IT Brief Asia - Technology news for CIOs & IT decision-makers

World Password Day reminds us: It’s time to rethink access security

Today

Strong passwords are essential, but they're no longer enough. 

In today's threat landscape, the combination of a password manager and Multi-Factor Authentication (MFA) must become non-negotiable across all organisations. Password managers reduce the risk of reuse and human error, while MFA significantly decreases the chances of unauthorised access, even if credentials are compromised.

Threat actors know that many businesses are falling short in implementing these security essentials. In the first three months of this year, Rapid7's Managed Threat Hunting team observed a significantly higher number of password spray attacks aimed at discovering and compromising accounts not properly secured by MFA.

The message is clear: MFA must be implemented, tested, and enforced wherever it's available. And even when it is, organisations must address emerging risks like MFA fatigue. Rapid7's Managed Detection and Response (MDR) team has observed a rise in push notification fraud, where attackers exploit inattentive users. To combat this, many MFA vendors now offer number matching, which helps users verify prompts before approving them.

On this World Password Day, let's remember that passwords are just the first line of defence. If key systems don't support MFA, organisations should be pushing suppliers to make it a roadmap priority. 

Security isn't static. It requires ongoing vigilance and evolution.
