A strong password isn’t enough to secure your account

Author: Jon Hunt, cyber security service delivery manager

Criminals always find a way to take advantage of disasters.

There has been a surge in phishing emails and online scams during the pandemic by criminals seeking to defraud us of our usernames and passwords. This is one reason why it’s so important not to use the same password across multiple accounts.

A great way to provide an extra level of security over and above strong, unique passwords is to employ multi-factor authentication (MFA). This is where you use something in addition to a username and password to log in. With MFA, even if criminals manage to get hold of your username and password, for example, via a phishing attempt, they still can’t log in without your ‘second factor’.

The second factor may be an authenticator app on a mobile phone or a security key that plugs into a USB port. There are many multi-factor authenticator apps to choose from, such as Google Authenticator or Microsoft Authenticator. Attackers who can’t access an account because of MFA are far more likely to move on to one that doesn’t have it than to spend time attempting to bypass or remove it. Implementing MFA also heightens the security awareness of all users, which benefits everyone.

Lockdown exposure

The current separation from colleagues and peers has made people more vulnerable to cyber scams. It’s also likely that many of us will continue to work remotely for at least some of the time going forward. When working remotely it can be harder to check things, as we can’t pop across the office to say, “Did you send me that email?”. It’s easy to make a mistake when there isn’t anyone else around to ask for immediate advice or reassurance. And mistakes can be very costly.

One of the biggest security threats is account takeover. For example, if hackers gain access to an Office 365 account, they can exploit it to send malicious emails while impersonating a legitimate sender. They will also be able to access data and information stored in OneDrive or SharePoint.

Which accounts are being targeted?

There’s a common misconception that hackers are only interested in high-value accounts, such as those belonging to chief executives and finance directors, or as recently reported, researchers working on COVID-19. These people are likely to be specifically targeted, but most of us are more likely to be victims of automated, opportunistic attacks carried out on an industrial scale.

It is dangerous to assume that no one will be interested in your account. Have I Been Pwned is a free tool that lets you search information exposed in multiple data breaches to see whether your email addresses and passwords have been compromised. Criminals use the credentials from data breaches for activities such as credential stuffing, where they attempt to log in to a range of services using the same username and password combination. This relies on people’s tendency to reuse the same password across multiple accounts. Password managers and MFA provide important protections against such attacks.

Convenience vs security

It’s important to balance convenience with security. Being able to log in with just a password from anywhere at any time is very handy, but remember criminals can too if they manage to obtain your username and password. The fundamental issues with passwords are that most people are not good at choosing strong ones and tend to reuse passwords.

Astoundingly, the most popular password of 2019 was ‘123456’, and ‘password’ appears at number four. Password managers can help here by choosing and storing strong passwords for you, but they must be set up carefully and protected with a very strong master password. MFA provides important additional protections too. It’s not infallible, but criminals are more likely to move on to another account than attempt to circumvent MFA.

Things to remember

Use a separate, strong password for every account and turn on multi-factor authentication wherever it’s possible to do so, whether for work-based or personal accounts, including apps like Amazon and WhatsApp that offer it as an option.

When introducing this idea to staff, explain the why. It’s not enough to tell users what to do; inspire them to change their behaviour by demonstrating the impact and value of that change and how it can help them in their personal lives as well as at work.

For advice on how to build solid security practices within your organisation, sign up for the free Jisc security conference taking place online 9 – 11 November 2021. Keeping your organisation safe and secure is our top priority.

To learn more about how Jisc can support your organisation with cyber security, visit jisc.ac.uk/customers
