How to keep your secrets safe: A password primer
There are two types of businesses in the world: those that have been targeted by criminals and those that have been targeted and don’t know it yet. Criminals are relentless.
Today’s cyberattacks have evolved into high-level espionage conducted by robust criminal organizations or nation-states. In the age of Software as a Service (SaaS), corporate data is stored in the cloud rather than on-premises. Using sophisticated cloud-scanning software, criminals can break into an organization’s systems within seconds of going online. And the cost of a data breach can be enormous.
As a crucial first line of defense against hackers, passwords have been used since the dawn of the internet and I believe they will be used long after I retire.
However, the majority of business-related passwords do not meet minimum security requirements – and the number of companies lacking multi-factor authentication tools or corporate controls is overwhelming.
As a password cracking specialist, I help lead IBM’s X-Force Red, an autonomous team of experienced hackers within IBM Security that helps organizations discover and identify critical vulnerabilities for cyberattacks. Our mission is to “hack everything to secure everything”.
One thing I know for sure: your company system is being hacked. Password breaches are on the rise, and the vast majority of corporate breaches can be traced back to poor password security. So how can your business protect itself?
Strong password hygiene paired with an enterprise password manager backed by corporate policies and multi-factor authentication reduces your risk. And in the cloud age, every connection, every device, every user must be equipped with Zero Trust security at all times.
To improve password security, reduce user friction
Why are weak passwords so common? As online accounts multiply, password fatigue is on the rise. To make life easier, many people repeat the same easy-to-remember password across multiple accounts. These weak passwords are easily cracked, creating security holes that allow cybercriminals to access company, employee, and customer data.
Whether passwords are stolen through phishing, malware, or brute force attacks, they give criminals access to valuable corporate and/or personal information. This stolen information can be sold on darkweb marketplaces, where it can be used to launch multiple ongoing attacks related to the original breach.
A password manager can prevent problems before they happen by automating password resets and preventing unnecessary Active Directory lockouts, reducing user friction and lost productivity. When integrated across systems and accessible even outside of employees’ corporate resources, it can add real business value. Yet only a fraction of companies buy an enterprise password manager, and those that don’t often cite cost as the reason.
I believe the upfront cost of a password manager needs to be weighed against the losses associated with a breach and the associated user productivity. For example, when users are locked out of their computers — and don’t have a company phone to perform two-factor authentication (2FA) — there is an immediate loss of productivity while they call the helpdesk and wait to be unblocked.
Start with good password hygiene
A good password offers an easy way to protect yourself from most cyber threats. Let’s look at password habits that can minimize the impact of password vulnerabilities and improve the security of your organization.
- Go long: Use a 12-16 character string that mixes upper and lower case letters, numbers, symbols and non-dictionary words. A brute force attack would take several years to crack such a password.
- Don’t repeat passwords: A no-repeat policy is best. 52 percent of all internet users admit that they use the same password for many accounts, and a breach of any one of those accounts can jeopardize your company’s security.
- Change passwords often, especially after a successful attack. And don’t share them with anyone or write them on sticky notes.
- Layer protection with two-factor (2FA) or multi-factor (MFA) authentication, ideally paired with a dedicated authenticator app that can generate a unique and frequently changing code. Biometric authentication—fingerprints, retinal scans, voice signatures—can increase security as part of MFA, but it’s not foolproof. A strong password will always be an important part of biometric authentication.
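As an added illustration of the hygiene rules above (example code written for this page, not a tool from the author or IBM), the checker below applies the length, character-class, dictionary and no-reuse rules to a candidate password and estimates the worst-case brute-force time. The dictionary, the reuse history and the guess rate of 10 billion guesses per second are constructed assumptions; real rates depend on the hash algorithm and the attacker’s hardware.

```python
import hashlib
import re
import string

# Constructed sample wordlist; a real check uses a large dictionary or breach list.
DICTIONARY = {"password", "welcome", "summer", "company", "letmein"}
# Assumed offline guess rate (guesses per second) for the time estimate.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600

def policy_violations(password: str, previous_hashes: set) -> list:
    """Return the hygiene rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    # Dictionary rule: strip digits and symbols and test the alphabetic core.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in DICTIONARY:
        problems.append("based on a dictionary word")
    # No-reuse rule: compare against hashes of past passwords. A production
    # history store should use a slow, salted hash rather than plain SHA-256.
    if hashlib.sha256(password.encode()).hexdigest() in previous_hashes:
        problems.append("reused from a previous password")
    return problems

def charset_size(password: str) -> int:
    """Size of the smallest character set an attacker must cover for this password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size

def brute_force_years(password: str) -> float:
    """Years to exhaust the full keyspace at GUESSES_PER_SECOND (worst case)."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / GUESSES_PER_SECOND / SECONDS_PER_YEAR
```

The estimate is a keyspace bound, not a prediction: a password that appears in a breach list falls to a dictionary attack long before the keyspace is exhausted, which is why the dictionary and reuse rules are checked first.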
9 Reasons to Use an Enterprise Password Manager
Changing authentication secrets frequently is one of the best defenses against compromise. A reputable password manager like 1Password for Enterprise will generate unique credentials for each account and securely store them in a vault that can be accessed by individuals, employees, or teams with a Master Password. Here are nine reasons why a password manager makes good business sense.
- Simplify password overload: Cloud-based password managers offer the convenience of accessing the password from any device.
- No more weak passwords: Long, complicated passwords that would take hackers years to crack are easily generated by password managers.
- Monitor password changes: A password manager supports company security policies by monitoring how often passwords are changed and whether they comply with company policies.
- Harder to hack: Password managers make it harder for criminals to steal identities because automatically generated passwords are not tied to the user’s identity and contain no personal information.
- Improve operational efficiency: Your IT help desk spends hours resolving employee password reset requests, a waste of business resources. A password manager eliminates these problems and improves IT and end-user productivity.
- Protect yourself against phishing and identity theft: A password manager will not automatically fill out a phishing form if a user accidentally clicks on it. Not only does it detect the wrong domain name, but it could also alert the security team about the event.
- Contain data breaches: By generating a unique password for each application, the password manager eliminates the domino effect of data breaches when a single account is compromised.
- Integrated two-factor authentication: Most business password managers enforce 2FA or MFA on users before they are allowed to access your company portal or applications.
- Better security than browser password managers: Users often allow passwords to be auto-filled from browser memory when they sign in. This is not safe for your company. If the device is compromised, passwords can be stolen. A password manager requires the user to have a master password to unlock the vault.
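The phishing-resistance point above rests on one rule: a password manager keys each credential to the site it was saved for and refuses to fill it anywhere else. The example below (added for this page; not 1Password’s or any vendor’s code) shows that decision over a constructed vault, accepting a subdomain of the saved site but refusing a lookalike host, a host that merely contains the saved name, and a plain-http downgrade.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed vault: each credential is keyed by the host it was saved for.
VAULT = {
    "example.com": {"username": "alice", "password": "kX7#mQ2$vL9!pW"},
}

def page_origin(url: str) -> Tuple[str, str]:
    """Return (scheme, host) for the page, both lower-cased."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()

def matches_site(page_host: str, saved_host: str) -> bool:
    """True only when page_host is saved_host itself or a subdomain of it.
    'example.com.evil-login.net' contains the saved name but is not a subdomain."""
    return page_host == saved_host or page_host.endswith("." + saved_host)

def autofill_decision(page_url: str) -> Tuple[Optional[str], str]:
    """Decide whether to fill a login form on page_url.
    Returns (username to fill or None, reason). A refusal is the event a
    security team would want logged, as the article notes."""
    scheme, host = page_origin(page_url)
    if scheme != "https":
        return None, f"refused: page is not served over https ({scheme or 'no scheme'})"
    for saved_host, creds in VAULT.items():
        if matches_site(host, saved_host):
            return creds["username"], f"filled: {host} belongs to {saved_host}"
    return None, f"refused: no saved credential for {host}"
```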
Protect your secrets from criminals
The need for shared secrets will never go away – and there is no such thing as 100% protection. The bottom line? Despite the security challenges, passwords are here to stay. What matters is how user secrets are generated, managed, and protected.
Yes, progress is being made towards passwordless authentication. For example, Fast Identity Online 2 (FIDO2) promises to provide a smooth, secure online authentication mechanism. However, it will take some time to implement, and we probably won’t see 100 percent adoption. What can you do in the meantime?
The good news: There are steps companies can take to prevent and mitigate password breaches. Organizations that invest in frequent penetration testing can quickly uncover and strengthen weak passwords.
In hacker circles, where I’m better known by my online name, evil mog, I’m a member of Team Hashcat, the password cracking team with over a decade of winning password cracking competitions. I’m also the Chief Architect of X-Force Red, an elite IBM security team that can be hired to “break into” organizations and uncover risky vulnerabilities.
The truth is, people continue to forget their passwords, use insecure credentials, and repeat them across accounts. But you don’t have to let poor password hygiene increase your security risk.
A Zero Trust approach, backed by strong password policies, secure password management tools, employee best practice training, and regular penetration testing, can protect your corporate networks from cybercriminals stealing credentials.
Learn more
Read the 2022 Cost of a Data Breach report.