At Ascend, our security engineers have truly seen the good, the bad, and the ugly of cybersecurity. From investigating breaches to setting up first-time security solutions for small businesses, they’ve found that a common vulnerability is something that not many people would suspect… and something for which there is no “silver bullet,” all-in-one solution. The reason is that it relies heavily on users and their commitment to best practices—and users are always the weakest link in security.
What is this elusive security vulnerability?
Passwords may be a key element of security, but that doesn’t mean they’re secure.
It’s easy to associate the concept of passwords with being secure. However, the existence of a password does not automatically guarantee security. The relationship between passwords and cybersecurity is multi-faceted and relies on these key elements:
- Password Strength
- Password Handling & Storage
- Methods of Authentication
- Controlled Access
Any of these elements without the others cannot reach maximum security potential—together, they create layers of protection against unauthorized access.
Password Strength (and the science behind it)
You hear about “strong passwords” all the time, but what does that really mean?
On a basic level, it’s about password length and complexity. You’ve seen requirements when setting up new online accounts, usually along the lines of “Must be at least 8 characters in length and include an uppercase letter, lowercase letter, number, and symbol.”
On one hand, these requirements make it very hard for any “Average Joe” to come along and guess your password based on context clues or personal information they may know about you. Beyond that, password complexity also makes it harder for cyber criminals to crack your password. The bad guys can get access to special hardware (or use botnet computing power) to run brute-force attacks to crack passwords—essentially trying every possible combination of characters until the password is found.
In a mathematical sense, we’re talking about exponential growth and permutations in password combinations. If a password can only be made up of numbers and is 5 characters in length, that’s 10 possibilities for each of the five characters. Notated mathematically as 10^5. This means that there are already 100,000 permutations of your short, numbers-only password. And we’re just getting started—passwords include more than just numbers in most cases and (should be) longer than 5 characters. If you have 95 possible characters to choose from (lower case, upper case, numbers, and special characters) you’re looking at a much larger scale:
- 2 characters: 9,025 possibilities
- 4 characters: 81,450,625 possibilities
- 16 characters: 44,012,666,865,176,569,775,543,212,890,625 possibilities
While password complexity won’t stop an advanced attack or a determined attacker, it will slow them down. Plus, strong passwords will generally deter low-skill hacks or low-stakes attempted break-ins.
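The keyspace figures above come from raising the alphabet size to the password length. The following is an added example, not code from the original article, that reproduces those figures and goes one step further: it infers the alphabet size from which character classes a password actually uses (26 lower, 26 upper, 10 digits, 33 printable symbols, which is where the article’s 95 comes from), reports the equivalent entropy in bits, and estimates how long an exhaustive search would take at an assumed guess rate. The guess rate is a parameter you supply; the 10^10 guesses/second used in the `__main__` block is an illustrative assumption, not a measurement.

```python
import math
import string

# Character classes and their sizes; 26 + 26 + 10 + 33 = 95 printable ASCII characters.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), 33),
}


def alphabet_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every class the password uses."""
    size = 0
    for chars, class_size in CLASSES.values():
        if any(c in chars for c in password):
            size += class_size
    return size


def keyspace(length: int, alphabet: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn from `alphabet` symbols."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Equivalent entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Worst-case time for a brute-force attacker to try every candidate at the given rate."""
    return keyspace(length, alphabet) / guesses_per_second


def describe(password: str, guesses_per_second: float) -> dict:
    """Summarise the search space a brute-force attacker faces for one password."""
    alphabet = alphabet_size(password)
    length = len(password)
    return {
        "length": length,
        "alphabet": alphabet,
        "keyspace": keyspace(length, alphabet),
        "bits": round(entropy_bits(length, alphabet), 1),
        "years_to_exhaust": seconds_to_exhaust(length, alphabet, guesses_per_second) / (365.25 * 86400),
    }


if __name__ == "__main__":
    # Assumed attacker rate for illustration only (hardware-dependent in practice).
    RATE = 1e10
    for pw in ["12345", "Tr0ub4dor&3", "correct horse battery staple!!!!"]:
        print(pw, describe(pw, RATE))
```

The `years_to_exhaust` figure is a worst case: on average an attacker finds a random password after searching half the space, and far sooner if the password appears in a breach wordlist, which is why the article’s advice on reuse matters as much as length.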
Are you storing your passwords in plain text? You shouldn’t be.
This one is a security engineer pet-peeve, and it’s all too common.
Often, small businesses (and the IT service providers who support them) find themselves using password storage techniques that seem like the easiest, most effective ways to manage credentials… but are these methods secure?
The short answer is no. More often than not, the password storage techniques used by organizations are not secure. We’ve seen it all: passwords in Word documents, passwords in spreadsheets, passwords in business management platforms, and the dreaded passwords stored in browsers. Keeping credentials in these locations can essentially defeat the purpose of having passwords on your accounts, if you’re using passwords alone. It only takes one stolen password or one wrong click for a “bad guy” to find the keys to the kingdom—and then they can steal anything, because there’s nothing standing in their way.
The solution? A secure password manager.
Password managers are available at both the consumer level and in professional formats, but there are many free and low-cost options that may be a fit for your organization. A password manager is a piece of secure software that can keep your password “lists” locked in a vault behind a master password or other form of authentication. The user must have valid credentials (and/or access to a secure file location) to be able to view the credential database and retrieve a password from it.
There are many options for password management, so it’s helpful to determine what features are important to your organization when weighing your options. A few key security-related questions to consider are:
- Where is the database stored? (i.e. in the cloud, locally on the user’s device, or another location)
- How are passwords unlocked / accessed?
- How is the database protected? (i.e. is it encrypted? How is access authenticated?)
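To make the “how is the database protected / how is access authenticated” questions concrete, here is an added example (not code from the article or from any of the products named below) of the unlocking step that a vault-style password manager performs. It derives the vault key from the master password and a random salt with PBKDF2-HMAC-SHA256 from the Python standard library, stores only the salt, iteration count and an HMAC verifier in the vault header (never the key or the master password), and rejects a wrong master password before any decryption is attempted. The 600,000-iteration default is an assumption taken from current OWASP guidance for PBKDF2-HMAC-SHA256; the header field names are illustrative. Encrypting the entry list itself with the derived key (AES-256, as mentioned below) needs a library outside the standard library and is not shown.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: iteration count follows OWASP's recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
KEY_LEN = 32  # 256-bit key, suitable as an AES-256 key for the entry list
VERIFIER_LABEL = b"vault-key-verifier"  # constructed domain-separation label


def derive_vault_key(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into a fixed-length key; slow by design to blunt guessing."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def make_verifier(key: bytes) -> bytes:
    """A tag that proves the key is right without revealing it (the key never leaves memory)."""
    return hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()


def create_vault_header(master_password: str, iterations: int = PBKDF2_ITERATIONS) -> tuple[dict, bytes]:
    """Build the on-disk header for a new vault and return it with the derived key."""
    salt = os.urandom(16)  # fresh random salt per vault so identical master passwords differ
    key = derive_vault_key(master_password, salt, iterations)
    header = {"kdf": "pbkdf2-sha256", "salt": salt, "iterations": iterations, "verifier": make_verifier(key)}
    return header, key


def unlock_vault(header: dict, master_password: str) -> Optional[bytes]:
    """Re-derive the key from the stored parameters; return it only if the verifier matches."""
    key = derive_vault_key(master_password, header["salt"], header["iterations"])
    if not hmac.compare_digest(make_verifier(key), header["verifier"]):  # constant-time comparison
        return None
    return key


if __name__ == "__main__":
    header, key = create_vault_header("correct horse battery staple")
    print("header stores no secret:", {k: (v.hex() if isinstance(v, bytes) else v) for k, v in header.items()})
    print("right password unlocks:", unlock_vault(header, "correct horse battery staple") == key)
    print("wrong password unlocks:", unlock_vault(header, "Password1") is not None)
```

A stolen vault file therefore gives an attacker only the salt and a verifier; each master-password guess costs a full PBKDF2 run, which is the property the article’s “is it encrypted? How is access authenticated?” questions are really asking about.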
A few of the top password managers* on the market today include:
This password manager encrypts password databases with 256-bit AES encryption and also offers multi-factor authentication (MFA) as a login option to access the database. LastPass offers a mobile app in addition to the desktop password manager, so passwords can be accessed on the go.
This is a non-commercial password manager that offers robust security, multiple user support, and secure password generation for users free of cost. While it doesn’t offer native device syncing as a feature, it’s possible to store the database file in a shared location or on a removable storage device for access across multiple devices.
This is a modern password manager that offers syncing between devices, autofill passwords, and even customized data breach alerts. The password database is stored in Dashlane’s cloud storage. Basic password management is free for single users, but the premium subscription runs a few dollars per month.
*This list is intended to provide examples of top 2020 password management solutions and is not a direct recommendation or endorsement. Please research your options to determine the best solution for your organization, or work with your MSP or MSSP to discuss your security options.
You should not only be using a password manager at home for your personal accounts, but every employee in your organization needs to be using an organization-approved password management solution to store their business credentials. Plain text credential storage solutions are NOT beneficial to your security.
What happens if someone figures out your password?
Well, in a case where you have multi-factor authentication (MFA) enabled, it’s not quite game over yet.
MFA, sometimes referred to as two-factor authentication or 2FA, is an option that requires you to present two pieces of evidence – or credentials – when logging in to an account to prove that you are the account owner. Many websites now offer this option in the format of a 4- or 6-digit code sent to the account owner’s email or mobile number. There are also authenticator apps like Google Authenticator that allow you to scan a QR code when setting up MFA and no longer have to wait to receive a text—the 6-digit codes are all stored in the authenticator app and refresh every minute.
MFA is a great option for added security because it means that if someone knows your password, they still can’t get into the account (as long as they don’t also have access to your phone or your email).
While MFA can sometimes seem like a tedious extra step, you should consider enabling it on all business accounts that you can. Remember, what’s easier for you is also easier for the bad guys.
Controlling Access: Principle of Least Privilege
The principle of least privilege is a security concept based on the idea that access rights for users should be limited to the bare minimum permissions they need to perform their work.
While more restriction never sounds like fun, it’s the right thing to do when securing your data and protecting your organization. Tiers of access must be established—not every user should be an admin on their own device, let alone in your network.
The reason for this is simple:
In a cyberattack, the “bad guy” is trying to compromise user accounts and gain access to sensitive data. In a highly-secured network environment, that means having to move laterally, compromising multiple tiers of accounts until they are finally able to access administrative-level privileges. If too many users in your organization have full access and admin privileges, you’ve eliminated multiple steps in the attack process where the adversary could be caught and removed, and instead given them direct access to their end goal.
Don’t “pwn” yourself—use account privileges wisely.
Logging in from Home: Why Credential Security Matters
With the recent influx of remote workers, organizations’ security postures are being exposed—in many cases for the worse. Whether it’s a lack of resources that leads to employees working from their personal devices, or insufficient security training and protocols that lead to remote employees ignoring security best practices, the outcome is that our current digital landscape is a hacker’s heyday.
No matter how your organization is having to cope, ensuring credential security best practices are followed is an easy way to improve your security without needing to purchase new technology or deploy complicated hardware. To make your efforts count, be sure that:
- Passwords are enabled on all accounts possible for all employees
- Multi-factor authentication is enabled on all accounts possible
- Employees are encouraged to create strong passwords and not reuse “easy” passwords across multiple accounts
- Employees understand the danger of storing passwords in plain text & have an organization-approved alternative for password storage, like a business password manager
- Access to admin-level privileges and/or important data is controlled, reserved only for those who need it
In the end, none of these tips or solutions are 100% hack-proof on their own—that’s why it’s important to utilize them together for layers of security and maximum protection. Don’t let a single password be a one-way ticket to getting hacked.