonstration.

It should be noted that at least one product vendor has been experimenting with this flaw to enhance its penetration test and defense capabilities. The technical description includes an explanation of why the flaw cannot simply be turned off.

The important lesson here is to not fall into a mindset that using multi-factor authentication allows you to use poor passwords, or worse, reuse the same passwords on multiple sites.

The multi-factor token might change on every login, but as long as there are methods to bypass multi-factor authentication, the need to stay vigilant about strong, unique passwords remains. Now would be an excellent time to check out the many password manager programs that are available for your protection.

Remember that security is approached best by using a layered defense, and allowing a weakness in any of those layers just makes the job of an attacker that much easier.



3 Responses

  1. Hitoshi Kokumai

    November 20, 2016 at 2:07 am #

    Nice article. I fully agree.

  2. Richard

    November 20, 2016 at 5:43 pm #

    Informative article; thank you.

    However, this does depend on the website even allowing for 2SV, or even more than 12 characters (including special characters like %$%"!).

  3. furriephillips

    November 21, 2016 at 10:32 am #

    Given the opportunity to use actually strong passwords (banks are the worst culprits here, IMHO), I always let LastPass generate my passwords (sometimes I add a space, just to be a BOFH), but essentially I only know my LastPass password, not any others – they're so complicated & random.
