The Snowflake breach tells us that passwords aren't enough

(Image: shadowed hands on a digital background reaching for a login prompt. Image credit: Shutterstock)

Snowflake Inc. is a US-based cloud data platform: organizations worldwide, including banks, supermarket chains, and mobile operators, store and analyze their data in it. About a month ago, hundreds of Snowflake customer accounts were targeted in a serious attack that experts believe may turn into one of the biggest data breaches ever.

Ticketmaster and Santander are among the big names affected. The attackers are reported to have used stolen login credentials to access customers' Snowflake accounts, with hundreds of Snowflake customer passwords reportedly found online.

While the full extent of the damage isn't clear at the time of writing, one thing is: a password alone isn't enough to secure an account today. Snowflake itself is now urging all customers to enable MFA (multi-factor authentication), the control that stops a stolen password from being enough on its own, and I'd suggest investing in one of the best business VPNs, too. Is it finally time to go passwordless?

Fewer passwords, more security

The elephant in the room is that reusing the same password across different accounts is extremely common. Let's face it, we've all been guilty of it. Attackers know this habit well and keep exploiting it.

Cybercriminals might launch phishing campaigns to deliver info-stealer malware that harvests the credentials saved on your device. Or a small website you don't even remember registering on gets hacked at some point, and its password database ends up for sale.

Once stolen login details are collected, attackers use a tactic known as "credential stuffing": they automatically try thousands of leaked email address and password pairs against many other platforms, looking for a match. It takes only one reused password to hand them full access to an account, and the login looks legitimate to the service because the password is correct.

"Passwordless is definitely an answer there," Julianna Lamb, CTO and co-founder of identity company Stytch, told me. "If you require two-factor authentication (2FA) on every account, that's going to go a long way."

2FA or MFA is an identity and access management control that requires two or more independent factors to access your account: something you know (a password), something you have (a phone or a security key), or something you are (a biometric). The second factor might be a one-time code sent by SMS, a magic link sent to your email, a rotating code or push prompt from an authenticator app on your device, a fingerprint or face scan, or a hardware security key. Not all factors are equal: SMS codes can be intercepted or phished, while app-generated codes are harder to capture, and passkeys and security keys are harder still.

(Image: Google 2FA security. Image credit: Google)

"We're pretty excited about passkey as an option," said Lamb. "It's super easy from a user experience perspective and pretty much unphishable because it's tied to your specific device."

Passkeys, introduced in 2022 and built on the FIDO2/WebAuthn standards, have changed the passwordless landscape. The user never creates or memorizes anything: the device holds a private key, the website stores only the matching public key, and the user unlocks the key with a biometric (such as a fingerprint or facial recognition), a PIN, or a pattern. Because each passkey is bound to the website's origin, a look-alike phishing domain cannot use it, and because the server holds no secret, a breach of the site's database yields nothing that can be stuffed into other logins.
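What makes a passkey "unphishable" is not the biometric but the checks the website performs on the assertion it gets back: the browser, not the user, writes the origin into the signed client data, and the authenticator binds the assertion to a hash of the site's RP ID. The code below is an added example written for this article, not code from any passkey provider or from the WebAuthn specification's reference material; the assertion structures are built by hand as constructed test data. It performs the origin, challenge, RP ID, user-verification and signature-counter checks a relying party runs, and shows that an assertion collected on a look-alike domain fails before any signature is even examined. The final ECDSA signature check over authenticatorData || SHA-256(clientDataJSON) needs a public-key library and is left out.

```python
"""Added example (not from the article or any vendor): the relying-party checks
that make a passkey (WebAuthn) login phishing-resistant. Standard library only;
the client data and authenticator data are constructed here for the example.

The signature verification that follows these checks (ECDSA over
authenticatorData || SHA-256(clientDataJSON) with the stored public key) is
omitted because it needs a public-key library.
"""
import hashlib
import json
import struct

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric or PIN on the device)


def make_authenticator_data(rp_id: str, sign_count: int, flags: int = FLAG_UP | FLAG_UV) -> bytes:
    """Constructed 37-byte authenticatorData prefix: rpIdHash || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def make_client_data(origin: str, challenge: str) -> bytes:
    """Constructed clientDataJSON: the browser fills in the origin, the user cannot alter it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def check_assertion(client_data: bytes, auth_data: bytes, *, expected_origin: str,
                    expected_rp_id: str, expected_challenge: str, last_sign_count: int) -> str:
    """Return "ok", or the first failing check, in the order the WebAuthn spec applies them."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return "client data not JSON"
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return "challenge mismatch (replay or cross-session)"
    if cd.get("origin") != expected_origin:
        return "origin mismatch (phishing site or wrong scheme)"
    if len(auth_data) < 37:
        return "authenticator data too short"
    rp_hash, flags = auth_data[:32], auth_data[32]
    count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return "rpIdHash mismatch"
    if not flags & FLAG_UP:
        return "user presence not asserted"
    if not flags & FLAG_UV:
        return "user verification required but not performed"
    # A counter that fails to increase (when either side is non-zero) suggests a cloned key.
    if (count or last_sign_count) and count <= last_sign_count:
        return "signature counter did not increase (cloned authenticator?)"
    return "ok"


if __name__ == "__main__":
    expected = dict(expected_origin="https://example.com", expected_rp_id="example.com",
                    expected_challenge="c0ffee", last_sign_count=4)
    good_cd = make_client_data("https://example.com", "c0ffee")
    good_ad = make_authenticator_data("example.com", 5)
    print("genuine site:", check_assertion(good_cd, good_ad, **expected))
    print("look-alike site:", check_assertion(make_client_data("https://examp1e.com", "c0ffee"),
                                              good_ad, **expected))
```

The origin and RP ID values here are illustrative; in a real deployment they come from the relying party's own configuration, and the challenge is a fresh random value issued per login and stored server-side until the assertion arrives.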

Better authentication technology, together with a steep rise in phishing attacks and data breaches (a 12TB compilation of more than 26 billion records from earlier breaches was leaked in January in what was dubbed the mother of all data breaches), may translate into more companies saying goodbye to passwords for good.

"I think you are going to see a lot of companies investing more in their authentication. Basically, forcing 2FA and stopping relying on users being good stewards of their passwords," Lamb told me. "It's clear that relying on individual users to have good secure passwords is not the right answer."

How to protect your online accounts

While a passwordless world looks increasingly close, the change certainly can't happen overnight. So, while companies providing online services work on implementing better security standards, some of the burden of protecting our personal accounts still falls on us.

As a rule of thumb, Lamb said, you should always assume a password has been breached, because you simply cannot trust that it hasn't been.

She then urges everyone to activate at least a two-factor authentication solution whenever possible, and to pick factors that are truly different from each other. This might be an authenticator app on your smartphone plus another factor tied to your email address.

"You should make sure they truly are separate and you are not relying on just one type of factor," Lamb told me. "I think people sometimes forget that the point is to have multiple things you have to access your identity."

When it's not possible to set up a passkey, make sure you use a unique password for every account, so that one leaked site password can't be stuffed into the rest. Password manager tools generate and store strong passwords for you.

While there are standalone products, some of the best VPN services around even include a password manager in their apps at no additional cost. These include NordVPN, ExpressVPN, and Proton VPN.

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com