Single Password Authentication should be banned: Here are 5 reasons why.
Marco Essomba
Founder & CTO @ BlockAPT | Cybersecurity Expert
I use passwords a lot. I have different types of passwords. From strong, mega strong, and paranoid strong. Some I can remember, some I can’t. It drives me mad sometimes.
Whether you like passwords or not, single-factor authentication (SFA), also called single-password authentication, remains the most common first line of defence that online systems use to protect applications and data against unauthorised access.
Attacks on single-password authentication (phishing, credential stuffing with passwords leaked from other sites, password spraying and brute force) are among the top-ranking ways cyber criminals break into online systems, widening the threat landscape and exposing businesses to financial, legal and reputational risk.
My view is that single-password authentication should be banned worldwide. All publicly accessible online systems that rely on a single password should be forced to use at least one form of strong multi-factor authentication (MFA). In this article I cover 5 reasons why.
The growing threat of Phishing, Ransomware, and Advanced Persistent Threats:
With the rapidly growing number of cyber-attacks such as phishing and ransomware, single-factor authentication has had its day. Ransomware operators routinely gain their initial foothold with stolen or phished credentials for a VPN, remote desktop or email account that accepts a password alone. One way to fight back is strong multi-factor authentication, and it must be widespread and treated as the baseline authentication mechanism rather than an optional extra. "Strong" matters here: a one-time code delivered by SMS can be phished along with the password or diverted by a SIM swap, whereas phishing-resistant factors such as FIDO2/WebAuthn security keys bind the login to the genuine site. Unfortunately, many service providers and organisations still rely on single-factor authentication as their preferred mechanism for Internet-facing systems, exposing businesses to risk unnecessarily.
Here are 5 reasons why.
1. Humans are naturally ‘lazy’ when it comes to passwords
When we are challenged to create a password, we usually choose something we can remember easily, and that usually means a weak one. Password manager software such as LastPass or Norton Identity Safe can generate and store very strong, unique passwords for us. However, many online systems still do not enforce sensible password policies (a minimum length plus a check against lists of breached or common passwords), which means users can get away with creating very weak passwords.
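What a sensible policy check looks like in practice, as an added example that is not part of the original article: it follows the NIST SP 800-63B approach of a length minimum with no composition rules, a blocklist of breached or common passwords, and rejection of context-specific values and trivial patterns. The `BLOCKLIST` is a constructed stand-in for a real breached-password corpus, and the `username` and `service` values in the usage are assumed.

```python
"""Password acceptance check in the style of NIST SP 800-63B section 5.1.1.2:
length is the main rule, composition rules ("one uppercase, one symbol") are
dropped, and a candidate is rejected if it appears in a breach/common-password
blocklist, contains context-specific words, or is a trivial pattern."""

import unicodedata
from typing import List

# Constructed blocklist standing in for a real breached-password corpus
# (for example the Have I Been Pwned list). Real deployments use millions of entries.
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "welcome1", "iloveyou",
    "admin123", "summer2021", "passw0rd", "football",
}

MIN_LENGTH = 8    # NIST minimum for a user-chosen memorised secret
MAX_LENGTH = 64   # NIST requires verifiers to accept at least 64 characters


def normalize(password: str) -> str:
    """NIST: apply Unicode NFKC so visually identical strings compare equal."""
    return unicodedata.normalize("NFKC", password)


def is_trivial_pattern(pw: str) -> bool:
    """A single repeated character (aaaaaaaa) or a run of consecutive code
    points in either direction (abcdefgh, 87654321)."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(password: str, *, username: str, service: str) -> List[str]:
    """Return the reasons the password is rejected; an empty list means accepted."""
    pw = normalize(password)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        reasons.append("appears in breached/common password list")
    # Context-specific values: the username or the service name as a substring
    for label, word in (("username", username), ("service name", service)):
        if word and word.lower() in lowered:
            reasons.append(f"contains the {label}")
    if pw and is_trivial_pattern(pw):
        reasons.append("repeated or sequential characters")
    return reasons


if __name__ == "__main__":
    # Assumed username and service name for the demonstration
    for candidate in ("correct horse battery staple", "Summer2021", "alice2024!", "12345678"):
        verdict = check_password(candidate, username="alice", service="acme")
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

The length check is deliberately the only structural rule: forcing digits and symbols mostly produces `Summer2021!`-style variants, whereas the blocklist catches the passwords attackers actually try first.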
2. Computing power is increasing dramatically. Password-cracking tools are getting more powerful
With the dramatic increase in computing power, especially cheap GPUs, password-cracking tools such as Hashcat are now widely used by cyber criminals. The real danger is offline cracking: once a database of password hashes leaks, the attacker can try billions of guesses per second against fast, unsalted hashes with no lockout or rate limit to slow them down, so any password that appears in a leaked-password wordlist or follows a common pattern falls in seconds. Quantum computing is often cited as the next step up. The honest caveat is that Grover's algorithm gives at most a quadratic speed-up for this kind of search, so it does not break a strong password behind a slow, salted hash in a short period of time; the practical threat today is weak passwords and weak hashing, not quantum hardware.
3. Some service providers still store passwords in plaintext or with weak hashing
We hear in the news every day about online systems being breached and personal information stolen. One such case was Facebook in March 2021, when 533,000,000 user records from 106 countries were posted on a hacker forum. The leaked information included user locations, full names, biographical information, phone numbers and email addresses. It came to light when a user on the hacking forum promoted an automated bot that could look up the phone numbers of hundreds of millions of Facebook users. Note that this particular data set contained no passwords: it was scraped profile data. It still matters for single-password accounts, because a leaked email address or phone number is exactly what credential-stuffing and phishing campaigns start from. Where a breach does expose a password table, the damage depends on how the passwords were stored: plaintext or a fast unsalted hash (MD5, SHA-1, SHA-256) can be recovered almost immediately, while a per-user salt and a slow, iterated hash (bcrypt, scrypt, Argon2 or PBKDF2 with a high work factor) forces the attacker to pay for every guess against every user.
4. Password renewal frequency
Changing a password on a regular basis was long considered good practice, and many online systems still force it. However, forcing users to change passwords at short intervals leads to password fatigue: people cycle through predictable variants (Summer2021 becomes Autumn2021) or, unless the system keeps a history and rejects previous passwords, simply set the old one again. NIST SP 800-63B now advises against mandatory periodic rotation and recommends changing a password when there is evidence it has been compromised.
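Reasons 2 to 4 above are one story from a defender's side, so here is a single added example (not code from the original article) that covers them: a dictionary attack against unsalted SHA-256 hashes of the kind a breached credential table often contains, the hardened alternative with a per-user salt and an iterated KDF, and a password-history check that rejects reuse on rotation. The wordlist and the leaked table are constructed for the demonstration, the usernames are assumed, and PBKDF2-HMAC-SHA256 is used only because it ships with the Python standard library; Argon2 or bcrypt would be the usual production choice.

```python
"""Offline password cracking versus hardened password storage.

Part 1 runs a dictionary attack against a constructed table of unsalted
SHA-256 hashes. Part 2 stores passwords with a per-user random salt and a
slow, iterated KDF (PBKDF2-HMAC-SHA256 from the standard library), verifies
them in constant time, and rejects reuse of recent passwords on rotation.
"""

import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

# Constructed wordlist standing in for a real leaked-password list such as
# rockyou.txt, which holds tens of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2021",
            "welcome1", "iloveyou", "football", "admin123", "dragon"]

# Constructed "breached" table: username -> unsalted SHA-256 hex digest.
LEAKED_TABLE = {
    "alice": hashlib.sha256(b"summer2021").hexdigest(),
    "bob": hashlib.sha256(b"letmein").hexdigest(),
    "carol": hashlib.sha256(b"xK9#vQ2!pLm7").hexdigest(),  # not in the wordlist
}


def crack_unsalted(table: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack on unsalted hashes. With no salt, each candidate is
    hashed once and matched against every user at the same time, so the cost
    is one hash per candidate no matter how many users leaked."""
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


# --- Hardened storage -------------------------------------------------------

ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
HISTORY_DEPTH = 5     # previous hashes kept per user to block reuse on rotation


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'
    (hex fields) using a fresh 16-byte random salt unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then
    compare in constant time so timing does not leak how many bytes matched."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


class CredentialStore:
    """Per-user current hash plus a bounded history of earlier hashes."""

    def __init__(self) -> None:
        self._current: Dict[str, str] = {}
        self._history: Dict[str, List[str]] = {}

    def set_password(self, user: str, password: str) -> bool:
        """Set or rotate a password. Returns False when the candidate equals
        the current password or any of the last HISTORY_DEPTH previous ones.
        Each record has its own salt, so reuse is detected by re-verifying,
        not by comparing stored strings."""
        current = self._current.get(user)
        previous = self._history.get(user, [])
        for old in ([current] if current else []) + previous:
            if verify_password(password, old):
                return False
        if current:
            self._history[user] = ([current] + previous)[:HISTORY_DEPTH]
        self._current[user] = hash_password(password)
        return True

    def authenticate(self, user: str, password: str) -> bool:
        stored = self._current.get(user)
        return stored is not None and verify_password(password, stored)


def seconds_per_guess(iterations: int = ITERATIONS) -> float:
    """Cost of one PBKDF2 guess on this machine. An attacker pays this per
    candidate per user, because every user's salt is different."""
    start = time.perf_counter()
    hash_password("benchmark", b"\x00" * 16, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    print("cracked from unsalted SHA-256:", crack_unsalted(LEAKED_TABLE, WORDLIST))
    store = CredentialStore()
    store.set_password("carol", "xK9#vQ2!pLm7")
    print("same password accepted on rotation?", store.set_password("carol", "xK9#vQ2!pLm7"))
    print("one PBKDF2 guess takes %.3f s" % seconds_per_guess())
```

Two users fall to the wordlist in one pass while `carol` survives only because her password is not in it; against the salted store the attacker has to repeat the full wordlist per user at the per-guess cost the benchmark reports, which is the whole point of a slow KDF. The history check is what "strict password policies" in reason 4 has to mean in code: the old hashes are kept, not the old passwords.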
5. Password fatigue
Too many passwords, too many online systems: users are feeling the password fatigue. Many organisations are implementing Single Sign-On (SSO) so that users log in once, with a single password at the identity provider, and then gain access to several online systems through a chain of trust. The trade-off is that SSO concentrates risk: if that initial password is weak or phished, every connected system is weakened in the process, which is exactly why the identity provider login is the first place MFA belongs.
Conclusion
With the increasing number of cyber-attacks against all types of organisations worldwide, single-factor authentication (SFA), also called single-password authentication, remains one of the most widely used mechanisms for protecting online systems against unauthorised access.
Relying on single-password authentication alone is bad practice.
I argue that it should be banned completely.
All online systems accessible from the Internet should be required to use strong multi-factor authentication (MFA). This will greatly reduce credential-based account takeovers, the starting point of so many of today's attacks, and help mitigate the risk exposure of businesses.