Why your passwords aren’t protecting you any more

Cybersecurity specialists say that while passwords are not totally obsolete, they are no longer enough on their own

Passwords have been the primary gatekeeper of digital security for many years. We’ve been told to make them longer, more complex, harder to guess; add symbols, numbers, change them every so often and you’ll be safe, so the received wisdom goes. However, for all these changes to password rules and recommendations, many cybercriminals are getting in simply by logging in using weak or reused passwords.

This remains perhaps the easiest way for criminals to access systems and accounts. When a large organisation suffers a data breach, millions of usernames and passwords often end up for sale online.

Automated tools are then used by attackers to test those credentials against e-mail accounts, cloud platforms and other business systems. If one of these passwords — even one that appears strong — has been reused, the door is wide open, and hackers can walk right through it.

Many cyber incidents therefore begin with compromised accounts, not technical failings. There’s no need for an attacker to force entry when they have valid credentials they can use instead. Once they’re logged in, they can move through systems entirely unnoticed, gain access to sensitive information or launch further attacks from a position of trust. Ultimately, this is about access control: organisations can only protect what they can properly control, which starts with how identities are verified.

A lot of businesses respond to security breaches by tightening their password rules further, making them longer or more complex and mandating more frequent password changes. But even a complicated password offers no protection once it’s been stolen, nor do phishing attacks care how many characters or symbols it contains. In fact, excessively strict rules can be counterproductive, leading people to reuse passwords or write them down — precisely what you don’t want them to do — as well as fostering a false sense of security.

Louise Ralston, COO, Cyber Tec Security (Photograph supplied)

This is where multi-factor authentication, or MFA, is so valuable. It adds an extra step to the login process, such as a code sent to a phone, a biometric check or a prompt in an app, which the user must provide before being granted access. This means that even if a password is compromised, an attacker will not be able to log in if they cannot provide the code, biometric data or prompt. This does not make systems invulnerable, but it does dramatically reduce the risk of being compromised.

There are still some who see MFA as inconvenient or unnecessary. In reality, though, it’s already part of everyday life. After all, we commonly use it day to day when logging in to our online banking, social media or major e-commerce platforms. Staff must be reminded that MFA is there to help protect their identity and prevent their account from being used as a gateway to the wider organisation. It is a proven and effective way of confirming that the person trying to log in is who they claim to be.

But solutions like MFA only constitute one piece of the security puzzle. Protecting credentials and accounts requires people to understand how attackers operate and how security measures protect against them. Regular staff training is crucial here. Simple steps such as using password managers, knowing how to spot suspicious e-mails and when to question a login attempt can all make a big difference. When employees know their cybersecurity responsibilities — and the logic underlying them — it becomes much easier to ensure that safeguards are consistently upheld.

It would be an overstatement to say that passwords are totally obsolete. But they are no longer enough on their own. Modern cybersecurity depends on stronger access control and better authentication. The real question facing businesses in Bermuda today isn’t whether their passwords are complex enough, but what would stop an attacker if those passwords were to fall into the wrong hands.

Louise Ralston is the chief operating officer of Cyber Tec Security, a cybersecurity specialist business providing cyber certification-led resilience and adherence to regulatory compliance


Published February 20, 2026 at 7:53 am (Updated February 20, 2026 at 7:53 am)
