PASSWORDS
By Evan Fagan

How many passwords have been breached?

Password breaches seem to be an alarming, almost weekly, occurrence. Hundreds of millions of passwords have been stolen in recent years. This should cause significant concern among businesses, all of whom rely on password systems to access critical business information. Compromised email accounts and passwords represent a significant risk because of the high rate at which users reuse the same password for all their accounts. According to an article from security technology company Sophos, 55% of internet users reuse the same password for most, if not all, of their online accounts. From critical financial software and banking to your lifetime of email, the same password used everywhere is what hackers are banking on (literally!).

Mature, cyber-aware companies require employees to use strong and unique passwords on every account; however, they often do not provide the tools to make this possible! Employees find it very difficult to remember ten- to fifteen-character passwords that are also highly complex and unique. This is an unrealistic expectation given that most people have an average of 200+ accounts to manage. Most folks simply ignore this password policy requirement and reuse passwords – everywhere! There is, however, a simple solution to this problem: users need to start using simple Password Managers.

The Simple Solution: Password Managers

Password Managers store, manage, and track usernames, website URLs, and passwords in an encrypted database protected with one Master Password. Password managers run on desktops, laptops, in website interfaces, and even on iOS and Android smartphones. They sync passwords entered on one device to all the others. Common examples of robust and secure password managers include LastPass, RoboForm, Dashlane, and 1Password. They all store encrypted versions of passwords, but they also offer other productivity-enhancing features, including:

  • automatically launching website URLs and then filling in your username and password;
  • encrypting not only your usernames and passwords but also free-text notes, stored as “secure notes”;
  • generating strong randomized passwords for use;
  • in most cases, providing online training videos and tutorials to get you started in adopting this technology;
  • LastPass offers Enterprise features unique and appropriate to businesses, allowing for:
    • separating personal password entries from business entries, so that business passwords can be deleted independently from personal passwords after a termination;
    • sharing passwords between employees where authorized or in an emergency;
    • enforcing mandatory complexity on Master Passwords, resetting of Master Passwords, and unlocking of LastPass after failed login attempts.
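The list above mentions that password managers generate strong randomized passwords. The following is an added example, not code from LastPass or any other product named here, showing how such a generator draws characters from a cryptographically secure random source, checks the result against a complexity policy, and reports the entropy a user gains over a short hand-chosen password. The policy (16+ characters, four character classes) and the symbol set are assumptions for illustration, not any vendor's rule set.

```python
import math
import secrets
import string

# Character classes a typical complexity policy requires. The policy itself is
# an assumption for this example, not a particular product's rule set.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}
ALPHABET = "".join(CLASSES.values())  # 85 distinct characters


def meets_policy(password: str, min_length: int = 16) -> bool:
    """True when the password is long enough and contains every character class."""
    if len(password) < min_length:
        return False
    return all(any(ch in chars for ch in password) for chars in CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Draw uniformly random characters from the CSPRNG until the policy is met.

    Rejection sampling keeps every position uniformly random; forcing one
    character of each class into fixed positions would reduce the entropy
    and make the structure of the password predictable.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to contain every required class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, "policy ok:", meets_policy(pw))
    print("20 random chars from 85 symbols: %.1f bits" % entropy_bits(20))
    print("8 lowercase letters: %.1f bits" % entropy_bits(8, 26))
```

The entropy figures make the case for the generator: twenty characters drawn uniformly from an 85-symbol alphabet carry about 128 bits, while an eight-letter lowercase word carries under 38, before accounting for the fact that human-chosen words are far from uniform. `secrets` rather than `random` is the important detail; the latter is not designed to resist prediction.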

What happens if the Password Manager or its website is Hacked?

Security experts agree that because Master Passwords are Salted, Hashed, and Stretched, the worst that can happen in a breach is that you have to change your Master Password. Master Passwords cannot be brute forced because of the cryptographic protections applied to them before they are stored for authentication. If all companies did this, password breaches would be a thing of the past. Furthermore, the alternative model, where you reuse your password all over the Internet, is far, far worse!
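To make "Salted, Hashed, and Stretched" concrete, here is an added example of how an authentication server can store and verify a Master Password without ever keeping the password itself. It is illustrative code, not the implementation of LastPass or any product named on this page. PBKDF2-HMAC-SHA256 with 600,000 iterations and a 16-byte random salt are assumed parameters chosen for this example; real products pick their own key-derivation function and work factor.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration, not any vendor's settings.
ITERATIONS = 600_000   # "stretching": each guess costs this many HMAC rounds
SALT_BYTES = 16        # "salting": a fresh random value per user
KEY_LEN = 32           # length of the derived key that is actually stored


def hash_master_password(password: str, salt: Optional[bytes] = None,
                         iterations: int = ITERATIONS) -> dict:
    """Salt, hash and stretch a master password with PBKDF2-HMAC-SHA256.

    Returns the verifier record a server would store. It contains the salt,
    the iteration count and the derived key, but never the password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, iterations, dklen=KEY_LEN)
    return {"salt": salt, "iterations": iterations, "hash": derived}


def verify_master_password(candidate: str, record: dict) -> bool:
    """Recompute the stretched hash with the stored salt and compare in constant time.

    hmac.compare_digest avoids leaking how many leading bytes matched through
    timing differences, which a plain == comparison can do.
    """
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                  record["salt"], record["iterations"],
                                  dklen=KEY_LEN)
    return hmac.compare_digest(derived, record["hash"])


def same_password_different_salts_differ(password: str) -> bool:
    """Two users who chose the same password get unrelated stored hashes.

    This is what the salt buys: a stolen database cannot be attacked with one
    precomputed table, and identical passwords are not visible as duplicates.
    """
    a = hash_master_password(password)
    b = hash_master_password(password)
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]


if __name__ == "__main__":
    record = hash_master_password("correct horse battery staple")
    print("stored hash:", record["hash"].hex())
    print("correct password verifies:",
          verify_master_password("correct horse battery staple", record))
    print("wrong password verifies:",
          verify_master_password("Correct horse battery staple", record))
    print("same password, different salts, different hashes:",
          same_password_different_salts_differ("correct horse battery staple"))
```

Each of the three protections does a distinct job. The salt defeats precomputed tables and hides duplicate passwords; the hash means the stored record cannot be reversed to the password; the stretching multiplies the attacker's cost per guess by the iteration count, so a leaked record is slow to attack offline. Stretching raises the price of each guess rather than ruling guessing out, which is why a long, unique Master Password is still the user's side of the bargain.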

Conclusions

Password managers are an essential component of a strong cyber security program. They enable employees to comply with a robust password policy requiring strong, unique, and complex passwords. Providing training on how to use a Password Manager is key to a successful deployment. Password Managers are an absolute necessity when trying to secure your business and its critical information.

Contact Neoscope (cybersecurity@neoscopeit.com) if you’d like more information on our Password Management solution and how it can help your business become more secure and efficient!