Password Management

January 14, 2021

Passwords are synonymous with security, and managing these digital keys has become exponentially difficult and insecure. How many passwords can a human remember? Three, five, ten, maybe, on a good day. Now consider the number of passwords used in both your professional and personal lives; the number of logins grows astronomically. Let's discuss keeping track of them, how to manage them, and some ways threat actors use a stolen password to take over other accounts.

How do you keep track of your passwords? A spreadsheet, post-it notes, a little black book, or some variation of a single password? These passwords are keys to your digital kingdom. Analog methods (post-it notes, your little black book) are options to house passwords, and so is a spreadsheet. Unfortunately, we should think of the oh sh*t moments: what happens if you misplace it, your child decides they need paper for their latest creation, or your hard drive decides it's a great time to die? Some of you are thinking, "But Google has my back, I save it to the Chrome browser." Google only recently started to encrypt the password vault, and in December 2019 they did release a function to check if your credentials were compromised; the only kicker is that you have to log in to that site to get the warning. Check it here.

Third-party password managers are a better option. They provide features like integration with your identity management tools (Active Directory), security checks for weak passwords, and a strong password generator, to name a few. The management tools have reporting functions to show compromised and reused passwords (more on this later). They can include easy-to-use functions like autofill and auto-capture to make using and adding new passwords a breeze. These are great, but what about the scenario of the child with a creative sense? Most managers will have cloud-based offerings that are encrypted and only accessible by the organization/you, meaning that if they have an incident, your passwords can't leak out since they are encrypted. The third party doesn't have the encryption key. Creating a super-strong master password provides this level of security. Options on password managers to consider are here.
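The reporting features described above (reused, weak and compromised passwords) are easier to reason about with a concrete implementation. The following is an added example, not code from the original post or from any password manager product. It assumes a constructed vault of hypothetical accounts and a constructed local breach corpus standing in for a remote breached-password service; the `range_lookup` function mimics the k-anonymity "range" query style used by services such as Have I Been Pwned's Pwned Passwords, where the client sends only the first five hex characters of a SHA-1 hash and compares the returned suffixes locally, so the full hash never leaves the machine.

```python
import hashlib
import math
from collections import defaultdict

# Constructed vault contents: hypothetical sites and credentials, not real ones.
VAULT = [
    {"site": "shop.example", "user": "pat@example.com", "password": "mycutepuppy"},
    {"site": "social.example", "user": "pat@example.com", "password": "mycutepuppy"},
    {"site": "mail.example", "user": "pat@example.com", "password": "Winter2021!"},
    {"site": "bank.example", "user": "pat", "password": "q7#Vb2!mLp9$ZrT4wX"},
]

# Constructed stand-in for a breach corpus: SHA-1 hashes of a few passwords that
# appear in public credential dumps. A real service holds hundreds of millions.
BREACHED_PASSWORDS = ["mycutepuppy", "password", "123456"]
BREACH_CORPUS = {hashlib.sha1(p.encode()).hexdigest().upper() for p in BREACHED_PASSWORDS}


def range_lookup(prefix):
    """Server side of a k-anonymity range query (simulated locally): return the
    suffix of every corpus hash whose first five hex characters match `prefix`."""
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_compromised(password):
    """Client side: hash locally, send only the 5-char prefix, match suffixes locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def estimate_entropy_bits(password):
    """Rough strength estimate: length times log2 of the character-class pool size.
    This deliberately simple heuristic overrates predictable patterns (a season plus a
    year, for instance); real managers add dictionary and pattern checks on top."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def vault_report(vault, weak_threshold_bits=80):
    """Produce the three lists a manager's health report shows: sites whose password
    is reused elsewhere in the vault, sites with a weak password, and sites whose
    password appears in the breach corpus."""
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])
    report = {"reused": [], "weak": [], "compromised": []}
    for entry in vault:
        pw = entry["password"]
        if len(sites_by_password[pw]) > 1:
            report["reused"].append(entry["site"])
        if estimate_entropy_bits(pw) < weak_threshold_bits:
            report["weak"].append(entry["site"])
        if is_compromised(pw):
            report["compromised"].append(entry["site"])
    return report


if __name__ == "__main__":
    for category, sites in vault_report(VAULT).items():
        print(f"{category}: {', '.join(sites) or 'none'}")
```

The point of the prefix/suffix split in `is_compromised` is the same one the post makes about the vault itself: the check can be outsourced without handing the third party anything that reveals the password.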

For a business password manager, think about who will manage it for you. Will someone be knighted the Baron or Baroness of password land? That person will need to have strong interpersonal skills to change the organization's culture and keep adoption on track. Also, does it offer a discounted or free option for employee personal use? The personal use option will help in hardening your users and build up the security culture of the organization. Threat actors may not be able to steal the credentials of your organization, but if they take out a key person with identity theft, it can be just as bad. Another option is to see if your technology partner can assist with managing the software in a way that doesn't require having access to the passwords.

Speaking of passwords or reuse of passwords, let's discuss credential stuffing and password spraying.

  • Credential stuffing is a method threat actors use to take a stolen password and your email(s) and attempt to stuff them into as many popular sites as possible to see if the combination works. Maybe you're still using the same password you used to sign up for Facebook 6 years ago, your password mycutepuppy? And maybe you've been reusing the same password since then for all your social, shopping, and business needs? Unfortunately, bad actors now have access to your Amazon shopping, Twitter, Office email, etc. accounts. This can spin off into multiple areas of either business compromise or identity theft.
  • Password spraying is similar, but threat actors will attempt to use a common password across multiple sites using your email address(es). A password manager can help report and identify where the potential compromise lies and provide a method to check for websites that have had their database stolen.
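From the defender's side, both techniques leave a recognisable shape in an authentication log, and that shape is what a detection rule keys on. The following is an added example, not code from the original post: it parses a constructed sample log (a hypothetical `login user=... ip=... result=...` line format, with addresses from the documentation ranges) and applies two simple heuristics. A spray shows up as one source failing against many accounts with only an attempt or two each; a stuffing run shows up as many sources each making a single attempt against a different account, because the attacker is replaying a list of leaked user/password pairs rather than guessing. The thresholds and window sizes are assumptions to be tuned to the environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system). It mixes
# ordinary logins with the two patterns described above:
#  - 09:30  one source tries six accounts once each (password spraying)
#  - 10:00  eight sources each try one account once (credential stuffing),
#           and one of the stolen pairs still works
SAMPLE_LOG = """\
2021-01-14T09:00:01 login user=alice ip=192.0.2.10 result=fail
2021-01-14T09:00:05 login user=alice ip=192.0.2.10 result=ok
2021-01-14T09:00:09 login user=bob ip=192.0.2.11 result=ok
2021-01-14T09:30:00 login user=alice ip=198.51.100.7 result=fail
2021-01-14T09:30:01 login user=bob ip=198.51.100.7 result=fail
2021-01-14T09:30:02 login user=carol ip=198.51.100.7 result=fail
2021-01-14T09:30:03 login user=dave ip=198.51.100.7 result=fail
2021-01-14T09:30:04 login user=erin ip=198.51.100.7 result=fail
2021-01-14T09:30:05 login user=frank ip=198.51.100.7 result=fail
2021-01-14T10:00:00 login user=grace ip=203.0.113.1 result=fail
2021-01-14T10:00:01 login user=heidi ip=203.0.113.2 result=fail
2021-01-14T10:00:02 login user=ivan ip=203.0.113.3 result=ok
2021-01-14T10:00:03 login user=judy ip=203.0.113.4 result=fail
2021-01-14T10:00:04 login user=mallory ip=203.0.113.5 result=fail
2021-01-14T10:00:05 login user=niaj ip=203.0.113.6 result=fail
2021-01-14T10:00:06 login user=olivia ip=203.0.113.7 result=fail
2021-01-14T10:00:07 login user=peggy ip=203.0.113.8 result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)
EPOCH = datetime(2000, 1, 1)  # arbitrary fixed origin for window bucketing


def parse_auth_log(text):
    """Parse the constructed log format into event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "ip": m["ip"], "result": m["result"]})
    return events


def _window_key(ts, window):
    # Fixed, non-overlapping time buckets: every event maps to exactly one window.
    return (ts - EPOCH) // window


def detect_password_spraying(events, window=timedelta(minutes=5),
                             min_accounts=5, max_per_account=2):
    """One source, many accounts, few failed attempts each.
    Returns {source_ip: [accounts targeted]}."""
    failures = defaultdict(Counter)  # (window, ip) -> attempts per account
    for e in events:
        if e["result"] == "fail":
            failures[(_window_key(e["ts"], window), e["ip"])][e["user"]] += 1
    findings = {}
    for (_, ip), users in failures.items():
        if len(users) >= min_accounts and max(users.values()) <= max_per_account:
            findings[ip] = sorted(users)
    return findings


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_sources=6):
    """Many sources, each making a single attempt: a leaked credential list being
    replayed from distributed infrastructure. Each finding lists the accounts hit
    and, most urgently, the pairs that still worked and need a forced reset."""
    by_window = defaultdict(list)
    for e in events:
        by_window[_window_key(e["ts"], window)].append(e)
    findings = []
    for key in sorted(by_window):
        evs = by_window[key]
        per_ip = Counter(e["ip"] for e in evs)
        one_shot = [e for e in evs if per_ip[e["ip"]] == 1]
        sources = {e["ip"] for e in one_shot}
        if len(sources) >= min_sources:
            findings.append({
                "window_start": (EPOCH + key * window).isoformat(),
                "sources": len(sources),
                "accounts": sorted({e["user"] for e in one_shot}),
                "succeeded": sorted(e["user"] for e in one_shot if e["result"] == "ok"),
            })
    return findings


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_LOG)
    print("spraying:", detect_password_spraying(events))
    for finding in detect_credential_stuffing(events):
        print("stuffing:", finding)
```

The `succeeded` list is the one that matters operationally: a stuffed pair that logged in successfully means the password is reused from a breached site, which is exactly the reuse a password manager's report would have flagged beforehand.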

Password management can rely on low-tech methods for keeping track, but those cannot be recovered if they are lost or stolen, or after a hard drive crash. Third-party managers provide a wide range of tools to identify weaknesses in your organization's passwords, report on compromise, and remove the reuse of passwords. These features help to minimize the ability of threat actors to successfully use credential stuffing or password spraying techniques.

If you're considering implementing a Password Management strategy or solution and have additional questions, don't hesitate to reach out to us!

Tags: Data, Password, Security, Technology