Everyone hates passwords.
Users hate changing and remembering them. Administrators hate hounding people to update their passwords to something secure. Nobody likes getting locked out of their account, and no one enjoys going through the “forgot my password” process. Even though they can feel like a general hassle, passwords are extremely important and aren’t going anywhere anytime soon.
Every organization relies on passwords to keep its data secure. In some instances, the entire business’s survival may hang on a single user’s password. Last year, SolarWinds, a large network monitoring software developer serving America’s Fortune 500 companies, was compromised by a single weak Office 365 password.
The attacker gained access to an Office 365 account and used it to leapfrog into other accounts until enough information was gathered to access SolarWinds’ internal systems. Over time, the attacker injected software into their products to create what’s called a “supply chain” attack aimed at SolarWinds customers. Over 18,000 businesses and institutions installed the compromised SolarWinds software, including the Pentagon, the Department of Homeland Security, Microsoft, Intel, hospitals, universities, and private businesses. Tech companies all over the world scrambled to scrub the infected software from their networks and contain the breach. An untold amount of damage was done, and the ramifications of the data loss are still unknown.
Information is still being released, but the imagery is powerful. A single weak password led to the infiltration of tens of thousands of networks. Passwords and password management are incredibly important and will only become more crucial over time.
Now consider this:
- In a 2020 survey, 86% of people were using passwords that had already been leaked in previous data breaches
- Only 20% of people use a different password for every online account
- 45% of people use the same password for some accounts
- 47% of people use passwords that are over 5 years old
Those are scary metrics. Now take a look at 2020’s most commonly used passwords:
Would you want your employees securing your company’s data with any of these passwords? It’s doubtful, and we have skin in the game too, so we don’t want that either.
So what can we do about it?
Simple. Use a password manager.
While it’s not a silver bullet – nothing about information security is or ever will be – it’s a simple, easy, cheap, and impactful way to improve your overall security posture.
Here at Hermetic we love applications like 1Password. We encourage all our clients to employ a solution that meets their business needs, and we provide licensing in all of our offerings. There are tons of options on the market that can help manage your passwords and keep you safe. A good solution will provide a large set of features, like:
- All the organization’s passwords in one place, with only one password to remember
- Generating strong, random passwords with customizable settings for complexity
- Identifying when passwords have appeared in a breach
- Alerts when the same password is used for more than one account
- Two-factor authentication, including FaceID and fingerprints
- Autofill for popular sites and copy/paste for others
- Quick, easy, and painless password updates
- Secure password sharing with teams
- Access across multiple devices
- Integration with Azure AD for mass adoption
- Personal vaults for all users, separate from corporate vaults
- Very inexpensive
- No more insecure “Passwords.xls” files on your computer or network shares
What Exactly Is a Password Manager?
A password manager is an application that stores your passwords in an encrypted database that only you, or your authorized team members, can decrypt and access. Basically, it acts as a digital safe for all your logins, passwords, notes, keys, or any other important bits of data. It helps create randomly generated and complex passwords so you can be sure they are strong and secure without having to worry about remembering them or writing them down. It allows you to auto-fill passwords into websites you commonly visit, or copy and paste directly into applications.
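To make the “digital safe” concrete, here is a small, self-contained vault added for this post (it is not 1Password’s or any vendor’s code): it stretches the master password with scrypt, encrypts the entries with an HMAC-SHA256 keystream and authenticates them with a second HMAC (encrypt-then-MAC, so tampering or a wrong master password is detected before anything is decrypted), and generates random passwords from the OS CSPRNG. The HMAC-counter cipher is a stdlib-only stand-in chosen here for portability; a shipping product would use a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, json, os, secrets, string

# Constructed demonstration vault, standard library only. Layout of the blob:
# salt(16) | nonce(16) | ciphertext | tag(32)

def derive_keys(master: str, salt: bytes):
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key."""
    km = hashlib.scrypt(master.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (demo stand-in for a real cipher)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal_vault(master: str, entries: dict) -> bytes:
    """Encrypt and authenticate a dict of {site: password}; returns the on-disk blob."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt)
    plain = json.dumps(entries).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, salt + nonce + cipher, hashlib.sha256).digest()
    return salt + nonce + cipher + tag

def open_vault(master: str, blob: bytes) -> dict:
    """Verify the tag first, then decrypt. Raises ValueError on a wrong password or tampering."""
    salt, nonce, cipher, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or vault has been tampered with")
    plain = bytes(a ^ b for a, b in zip(cipher, keystream(enc_key, nonce, len(cipher))))
    return json.loads(plain)

def generate_password(length: int = 20, symbols: bool = True) -> str:
    """Random password from the OS CSPRNG; every enabled character class is guaranteed to appear."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        classes.append("!@#$%^&*()-_=+")
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw

if __name__ == "__main__":
    blob = seal_vault("correct horse battery staple", {"mail.example.test": generate_password()})
    print(open_vault("correct horse battery staple", blob))
```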
On the network administration side, there are a number of considerations we take into account as well. When discussing business security, it’s important to keep in mind the organization’s access controls, ease of deployment across different types of users, total cost of ownership, and maintaining a centralized experience. We also consider how well the solution works with custom line-of-business applications or single sign-on solutions already in place.
When we get started setting our clients up with a password management solution, we follow a clear process:
- Set clear implementation objectives to understand where this solution fits in the larger security strategy.
- Deploy and turn on policies and security controls that match the objectives.
- Help users get acquainted with the new solutions and provide training for anyone who is unclear.
If your business has a “Passwords.xls” file, anywhere on the network (even in that super secure network share named “Secure”), or is struggling to keep password management under control, give us a call to set up a free consultation.