Teaching about password security in the early 2000s would usually start with a question to the audience: how many of you have up to 10 passwords to remember? How about 25? Anyone with more than 50? Nowadays I usually start with: “How many credentials do you believe you still have active? Fewer than a hundred?”
It’s interesting how it builds up. Many people won’t even realize, when asked, how many credentials they chose to store in their browser. It could be a credential used many times a month, or the one you had to create in a store you bought from only once but needed to track your order. The fact is that it’s almost impossible to know. However, you can find out, if you usually save your credentials in the browser. And if you’re infected by malware that can steal your browser credentials, like the recent BlackGuard malware, or someone gets access to your email (the most-used system to reset passwords), your digital life is done!
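A practical way to get that number, and to see which of those saved credentials would be exposed together, is to audit the browser's own password export. The script below is an added example, not code from the original post; it assumes a CSV in the layout Chrome's export uses (header name,url,username,password) and runs on a constructed sample. It counts stored credentials, finds passwords reused verbatim across sites, and also groups "small variations" of one base word, which an exact comparison would miss.

```python
import csv
import io
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the shape of a browser password export
# (header name,url,username,password, as Chrome's CSV export uses).
# Every entry here is made up for the example.
SAMPLE_EXPORT = """name,url,username,password
Corporate mail,https://mail.example-corp.com/login,alice,Football@123
Streaming,https://www.tv.example-stream.com/,alice@example.com,Football@123
Shop,https://shop.example.net/account,alice@example.com,football123
Forum,https://forum.example.org/,alice77,tNNiM$E*@Ep7LD&
Bank,https://bank.example.com/,alice,Football@124
"""

def site_of(url):
    """Hostname with a leading 'www.' dropped, so one site counts once."""
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def base_form(password):
    """Strip case, digits and symbols: 'Football@123' and 'football123' both
    become 'football', which catches the 'small variation' habit."""
    return re.sub(r"[^a-z]", "", password.lower())

def mask(password):
    """Show only the first two characters when reporting."""
    return password[:2] + "*" * max(len(password) - 2, 0)

def audit(export_text):
    """Count stored credentials and find passwords reused across sites,
    either verbatim or as variations of one base word."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    exact = defaultdict(set)    # password -> sites using it verbatim
    family = defaultdict(set)   # base form -> sites using a variation of it
    for row in rows:
        site = site_of(row["url"])
        exact[row["password"]].add(site)
        family[base_form(row["password"])].add(site)
    return {
        "stored": len(rows),
        "sites": len({site_of(r["url"]) for r in rows}),
        "reused": {p: sorted(s) for p, s in exact.items() if len(s) > 1},
        "variants": {b: sorted(s) for b, s in family.items() if len(s) > 1},
    }

def report(export_text):
    """Human-readable summary; passwords are masked, never printed in full."""
    result = audit(export_text)
    lines = [f"{result['stored']} credentials stored for {result['sites']} sites"]
    for pw, sites in result["reused"].items():
        lines.append(f"reused verbatim ({mask(pw)}): {', '.join(sites)}")
    for base, sites in result["variants"].items():
        lines.append(f"variations of one word ({mask(base)}): {', '.join(sites)}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(SAMPLE_EXPORT))
```

On the sample, the corporate password shows up verbatim on the streaming site and, as a variation, on the shop and the bank as well; only the generated password stands alone. Run it against a real export and delete the file afterwards, since the export itself is exactly the plaintext list a stealer is after.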
Password managers can help you better control your credentials, especially if you think in terms of corporate use. Not convinced? Let’s look at some areas where they can help with password-related issues:
- Password sharing: You can easily share a password such as “football123” over the phone. Now try to share “tNNiM$E*@Ep7LD&”. Not that easy, right? This helps against both intentional sharing and sharing through social engineering.
- Reuse of corporate password for personal applications: The company made me create a new password with caps, letters, numbers, and special chars. I use my creativity and come up with “Football@123”. But since I have this nice, secure password, why not use it in other places? Perhaps my TV streaming service, which I share with my son, who shares it with his boyfriend… Remember, you don’t have control over passwords outside the company. In this example, your son’s boyfriend has your company credentials. A complex password is nice, but try entering “tNNiM$E*@Ep7LD&” on your smart TV.
- Same password for everything: Users can memorize only a few passwords, perhaps 3 or 4. The rest are just variations. I’m no different. Users will try to use the same password everywhere, maybe with some small variations, so a corporate password might be floating around in dozens of uncontrolled accounts. Password managers train the user to create a different password everywhere. After all, the manager creates it for you and fills it in during authentication.
- Credential leak on the dark web: I’ve been a LinkedIn user for quite a long time, and they have had leaks at least a couple of times, so my credentials ended up on the dark web. If this happens to you, there’s nothing you can do about it except reset your password. The problem is that it can take time for you to realize it happened. It’s not your fault; the company you have an account with was unfortunately attacked. Your password, which you probably use for dozens of other accounts, is now exposed. But wait: most websites won’t store your password in the clear; they store a hash of it. So attackers still need to crack the passwords. If you have an easy one, even a combination of words, there’s a high chance it’ll be cracked. A long and complex password cannot be cracked with current computing power. So even if a leak happens, a password generated by a password manager will most likely remain protected.
- Easy-to-crack passwords: There are attacks such as password spraying that try simple passwords. Other attacks, using dictionaries for longer passwords, can be quite effective at cracking easy passwords. Passwords hashed with a salt (an additional variable) can be cracked by trying all letter/number combinations up to 8 characters only. Passwords of up to 12 characters with a regular hash can usually be cracked without problems. Passwords of 16 characters, like the ones generated by a password manager, can’t be cracked by trying all combinations.
- Shared admin passwords: Companies sometimes have shared credentials, like an administrator password that’s shared among all the IT admin staff. Even when complex passwords are used, how do you make sure they aren’t exposed? In a recent attack, hackers found a company spreadsheet containing multiple admin credentials. Jackpot! Corporate password managers will most likely have the ability to securely share passwords between individuals, and always store them in a vault.
- Password exposure for MSP-managed accounts: MSPs will always have admin credentials used to access their managed accounts, one or more per account, shared between groups of MSP technicians. A leak of those credentials could be a disaster for an MSP, exposing their managed accounts to the risk of remote connections and the spread of ransomware. Password vaults can be very effective in those situations.
- Corporate applications with no MFA support: Most serious business applications will support MFA, usually through the SAML protocol, which creates a trust relationship with an identity provider. Some might have their own MFA solution. But there are still a huge number of applications that don’t understand much about the need for MFA. Companies like Salesforce not only support MFA but have been enforcing it since February 2022. But for applications that don’t support it, the least you need to do is make sure the credentials are unique and not reused. Password managers won’t help in every situation, such as a phishing website. But they can drastically reduce the exposure.
- Password carelessness by users: User training is always important, to protect against phishing attacks or even against reading a password over the phone because the person on the other end of the line said they’re from your bank and need to unlock your credit card. Password managers can be really effective in helping train users, making them understand the importance of keeping a password safe and reducing the chance of using it in dangerous situations.
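To put numbers behind the “leak” and “easy-to-crack” points above, the following added example (not code from the original post) does three things a defender can reason about: it generates a password the way a manager does (uniform draws from a 94-symbol alphabet, which is an assumption of the example), it computes how many candidates an exhaustive search must try for 8, 12 and 16 characters at an assumed guess rate, and it stores a password as a salted PBKDF2 hash the way a website should, so you can see why the salt alone does not make a weak password safe. The figures are for exhaustive search of a uniformly random password; a human-chosen password like “Football@123” falls to a dictionary long before that, which is exactly why the list favours generated ones.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Alphabet assumed for a generated password: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
ITERATIONS = 200_000  # PBKDF2 work factor; a constructed choice for the example

def generate_password(length=16, alphabet=ALPHABET):
    """Draw each character uniformly with a CSPRNG, as a password manager does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of candidates an attacker must try to exhaust every combination."""
    return alphabet_size ** length

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(length, guesses_per_second, alphabet_size=len(ALPHABET)):
    """Worst-case time to try every combination at a given guess rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / (365 * 24 * 3600)

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. The salt is stored next to the digest, so it hides
    nothing by itself; it only stops one cracking run from covering every user at once."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second for the illustration
    for n in (8, 12, 16):
        print(f"{n} chars: {entropy_bits(n):5.1f} bits, "
              f"{years_to_exhaust(n, rate):.3g} years to exhaust")
    pw = generate_password()
    salt, digest = hash_password(pw)
    print(verify_password(pw, salt, digest), verify_password("Football@123", salt, digest))
```

The 8-character case is exhausted in days at the assumed rate, while 16 characters is out of reach by many orders of magnitude; the salted-hash round trip shows that the server never needs the plaintext again, only the ability to recompute the same digest.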
You might ask now: what about passwordless authentication? It is a growing trend, but there are still very few situations where you can use it. Logging in to your computer with your face most likely won’t help you log in to other websites. Changing your mobile app login to your fingerprint creates a great user experience but can’t be used if you need to log in through your computer.
The fact is, passwords aren’t going away, and until there’s a solution that covers all the cases in the company, password managers can be effective in mitigating those risks. Think seriously about using one. We’re thinking about it, and we will have some news to announce on this matter soon!