Today, May 5, is World Password Day. It has been almost 20 years since Intel first launched the initiative in 2013, yet still, most people are using and reusing easy to crack passwords, not protecting them and even sharing. In addition, most of us don’t even realize how many passwords we have.
Teaching password security in the early 2000s would usually start with a question to the audience: how many of you have up to 10 passwords to remember? How about 25? Anyone with more than 50? Today I usually start with, “how many credentials do you believe to have still active? Less than a hundred?"
It’s interesting how it builds up. Many people will not know how many credentials they decided to store in their browser. It could be a credential used many times a month, or maybe that one you had to create in that online store you bought from only once but needed to track your order. The fact is that it is almost impossible to know. If you usually save your credentials within the browser, you might learn about it when you are infected by malware that steals your browser credentials, like the recent BlackGuard. Or when someone gets access to your e-mail – the most used method to reset passwords. At this point, your digital life is done!
Yet, it doesn’t have to be this way. Password managers can help you better control your credentials, especially if you think in terms of corporate use. Let’s look at some areas where it can help mitigate password related issues:
- Password sharing: You may easily share over the phone a password such as “football123.” Now try to share “tNNi^M$E*@Ep7LD&." Not that easy. This could help prevent intentional sharing or through social engineering.
- Reusing corporate passwords for personal applications: The company made me create a new password with caps, letters, numbers and special characters. I use my creativity and use “Football@123.” Yet, since I have this nice, secure password, why not use it in other places? Maybe my TV streaming service, which I share with my daughter, who shares with her boyfriend. Remember, you don’t have control over passwords outside the company. In this example, your daughter’s boyfriend has your company credentials. A complex password is nice, but try entering “tNNi^M$E*@Ep7LD&” in your smart TV.
- Same password for everything: Users can memorize a few passwords, maybe three or four. The rest are just variations. Users will try to use the same password everywhere, maybe with some slight variations. A corporate password might be floating in dozens of uncontrolled accounts. Password managers will train the user to create a different password everywhere. After all, it will create it for you and fill it out during the authentication.
- Credential leak in the dark web: I’ve been a LinkedIn user for quite a long time, and they had leaks at least a couple of times, so my credentials ended up on the dark web. There is nothing you can do about it except reset your password. The problem is that it can take time for you to realize it has happened. It’s not your fault, but the company you have an account in was unfortunately attacked, and your password – which you probably use for dozens of other accounts – is now exposed. Yet, most websites will not store your password completely open; they will use a hash of your password. So, attackers still need to crack the passwords. If you have an easy one, even a combination of words, there is a high chance it will be cracked. A long and complex password cannot be hacked with the current computer power. So even if a leak happens, a password generated by a password manager will most likely be protected.
- Easy to crack passwords: There are attacks such as password spraying that will use simple passwords. Other attacks, using dictionaries for longer passwords, can be quite effective in cracking easy passwords. Passwords hashed, including salt – an additional variable – can be cracked with multiple letters/numbers of combinations up to 8 characters only. Passwords with up to 12 characters and regular hash can usually be cracked with no problems. Passwords with 16 characters, like the ones generated by the password manager, can’t be cracked with multiple combinations.
- Shared admin passwords: Companies sometimes have shared credentials and an administrator password that is shared between all the IT admin staff. Even when complex passwords are used, how do you ensure they are not exposed? In a recent attack, hackers found a spreadsheet containing multiple admin credentials in a company. Jackpot! Corporate password managers will most likely secure share passwords between individuals, where they are always stored in a vault.
- Password exposure for MSP managed accounts: MSPs will always have admin credentials used to access their managed accounts, one or more per account, shared between groups of MSP technicians. The leak of those credentials could be a disaster for an MSP, exposing their managed accounts to the risk of remote connections and spreading ransomware. Password vaults can be very effective in those situations.
- Corporate applications with no MFA support: Most serious business applications will support multi-factor authentication (MFA), usually through the SAML protocol, which creates a trust relationship with an identity provider. Some might have their own MFA solution. However, there are still many applications that don’t understand much about the need for MFA. Companies like Salesforce not only support but have been enforcing them since February 2022. Yet, for applications not supporting MFA, the least you need to do is make sure the credentials are unique and not reused. Password managers won’t help in every situation, such as phishing websites. Nevertheless, it can drastically reduce exposure.
- Password carelessness by users: User training is always important to protect against phishing attacks, or even speaking a password over the phone, because the person on the other side of the line said they are from your bank and need to unlock your credit card. Password managers can be effective in helping train the users, making them understand the importance of keeping a password safe and reducing the chance of using it in dangerous situations.
You might ask, what about passwordless authentication? This is a growing trend, but there are just a very few situations where you can use it. Logging into your computer with your face most likely won’t help you log into other websites. Changing your mobile phone app login to your fingerprint creates a great user experience but can’t be used if you need to log in through your computer.
The fact is, passwords are not going away, and until there is a solution that covers all the cases in the company, password managers can be effective in mitigating those risks. Think seriously about this use.