We live in an era where the amount of valuable data businesses must store is increasing at an unprecedented pace. Consequently, the number of cyber criminals trying to gain access to that data is also increasing. In fact, according to a report released last year by Osterman Research, 81% of organizations have been the victim of some type of data breach, targeted email attack, successful phishing attack or other cyber security incident during the previous 12 months. And with the surge of people working from home due to the COVID-19 pandemic, these numbers are only going to go up.
The problem is made worse by the fact that many people do not follow recommended login security and password complexity guidelines. A recent report, “The Psychology of Passwords,” revealed the following statistics:
- 91% of people use the same password on multiple accounts
- 66% continue to use the same password, even if they're aware of the risks
- 53% haven't changed their passwords in a year
What’s even more shocking is the fact that many people continue to use weak passwords. Did you know that even today, one of the most common passwords is 123456? This practice of using passwords that are easy to remember makes them vulnerable to dictionary attacks, which use lists of commonly used passwords that have been organized by popularity. These practices work quite well because people tend to use common words, first and last names, or short phrases that are easy to remember.
IT administrators can alleviate some of these bad practices by implementing and enforcing password policies. This includes requiring strong passwords and regular password changes (here’s how to do it in the MDaemon email server).
Even these practices are evolving, as evidenced by the National Institute of Standards and Technology and its password guidelines.
Why Passwords Alone May Not Keep Your Email Safe
Hackers have some pretty sophisticated tools at their disposal for attempting access to confidential information. They use a variety of tactics, including phishing, social engineering, malware, brute force attacks and dictionary attacks. They may even use near-match spoofing of domain names in email addresses or hyperlinks that, when clicked, lead to malicious websites with online forms designed to harvest usernames and passwords.
To make matters worse, chances are the strong password you thought was secure has already been stolen in a data breach. A good resource for finding out whether your password has been compromised is Have I Been Pwned (the spelling is intentional), where you can check whether yours is on the list.
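To make the two ideas above concrete (a password policy that rejects dictionary-style passwords, and a check of a candidate password against a breach corpus without revealing the password itself), here is an added Python example. It is not MDaemon's code and says nothing about how MDaemon implements its policy. The common-password list and the range responses are constructed stand-ins with made-up counts, and `check_policy`, `evaluate` and the other names are this example's own. It goes slightly beyond the text in one respect: the breach lookup follows the k-anonymity range scheme that Have I Been Pwned offers, in which only the first five hex characters of the password's SHA-1 hash are sent and the matching is done locally against the returned list of suffixes. No network request is made here; the fetch function is a local stand-in.

```python
import hashlib

# Constructed stand-in for a blocklist of commonly used / breached passwords.
# A production deployment loads a much larger list (millions of entries).
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "qwerty", "letmein",
    "iloveyou", "admin", "welcome", "abc123", "monkey",
}


def check_policy(candidate: str, username: str = "",
                 min_length: int = 8, max_length: int = 64) -> list:
    """Return the reasons a password is rejected; an empty list means it passes.

    The rules follow the direction of NIST SP 800-63B: a length floor, a generous
    length ceiling, and a blocklist check rather than composition rules.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(candidate) > max_length:
        problems.append(f"longer than {max_length} characters")
    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if len(set(lowered)) <= 2:
        problems.append("made of only one or two repeated characters")
    return problems


def sha1_prefix_suffix(candidate: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix that goes to the
    range service and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_response: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return the
    count recorded for our suffix, or 0 when it is absent."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        line_suffix, _, count = line.partition(":")
        if line_suffix.upper() == suffix:
            return int(count)
    return 0


# Constructed range responses keyed by prefix (the counts are made up).
# The real service is queried over HTTPS at
# https://api.pwnedpasswords.com/range/<prefix>; this example never goes online.
FAKE_RANGE_RESPONSES = {
    # prefix of SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
    "5BAA6": "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n",
    # prefix of SHA-1("123456") = 7C4A8D09CA3762AF61E59520943DC26494F8941B
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:37359195\n",
}


def fake_fetch_range(prefix: str) -> str:
    """Local stand-in for the HTTPS range request."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def evaluate(candidate: str, username: str, fetch_range=fake_fetch_range) -> list:
    """Policy rules plus a breach-corpus lookup that never transmits the password."""
    problems = check_policy(candidate, username)
    prefix, suffix = sha1_prefix_suffix(candidate)
    seen = breach_count(suffix, fetch_range(prefix))
    if seen:
        problems.append(f"seen {seen} times in known data breaches")
    return problems


if __name__ == "__main__":
    for pw in ("123456", "password", "correct horse battery staple"):
        print(repr(pw), "->", evaluate(pw, "alice") or "acceptable")
```

The check runs when a password is set or changed, so a user who picks something on the list is turned away before it ever protects a mailbox; because only the hash prefix leaves the server, the lookup does not create a new copy of the password anywhere.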
Passwords are not just vulnerable to external threats. They must be protected from internal threats, as well. Have you ever written down a password on a piece of paper and then thrown it in the garbage or discarded an old hard drive without destroying it? Do you keep a list of login credentials on your phone? If this information gets in the wrong hands, it can lead to all kinds of problems, including identity theft or severe financial loss for your employer and damage to its reputation.
How to Protect your Email from Hackers with Two-Factor Authentication
One of the best ways to overcome the shortcomings of passwords and prevent someone from hacking into your email is to use two-factor authentication (2FA). Here’s how it works:
Passwords and usernames belong to one of three types of identification data:
- Something you know
- Something you own
- Something you are or do (such as a fingerprint or other biometric element)
The three items above are considered factors of authentication. When only one type of data is used to log into a system (such as a username and password, which is “something you know”), you are using a single factor of authentication.
Passwords alone are often not enough to protect your email and data against increasingly sophisticated attacks. Requiring a second factor of authentication can help protect your account from hackers and drastically reduce security breaches and data theft.
Two-factor authentication is not a new concept. In fact, most of us already use it in other ways besides accessing our email. Here are some examples of two-factor authentication that many of us already use daily:
- An ATM card (something you own) and a PIN (something you know)
- A credit card (something you own) and a zip code (something you know)
- A phone (something you own) and a fingerprint (something you are)
How to Configure Two-Factor Authentication in MDaemon Webmail
Two-factor authentication is available in many email services, including MDaemon's integrated webmail. With two-factor authentication, users must provide two forms of authentication – a password and a unique verification code that is obtained via any client that supports Google Authenticator (available in the Google Play store).
In this video, we demonstrate how to enable and use two-factor authentication in the MDaemon email server and its webmail.
Two-factor authentication has many benefits:
- It provides an extra layer of defense when a password isn’t strong enough.
- It reduces online identity theft, phishing, and other social engineering tactics because a victim’s password isn’t enough to gain access to his or her data.
- It helps companies in finance, health care, and other industries comply with PCI, HIPAA and other regulations.
- It makes working remotely safer.
You can find more information on how to configure two-factor authentication for MDaemon Webmail and MDaemon Remote Administration in our knowledge base.