October is National Cybersecurity Awareness Month and, over the past few weeks, we’ve written blogs highlighting this year’s themes: Own it. Secure it. Protect it. We wrote about the opportunity and risk of emerging technologies like 5G and IoT and the rise of biometrics as a way to increase account security.
For Protect It we’re diving into the world of password management. Whether it’s for work or personal use, chances are you have a ton of different passwords – and some that may even give you access to sensitive accounts and critical systems.
There’s an even bigger chance that those passwords are relatively simple and easily guessed by an attacker. And you might be using the same password over and over. In that case, if an attacker cracks your password for one system, they can compromise every other system where you use that password.
Or maybe you use multiple, hard-to-guess passwords – but to save time and brainpower you save the credentials in your browser’s built-in password manager. Most popular browsers like Chrome, Safari, Firefox, Internet Explorer and Opera offer built-in password managers that store and auto-fill website passwords when you need them. The simplicity makes this a compelling option. But is it the best way to protect the data you care about most?
Despite the convenience, there is a major downside to saving credentials in a browser. Because so many people use integrated password managers, they are a natural target for credential theft attacks. Cyber attackers count on us choosing convenience over security, and credentials saved in a browser are an easy target. Credential theft attacks can be fully executed from a single user’s workstation by leveraging passwords for social media accounts and other credentials stored on the device.
So, what should you be using to better protect your online passwords and secure your digital life?
Dedicated Password Managers: The Good and the Bad
Dedicated password managers allow you to save, generate and update all of your passwords in one encrypted location protected by a single, strong password or passphrase. These tools are increasingly popular among consumers and enterprises alike, but as with most tools and technologies, they don’t completely eliminate security risks. Here are a few best practices to help you safeguard your dedicated password manager:
- Be on the lookout for phishing attempts. According to the Verizon DBIR 2019, phishing was involved in 32 percent of confirmed breaches as well as 78 percent of cyber-espionage incidents. It’s important to stay vigilant and never click on links or open attachments from people you do not know, or ones that seem out of character.
- Always use multi-factor authentication (MFA). Ensure that multiple types of authentication methods – not just a password – are required to unlock the account. This is important not only for your dedicated password manager, but for other online services like your bank account, email and social media accounts.
- Choose a strong master password. Your master password is the key to unlocking every single online password stored in the repository. The US National Institute of Standards and Technology (NIST) recently updated its recommended standards on password security – hopefully removing some of the headaches for users while working to improve security. Noteworthy elements of the guidelines include recommendations for users to select longer, memorable passphrases without complex construction rules. NIST now recommends password resets only when there is a suspected threat, rather than on a fixed schedule.
- Use different passwords for every online account. Don’t reuse passwords on multiple sites or accounts – even if it’s a strong password. If you do, and one account is hacked, the others can easily be compromised as well. Every time you create a new password for an online service, be sure to make it unique. Password managers can also act as password generators and create a unique password for you.
Dedicated password managers are a viable option for individual users and can help strengthen the security of their machines and digital information. But, when it comes to securing a business – it’s best to look for solutions purpose-built for enterprise requirements.
Password managers only manage the passwords of a single person – which is great when the only one you’re securing is you. But businesses are made up of many people and, often, those people have different needs when it comes to system access. A password manager can’t manage who gets access to what.
However, an enterprise-level solution can ensure that no person has access to more than they need – preventing cyber attackers from using a compromised account to go straight for the most vital information. The extra ingredient that this type of enterprise-level solution provides is privileged access management (PAM) – a cybersecurity strategy for controlling, monitoring, securing and auditing everyone and everything in an IT environment.
Password managers are a big step up from trying to memorize all of your passwords yourself – or letting your browser (or a post-it note) remember them for you. They can save you time, increase your security and free up a lot of mental clutter. But, if you’re trying to handle access on the scale of a business, you need privileged access management.