We all have the same problem, and that is passwords and their security. We have to remember so many passwords for so many applications that
it becomes impossible to keep track of them without using ones that are easy to remember or ones that we already use elsewhere. We've
all used our pet's name or our partner's name with a number on the end, and when we are forced to change it, we increase the number by one.
The obvious risk is that if someone harvests your password, or if your password is easy to guess, then attackers have access to your
applications, including business applications, and that leads to a whole load of trouble. Because people reuse passwords, a single password
leaked from one site is routinely tried against every other site the victim uses.
Credential harvesting is at the top of the list of recent scams and can lead to businesses losing tens of thousands of dollars,
particularly through fake invoices. There have been very public instances where attackers gained access to a business's email and were
able to create false invoices, and the businesses paid them because they believed they were legitimate (reference: https://www.smartcompany.com.au/technology/brisbane-retailers-warns-businesses-vigilant-cyber-crime/).
We can try making passwords more complex: forcing people to include #@$%&*, requiring at least 8 characters, making them change their
password every 30 days, not allowing them to reuse the last 24 passwords, and so on.
What this often does, though, is push people into setting all of their passwords to the same one, or writing it down and
sticking it to their monitor on the infamous yellow sticky note, defeating the intended security policy. Current guidance (NIST SP 800-63B)
reflects this experience: it recommends against forced periodic changes and composition rules, and instead favours long passwords that are
screened against lists of known-breached passwords.
So, what can be done? Well, there are some solutions which can help –
1. Password Managers
This solution allows you to save your web/cloud-based credentials inside the password manager and let the password manager generate a
long, random, unique password for each application. The password manager itself is unlocked by a single 'master' password. Examples are Dashlane and LastPass. Some
pros and cons include –

| Pros | Cons |
|---|---|
| Can be used personally or in business (personal use is usually free) | If you forget the master password, you lose access to all of your other passwords |
| Easy to set up a complex, unique password for every site | Controls are limited |
| Accessible on multiple devices | If someone obtains your master password, they have access to all of your accounts, so the vault itself should be protected with MFA |
| They can protect more than passwords | |
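The point of letting the password manager choose the password is that it can draw uniformly from a large alphabet with a cryptographically secure random source, which a human never does. The following Python is an added example written for this page (not code from the article or from any password manager) that generates such a password and compares its guessing entropy with the "pet's name plus a number" habit described above. The dictionary size of 10,000 pet names and the 20-character length are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Letters, digits and the symbol set the article's complexity policy insists on.
SYMBOLS = "#@$%&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random password drawn with a CSPRNG.

    `secrets` is used rather than `random`: `random` is a Mersenne Twister whose
    future output can be reconstructed from enough observed output, so nothing it
    produces is secret. Candidates lacking an upper, lower, digit or symbol are
    rejected so the result also passes a composition policy like the one above.
    """
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isupper() for c in candidate)
                and any(c.islower() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in SYMBOLS for c in candidate)):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(dictionary_size: int, suffix_digits: int) -> float:
    """Entropy of 'word from a known list + N-digit number', the pet-name habit.

    An attacker who knows the pattern only has to try dictionary_size * 10**N
    candidates, regardless of how long the resulting string looks.
    """
    return math.log2(dictionary_size * 10 ** suffix_digits)


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw)
    print(f"random 20-char password: {entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    # Assumption for illustration: 10,000 common pet names followed by two digits.
    print(f"pet name + 2 digits:     {pattern_entropy_bits(10_000, 2):.1f} bits")
```

The generated password is around 120 bits, whereas "Fluffy07" is under 20 bits no matter how many symbols a policy forces into it; that gap, not the symbol requirement, is what a password manager buys you.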
2. Single Sign-on (SSO)
More of a corporate solution: applications are registered with the SSO service, and users sign in once with a single set of credentials to
reach all of them. Policies can be set up centrally by an administrator to control which applications users can access and how passwords are
configured. Examples include OneLogin.
In our personal lives we are already using SSO, for example 'Log in with Facebook' on other websites. Some pros and cons include –

| Pros | Cons |
|---|---|
| Centralised control | If the SSO solution goes down, users lose access to all connected sites |
| Easy access to applications | May not cover all systems in use |
| Easy to control | If someone obtains your SSO password, they have access to all of your accounts, so the SSO account must itself be protected with MFA |
3. Multi-factor Authentication (MFA)
This provides a second layer of credentials, of a different kind from the password, that must be presented in order to access the application.
We have probably all been using MFA without realising it when we make bank payments and have to enter the SMS code we received.
There are various methods of MFA. The most common ones are –
Possession factors: something the user physically has, such as a key card or a smartphone, which can prove its presence in several
ways. Common smartphone MFA methods are SMS codes, Google Authenticator and Microsoft
Biometric scanning: facial-recognition software, finger or thumb prints, voice recognition software, hand shape, and other
Location factors: the device's location, for example from GPS on a smartphone, can be used as an additional signal that a login is
coming from where the user is expected to be rather than from somewhere unexpected. It does not by itself prove which device is logging in.
Some pros and cons include –
| Pros | Cons |
|---|---|
| Much more secure than having a single password as the only protection | Device-based MFA: if your device runs out of battery or is lost, you cannot log in without a recovery method |
| SMS codes are extremely convenient | SMS is the weakest option: codes can be intercepted or redirected by SIM swapping, and some disreputable services may use your number for advertising |
| Biometrics cannot be guessed or phished the way a password can | A compromised biometric is compromised for life, since it cannot be changed |
Most cloud-based/web-based applications now offer multi-factor authentication for free. These include Office 365,
Xero, Zoho, G Suite, Salesforce and a host of others.
I use a combination of password managers, single sign-on and multi-factor authentication in my business and personal life.
If you haven't started looking at any of these, you should at least look at MFA to improve your application security quickly and easily, and
then put a strategy in place to replace or strengthen your password security.