Passwords used to be a very solid layer of security... decades ago. Today, passwords are a necessary evil, but unlikely to actually stop an attack in progress.
This is for a variety of reasons, including the following:
1) Many users are running with elevated rights, if a system is compromised it is easy for the malware to proceed to go the route of privilege escalation to get where it wants.
2) AD Credentials are easily cracked by dedicated attackers! This has been true for some time, but was a part of the SolarWinds Hack last year, where attackers used a supply-side attack to compromise the network, then easily gaining access to administrator credentials.
3) While 2 factor authentication helps the process, often it is a means to gain access to passwords due to the frequency users lock themselves out. This means another avenue of attack. 2 Factor authentication is another hurdle for the dedicated attacker, useful, but not really that strong in the long term.
Where does that leave us in regards to passwords? Well, they have value for attacks of opportunity. Someone walking by a desk trying to access things they shouldn't before the user gets back to their desk. Or an attacker who is would simply attempt to randomly assign entry passwords through a connection online.
But... and this is the primary point... passwords amount to more of a "Please don't enter" rather than a strongly enforced one.
So, what can you do that provides real layers of security along with a password?
You should be using various anti-malware technologies, as well as utilizing network security of some kind. You should protect your users through some form of DNS layer protection (London Security recommends Cisco's Umbrella), and should strongly consider using an MDR Solution to review events and attacks when you don't have engineers available.
As of Q1 this year, London Security has partnered with Blackpoint Cyber to provide strong protection 24/7/365. We recommend reaching out to us today to talk about how to better protect your security environment beyond just using a password and 2 factor authentication.