Premise: the world of information security is trying to overcome the era of password management. The reason is simple: according to a Verizon study, 81% of corporate data breaches occur due to poor passwords, which we could translate as “vulnerable passwords.” Furthermore, data breaches are costly: 4.24 million dollars on average, according to the latest report from IBM.
Towards the password-less universe
Considering passwords’ impact on information security, on a company’s regulatory compliance, on the costs it incurs, and on possible penalties, it is understandable why analysts consider “password-less” one of the significant trends in contemporary security. We see it daily, given that access to many smartphones and PCs now happens through biometric authentication mechanisms such as fingerprint or face recognition. As with any technology, these systems are not 100% secure, but they are certainly more so than typing a few characters into a form. Also, in business contexts password-less does not replace multi-factor authentication and single sign-on (SSO) but adds to them.
The password, or rather a considerable risk
If password-less is undoubtedly the future, password management is still the present and one of the main risk factors for cyber security. Companies are increasingly adopting single-sign-on (SSO) mechanisms, which allow access to various systems through a single access point supported by all the latest security technologies.
Single Sign-On (SSO) reduces the fragmentation of accounts and related passwords, enhancing the corporate security posture. At the same time, it inevitably represents a single point of failure. If the bad guys were to get hold of the access credentials (e.g., through the hacking of the identity provider), they could act undisturbed in many systems.
It is not your responsibility to protect your identity provider, but it is your responsibility to keep your login credentials secret. A password can be acquired with a specific attack (e.g., brute force) but also through a phishing campaign, where it is in fact the user who hands it to the bad guys. To this end, companies should always invest in security awareness, i.e., in courses, platforms, and simulated cyber attacks, to educate their staff on security risks and develop some healthy “distrust.”
4 good password management tips
As in almost all areas of computer security, password protection is also a mix of best practices and protection tools. Today as never before, with exponential growth in cybercrime, following traditional advice has become essential to avoid exposing yourself and your company to high-risk situations. Here are some valuable tips:
Unfortunately, sooner or later one of your online accounts is compromised and its credentials appear on the dark web. The typical reaction of people is indifference, unless the hacked account holds payment data or highly confidential information.
Unfortunately, people use the same login credentials for different services and accounts. The bad guys know this and, having acquired one username/password pair, they try it against commonly used systems such as Google or Amazon accounts. Furthermore, they consult social networks to find out where their victims work and try to access company systems from the outside.
Given that the user ID is often the user’s email address, using a different password for each account is imperative, even if this makes them more difficult to remember.
Very often, passwords are discovered through brute force attacks, which try all possible combinations in succession until the right one is hit. The longer and more complex the password, the harder it is for the attempt to succeed. Words with a complete meaning should be avoided as much as possible, since the bad guys usually direct their attempts toward them first (the so-called dictionary method, which reduces the time the attack takes).
The advice here is simple: you need to adopt strong authentication wherever possible, with the one caveat of avoiding OTP codes sent via SMS, because they can be intercepted. I prefer biometric authentication.
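As an added illustration of the brute-force and dictionary reasoning above (this is example code, not part of the original article): a small strength estimator that computes the search space an attacker must cover from the character classes used, collapses that space when the password is just a common word with the usual digit suffix or leet substitutions, and converts it into a worst-case cracking time. The word list and the guess rate are constructed assumptions for the example.

```python
import math
import string

# Constructed mini wordlist standing in for a real cracking dictionary (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "football", "monkey"}
# Mangling rules a cracker typically applies to each dictionary word (assumed multiplier).
MANGLING_RULES = 1000
# Assumed offline guess rate against a fast, unsalted hash (illustrative figure only).
GUESSES_PER_SECOND = 10_000_000_000


def charset_size(pw: str) -> int:
    """Size of the alphabet the attacker must cover, from the character classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation or c == " " for c in pw):
        size += len(string.punctuation) + 1
    return size


def is_dictionary_word(pw: str) -> bool:
    """True when the password is a common word, possibly with a digit/punctuation suffix or leet spelling."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    deleet = core.translate(str.maketrans("4301$@!", "aeoisai"))
    return core in COMMON_WORDS or deleet in COMMON_WORDS


def estimate(pw: str) -> dict:
    """Return search-space bits, whether it is a dictionary hit, and worst-case seconds to crack."""
    dictionary = is_dictionary_word(pw)
    if dictionary:
        # A dictionary hit shrinks the search to the wordlist times the mangling rules.
        bits = math.log2(len(COMMON_WORDS) * MANGLING_RULES)
    elif not pw:
        bits = 0.0
    else:
        bits = len(pw) * math.log2(charset_size(pw))
    return {"bits": round(bits, 1), "dictionary": dictionary, "seconds": 2 ** bits / GUESSES_PER_SECOND}
```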
Frequent password change
Although it is an established practice, the simple act of cycling the password gives no guarantee of protection. The case in which a change is essential is when the password has been compromised: then it must be replaced as quickly as possible.
In the absence of compromise, it is advisable to use a strong password and keep it, rather than replacing it on a regular schedule. As is commonly observed, forced rotation leads people to choose weak passwords because they are easy to remember, and to alternate the same few over and over, which certainly does not represent a security best practice.
In (very) dated systems that do not allow the use of complex passwords and do not implement modern protection dynamics, periodically replacing the password may make sense, but in all other cases, the real protection is obtained differently.
Better managing passwords: the era of password managers
The only downside to managing many different passwords is the extreme complexity that comes with it. On the other hand, an article by Troy Hunt from 2011 stated it clearly: “The only secure password is the one you don’t remember.” And it is precisely to this that we owe the great success of password managers.
People have hundreds of accounts on average, and if they followed security best practices to the letter, they would end up with just as many complex, meaningless, and all different passwords. Ruling out recording them by hand in an Excel sheet (which would then itself need protecting), one can rely on systems created explicitly for password management: password managers.
The password manager is a tool that safely stores, using cryptographic techniques, the passwords of all user accounts and simplifies (or automates) their entry into the login forms. Instead of remembering hundreds of highly complicated passwords, users only need to remember one, the password manager’s master password, which effectively gives access to all the others. Some benefits:
- For each new account, the password manager proposes a unique and highly complex text string, which it then stores securely;
- You can adopt all security best practices in a simple and, above all, convenient way;
- Often it does not just store the password but lets you extend the entry with other data such as telephone numbers and personal details;
- Password managers usually provide a form filler synchronized with the browser, so the password does not even have to be copied and pasted;
- They are based on state-of-the-art cryptographic techniques;
- They protect against phishing, because if the site requesting the password is not the same one where the credential was originally stored, the manager does not proceed any further.
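The anti-phishing behaviour in the last point is easy to see in code. The following is an added example, not code from any real password manager: each vault entry remembers the exact origin (scheme, host, port) it was saved on, and autofill offers a credential only when the current page’s origin matches exactly, so lookalike domains, the real name used as a subdomain of another domain, plain http pages and odd ports all get nothing. The vault contents are constructed.

```python
from urllib.parse import urlsplit

# Constructed vault: each entry remembers the origin where the credential was saved (assumption).
VAULT = [
    {"name": "Example bank", "origin": "https://login.example-bank.com", "username": "alice"},
    {"name": "Webmail", "origin": "https://mail.example.org", "username": "alice@example.org"},
]


def normalize_origin(url: str):
    """Reduce a URL to a (scheme, host, port) tuple; return None for anything that is not https."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # plaintext or malformed pages never receive a stored secret
    port = parts.port or 443
    return (parts.scheme, parts.hostname.lower().rstrip("."), port)


def entries_for(page_url: str) -> list:
    """Return only the vault entries whose saved origin equals the page origin exactly.

    Comparing the whole host (not a substring, not a suffix) is what stops a phishing
    page such as login.example-bank.com.evil.test or login.examp1e-bank.com from being
    offered the bank credential.
    """
    page = normalize_origin(page_url)
    if page is None:
        return []
    return [e for e in VAULT if normalize_origin(e["origin"]) == page]
```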
The most popular password managers: personal and corporate
Most people deal with password managers built into web browsers. You recognize them when, after registering a new web account, they ask whether or not to memorize the password, and then, later, they automatically enter it in the forms. The most common are:
- Google Chrome
- Microsoft Edge
- Safari for macOS
Among the stand-alone applications:
The market-leading tool is ubiquitous in the Mac environment, although it is available for all operating systems, and comes with extensions for Chrome and Firefox. To protect customers’ passwords, it adopts advanced technologies such as 256-bit encryption and, by continuously consulting the Have I Been Pwned site, warns the user of potential compromises of their passwords.
Bitwarden is a free password manager with paid premium versions, whose source code is public on GitHub. The tool also offers a rich set of browser extensions, a pleasant interface, and 256-bit encryption.
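The Have I Been Pwned check mentioned above relies on the Pwned Passwords “range” protocol, in which the client sends only the first five hex characters of the password’s SHA-1 hash and compares the returned suffixes locally, so the full hash never leaves the device. The following is an added example, not the code of any of the managers listed: it rebuilds that exchange offline against a constructed breach corpus with made-up counts, and records what the client transmitted so the privacy property can be verified.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Pwned Passwords keys its corpus by the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus standing in for the real Have I Been Pwned data set (assumption):
# plaintexts seen in leaks, each with a made-up occurrence count.
_LEAKED = {"password": 9_000_000, "123456": 23_000_000, "letmein": 150_000, "Dragon2024!": 3}
_BY_PREFIX = defaultdict(list)
for _pw, _count in _LEAKED.items():
    _h = sha1_hex(_pw)
    _BY_PREFIX[_h[:5]].append((_h[5:], _count))

SENT_PREFIXES = []  # records what the client actually transmitted, for inspection


def range_lookup(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/{prefix}: returns 'SUFFIX:COUNT' lines."""
    SENT_PREFIXES.append(prefix)
    return "\n".join(f"{suffix}:{count}" for suffix, count in _BY_PREFIX.get(prefix, []))


def breach_count(password: str, lookup=range_lookup) -> int:
    """Return how often the password appears in the corpus, sending only a 5-hex-char prefix."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        found_suffix, count = line.split(":", 1)
        if found_suffix == suffix:  # comparison happens client-side, never on the server
            return int(count)
    return 0
```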
LastPass is one of the most used and widespread password managers ever. Its plans meet the needs of individual users but also companies that need to protect the passwords of all employees. Among its peculiarities is access without a password and monitoring of the dark web to detect any compromises of stored accounts.
Dashlane has a personal and a professional version; the latter can be fully integrated with corporate information systems and is rich in security tools and customizable control dashboards.