How many times do we use passwords every day? A great deal, if you count logins for laptops, applications, bank accounts, utility bills, and so on. Worryingly, many individuals continue to use the same password for multiple accounts. When the user ID is an email address, it is all too easy for attackers to buy an email address and password on the dark web and use these to gain access to all accounts using the same email address and password. There are cheap tools available on the dark web to perform an automated search with preset email addresses and passwords, meaning that if an individual has used the same login credentials over and over again, they could be compromised multiple times.
Organizations seek to address this by forcing password changes after a certain time period. But what often happens is that the individual simply updates the number or month in their password. (Anyone using "June2019" or "myusualpassword99" right now?) Again, these tools on the dark web are wise to such password patterns and will adjust compromise attempts accordingly.
To be useful and secure, a good password needs to be a secret that only the user knows. It needs to be hard to guess (i.e., long and complex) but easy to remember. It should also not be written down anywhere or stored electronically in unencrypted form. And to be doubly secure, it should be paired with a second authentication factor, such as a unique physical object or a physical characteristic that only the user has.
Regaining control of user passwords is the first step toward becoming a password-less enterprise. Cybersecurity training and awareness programs are useful, but to keep the organization safe and secure, employees at all levels require tools and applications to help alleviate the burden and risks associated with workplace passwords, credentials, logins, and access codes.
Password management tools have entered the mainstream, with a good selection of products targeting teams, businesses, and enterprises. These tools offer a more secure and convenient way of coping with password overload and the risks associated with weak, stolen, or shared credentials. Using any trusted password manager is almost always better than not using one at all, but costs need to be balanced against risks.
Straight Talk is a weekly briefing from the desk of the Chief Research Officer.