We all face the same challenge when it comes to password security. We have to remember so many passwords for so many applications that it becomes impossible to keep track of them without using ones that are easy to remember or ones that we already use elsewhere. We’ve all used our pet’s name or our partner’s name with a number added, and when we need to change it, we increase the number by one.
The obvious risk is that if someone harvests your password, or if your password is easy to guess, then hackers have access to your applications – including business applications – and that will lead to a whole load of trouble.
Credential harvesting is top of the list when it comes to recent scams and can lead to businesses losing tens of thousands of dollars, particularly through fake invoices. We’ve seen very public instances where hackers have gained malicious access to email and have been able to create false invoices, resulting in businesses paying the invoices because they thought they were legitimate.
We can try making the passwords more complex, forcing people to include #@$%&* with at least 8 characters and making them change the passwords every 30 days, as well as not allowing them to use the last 24 passwords they’ve used, etc.
However, this can result in people using the same password for multiple accounts, or writing it on paper and sticking it to their monitor with the infamous yellow sticky note, defeating the intended security policy.
So, what can be done? Well, there are some solutions:
1. Password Managers
This solution allows you to save your web/cloud-based credentials inside the password manager and lets the password manager set a complex password for each application. Password managers such as Dashlane and LastPass are accessed by a ‘master’ password. The pros and cons include:
| Pros | Cons |
|---|---|
| Can be used personally or in business (personal use is usually free) | If you forget the master password, then you’ll lose access to your other passwords |
| Easy to set up complex passwords | Controls are limited |
| Accessible on multiple devices | If someone obtains your master password, then they have access to all of your accounts |
| They can protect more than passwords | |
2. Single Sign-on (SSO)
Commonly, SSO is a corporate solution that allows applications to be set up inside the SSO platform and accessed with a single password. Policies can be set up centrally by an administrator to control which applications users can access and how passwords are configured. Examples are OneLogin and Okta.
In our personal lives, the SSO we most commonly use is our Facebook credentials to log into other apps. Some pros and cons include:
| Pros | Cons |
|---|---|
| Centralised control | If the SSO solution goes down, users lose access to all sites |
| Easy access to applications | May not cover all systems in use |
| Easy to control | If someone obtains your SSO password, then they have access to all of your accounts |
3. Multi-factor Authentication (MFA)
MFA provides a secondary layer of credentials that need to be provided in order to access the application. We’ve probably all been using MFA without realising it when we make bank payments and need to input the SMS code we’ve received.
There are various methods of MFA. The most common ones are:
Possession factors: something the person physically has, such as a key card or a smartphone, which enables several forms of multi-factor authentication. Common smartphone MFA methods are SMS codes and the Google and Microsoft Authenticator apps.
Biometric scanning: facial-recognition software, finger or thumb prints, voice-recognition software, hand shape, and other physical characteristics.
Location factors: GPS tracking, built into many smartphones, can be used to check that logins come from legitimate devices rather than from malicious ones.
Pros and cons include:
| Pros | Cons |
|---|---|
| Much more secure than having a single password as protection | Device-based MFA: if your device runs out of battery you won’t be able to log in |
| SMS messages are extremely convenient | Some more disreputable services may use your number for advertising |
| Biometrics are extremely difficult to hack | A compromised biometric is compromised for life |
Most cloud-based/web-based applications now come with the ability to use multi-factor authentication for free. These include Office 365, Xero, Zoho, GSuite, Salesforce and a host of others.
I use a combination of password managers, single sign-on and multi-factor authentication in my business and personal life.
If you haven’t started looking at any of these, start with MFA to improve your application security quickly and easily, then put a strategy in place to replace or strengthen your password security.
If you’d like to chat further about how Surety IT can assist with your password challenges please call us on 1300 478 738 or Email Us.