Debunking password myths: Why it’s time to ditch using complex passwords (Part 2 of 3)


Passwords have long served as keys to securing our personal and professional data. Yet, as everyone’s digital footprint continues to grow, the effectiveness of complex passwords at protecting sensitive information is waning. 

In Part 1 of this article series, we debunked the myths surrounding the outdated habit of regular password resets. Now, in Part 2, we delve deeper into the ineffectiveness of complex passwords and explore safer alternatives to protecting your data in the modern age.

Why complex passwords aren’t enough

Relying solely on complex passwords to protect your accounts has too many drawbacks from a security and user experience perspective.  

Greater risk of human error

Though intended to bolster security, complex passwords can often backfire due to human fallibility. Users will frequently resort to simple, easily remembered passwords such as “123456” or “qwerty”, as the lists of the most common passwords found on the dark web in 2022 show.

In an effort to remember convoluted codes, users may jot them down in digital files or even physical notes, making them easily accessible to hackers. The sheer volume of complex passwords can also overwhelm users, leading to forgotten credentials and increased downtime. According to recent findings, about 40% of help desk calls are related to password assistance and resets, resulting in substantial productivity losses.

Cybercriminals have refined their tactics

Password-cracking software is a popular tool among cybercriminals and is particularly effective against easy-to-guess passwords like those mentioned earlier. CSO reports that Conficker, one of the most notorious malware programs, compromised countless drive shares using a mere 100 hard-coded (simple) passwords, which shows that password guessing remains effective to this day. Password-cracking software has also grown more sophisticated: cybercriminals can now decipher increasingly complex passwords by exploiting the common patterns they follow.

Additionally, cyberattacks have evolved to rely on social engineering and phishing tactics, rendering complex passwords futile when users fall prey to these strategies. In fact, Verizon’s data reveals that a whopping 74% of breaches involve the human element, which includes social engineering attacks.

Safer alternatives to complex passwords

Instead of relying on complex passwords, use the following tools and best practices that offer much stronger protection.  

Passkey authentication

Passkey authentication offers a modern way of logging into your accounts without relying on complex passwords. It creates a special code for each login attempt from information unique to you (e.g., biometric data such as facial recognition or fingerprints) combined with device details such as MAC addresses and location.

These passkeys simplify the login process by eliminating the need to remember multiple complex passwords. They’re also an effective tool against phishing attempts because even if hackers obtain a user’s password, the corresponding device passkey is still required to gain access.

Two-factor authentication

Two-factor authentication (2FA) offers an extra layer of security by requiring not only a password but also a second form of verification to access your accounts. This could take various forms, such as a code sent to your phone or generated by an authentication app.

This way, even if hackers get ahold of your password, they can’t access your data without that second authentication factor. It’s also a highly user-friendly and flexible method of security, typically offering multiple options for verification.

Passphrases instead of passwords

Passphrases are longer, easier-to-remember phrases or sentences used for authentication. Unlike complex passwords, which rely on a mix of letters, numbers, and symbols, passphrases are composed of everyday words strung together. This makes them easier to recall while remaining highly secure.

Passphrases are an effective defense against brute-force attacks because their length and unique combination of words make them harder to crack. Instead of trying to remember strings of characters, users can create passphrases from memorable sentences, adding a user-friendly dimension to password security.
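To put numbers on the argument of this section and of the earlier point about crackers exploiting common patterns, the following Python snippet is an added example (not from the article or from SpectrumWise). It estimates the guess space of a randomly generated passphrase versus a character password, and shows why a "complex" password built from a familiar pattern is far weaker than its character set suggests. The wordlist sizes, symbol count and cracking rate are assumptions chosen for illustration.

```python
import math

# Assumed model parameters (constructed for this example, not from the article).
PRINTABLE_ASCII = 95       # 26 upper + 26 lower + 10 digits + 33 symbols
SYMBOLS = 33               # printable ASCII punctuation
DICEWARE_WORDS = 7776      # size of a standard 6^5 diceware wordlist
COMMON_WORDS = 10_000      # everyday-word dictionary an attacker tries first
GUESSES_PER_SECOND = 1e10  # hypothetical offline rate against a fast unsalted hash


def uniform_bits(length: int, alphabet_size: int) -> float:
    """Entropy (bits) when every position is drawn uniformly from an alphabet.
    Works for characters from a charset and for words from a wordlist alike."""
    return length * math.log2(alphabet_size)


def pattern_bits(words: int, digits: int, symbols: int, case_variants: int = 2) -> float:
    """Effective entropy of the 'Word + digits + symbol' habit that cracking
    tools model directly: a dictionary word, a capitalisation choice, a numeric
    suffix and a trailing symbol, instead of searching the full character space."""
    space = (COMMON_WORDS ** words) * case_variants * (10 ** digits) * (SYMBOLS ** symbols)
    return math.log2(space)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in a space of 2**bits guesses."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def compare() -> dict:
    """Three candidates of the kind the article contrasts; values in bits."""
    return {
        # 8 random printable characters, e.g. 'k7$Qp2!v' (constructed)
        "random 8-char complex": uniform_bits(8, PRINTABLE_ASCII),
        # 11 chars that look complex but follow a pattern, e.g. 'Summer2023!' (constructed)
        "patterned 11-char 'complex'": pattern_bits(words=1, digits=4, symbols=1),
        # 5 words drawn at random from a diceware list (constructed)
        "random 5-word passphrase": uniform_bits(5, DICEWARE_WORDS),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:30s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years to exhaust")
```

The patterned password has the largest character set of the three yet the smallest effective guess space, which is the point the article makes about crackers learning common patterns.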

Better end-user education

Instead of relying on complex passwords, comprehensive security training could offer a more robust solution. Educated employees become the first line of defense against modern threats, such as social engineering and phishing attacks, as learning to recognize and thwart these attempts significantly reduces the risk of account compromise.

When employees understand the importance of strong security practices, they’re more likely to adopt and maintain secure habits. This proactive approach enhances overall security by instilling a culture of vigilance and responsibility, making it a valuable complement to any cybersecurity strategy.

Need better ways to secure your data? Reach out to our experts at SpectrumWise today for the latest solutions in cybersecurity, including awareness training, managed services, and security assessments.
