Whenever we speak to clients about their passwords, they groan about the number of passwords they have to remember these days. Most report that, even though they know they shouldn't, they end up using the same password everywhere, or a variation of the same password on each site. A 2017 survey by Keeper Security found that up to 87% of respondents aged 18-30 reuse their passwords on multiple sites; that number drops to just 81% for those 31 and older. This is a problem we need to solve, because it increases our vulnerability to an attack exponentially.
A client called a few weeks ago; he thought he had been hacked. The attacker had sent him an email claiming to hold one of his personal passwords, and included that password in the body of the email as proof that the message was genuine. The attacker went on to explain that he had compromised the client's PC over a remote desktop connection, taken control of the webcam and recorded video of the client doing some nasty things; he would send this video to the client's entire contact list unless he was paid an amount in bitcoin. This client was particularly tech savvy and would have deleted the email as spam had it not contained one of his own passwords. It didn't take us long to realize that the attacker could not have compromised his systems in the way he claimed. The next day a news story about the email, which had circulated to many people, appeared on TV. Our client deleted the email and no one on his contact list ever received anything. This client was lucky: he already kept an encrypted note of all of his passwords organized in a program, and was able to go down his list and change every one of them. Many clients would not be so lucky.
The attacker had obtained the password from an old security breach whose data had been dumped on the dark web: thousands of passwords compromised from a single site, and our client's was one of them. So if you have been using the same passwords for years, only varying them slightly, it is entirely possible that they are already out in the open, waiting to be picked up by an opportunistic hacker. This is the best argument I have ever heard for regularly changing your passwords.
The issue is, we are not robots. We are all aware of the security advantages of a 42-character alphanumeric password that contains both upper and lower case letters and symbols and is different for each site we use; the problem is that this would be impossible for us to keep track of. It is, however, absolutely essential to keeping our services secure. A 2017 Verizon Data Breach Report indicated that 81% of hacking-related breaches leveraged a stolen and/or weak password. The best answer we have for this problem is a password manager.
As soon as we say this to anyone, the first question they ask is "What if the password manager gets hacked?" That's a good question. Even password managers are not perfect, so we have to be careful in selecting one and take a hard look not only at the software but also at the company that created it and how it deals with breaches (1Password is our password manager of choice). Most password managers are very well hardened against security breaches: the data is encrypted in the cloud and only readable from your PC or mobile device with the encryption key and your master password (which should be sufficiently complex, since it is the only one you will have to remember going forward). We should design our business practices and habits on the assumption that our passwords will be compromised, and a password manager serves us well here too, keeping an inventory of all the places online where we are vulnerable and a record of current and past passwords for all of our services. It warns us when accounts are compromised or duplicate passwords are in use. The manager also tracks which employees had access to which passwords, and which passwords need to be changed when an employee leaves the company.
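As an added illustration of the two audits described above (not 1Password's code or our own), this Python sketch runs over a constructed vault and flags passwords that are reused outright or differ only by the slight variations mentioned earlier, then matches them against a constructed breach dump modelled as a set of SHA-1 hashes.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample vault (site -> password); none of these are real credentials.
VAULT = {
    "mail.example": "Summer2019!",
    "bank.example": "summer2019",
    "shop.example": "Summer2020!",
    "forum.example": "correct horse battery staple",
    "cloud.example": "Tr0ub4dor&3",
}

# Constructed stand-in for a leaked dump, modelled as SHA-1 hashes so the audit
# never has to carry the plaintext list around.
BREACH_DUMP_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["summer2019", "password1", "qwerty"]
}

# Digit/symbol-for-letter substitutions people use to "vary" a password.
LEET = str.maketrans("013457@$", "oleastas")


def normalize(password):
    """Collapse the usual slight variations: case, a trailing year or
    symbol, and substitutions such as 0 for o or 4 for a."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)   # drop trailing digits/punctuation ("2019!", "&3")
    return p.translate(LEET)          # "tr0ub4dor" -> "troubador"


def find_reuse(vault):
    """Group sites whose passwords are identical or differ only by such tweaks."""
    groups = defaultdict(list)
    for site, pw in vault.items():
        groups[normalize(pw)].append(site)
    return {base: sorted(sites) for base, sites in groups.items() if len(sites) > 1}


def find_breached(vault, dump_sha1):
    """Return the sites whose current password appears in the dump."""
    return sorted(site for site, pw in vault.items()
                  if hashlib.sha1(pw.encode()).hexdigest().upper() in dump_sha1)


if __name__ == "__main__":
    for base, sites in find_reuse(VAULT).items():
        print(f"reused (base '{base}'): {', '.join(sites)}")
    for site in find_breached(VAULT, BREACH_DUMP_SHA1):
        print(f"in breach dump: {site}")
```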
Having said all of that, the best security strategies are ALWAYS multi-layered in their approach. For the second layer of your password management strategy, I highly recommend adding two-factor authentication. Two-factor authentication exists on most major online services, such as G Suite and Office 365, and just needs to be enabled. For your PC, and to help protect your password manager's information, we use a service called Duo. Your first factor is something you know, your password; Duo adds a second factor, something you have. It lets your PC confirm your login via a push message to your smartphone after you have entered your password. Duo also integrates directly with our favourite password manager to add a second factor for 1Password logins. This software not only makes our networks more secure, by ensuring that two factors are used when we log in to our PCs, but can also give us a heads-up that one of our passwords has been compromised: if you start getting authentication requests on your phone for a login you did not initiate, change that password immediately.
Implementing these business practices can be a complex and time-consuming task, but one that is well worth the peace of mind.
If you would like to implement password management and two factor authentication for your company, please give us a call @ 587-400-9573 or drop us an email at firstname.lastname@example.org.