The revelations following the LastPass ‘security incident’ may seem old news by now but will certainly not be quickly forgotten. In December last year, the freemium-subscription password manager claimed that hackers had stolen both encrypted and unencrypted customer data, including encrypted password vaults. While LastPass was adamant that the data was of little use to anybody without access to futuristic computing power and loads of time, the fiasco certainly provided us with plenty of food for thought. If bad actors were able to penetrate seemingly impenetrable LastPass with its military-grade encryption, two-factor authentication (2FA), mobile biometric login, and regular third-party audits, then what hope remains for secure password management? Are we destined to revert to Post-it notes stuck under our keyboards? Will we need to change the way we do passwords? Let’s find out…
TEST YOUR HACKABILITY
The media, especially the tabloids, love to frighten us with terrifying tales about what happens to people or companies that use weak or predictable passwords. Playful scare-tactics these stories may be but many a true word is said in jest. Verizon Data Breach Investigations reported that 81% of all data breaches are caused by the compromise of weak passwords. The situation is exacerbated when the same password is used across multiple sites or accounts. So how can we determine if a password is weak or strong? A simple solution is to use an online password strength checker like How Secure Is My Password. Imagine your password was mydog123. That would take a hacker one minute to crack. Adding a ‘4’ means that mydog1234 would take the average cybercrook 42 minutes. But you can make things much harder by using an uppercase letter and a special character. It would take a malicious actor five years to figure out Mydog1234! Have a go yourself and see how strong – or weak – your passwords are.
THIS IS WHAT HAPPENS
Google something like ‘hacking statistics’ or ‘risk of using weak passwords’ and you’ll get page after page listing unverified facts designed to give you nightmares. However, nobody will deny that weak and insecure passwords open the door to your computer. Hackers use brute force attacks that enlist software tools to guess your passwords. Once in, bad actors can easily access your bank and social media accounts, steal your identity and take your hard-earned money. For businesses, the situation is even worse. IT Governance confirms that stolen passwords are one of the simplest and most common causes of data breaches in the corporate world. Others include application vulnerabilities, malware, malicious insiders and employee error. According to IBM, these are just a few of the costs incurred if your network is breached due to weak passwords:
- the average cost of a data breach is $4.2 million
- lost opportunities average out at $1.6 million
- 39 % of costs are incurred more than a year after a data breach
- it takes about 280 days to identify a data breach
- containing a data breach takes about 80 days
If those numbers aren’t bad enough, your business will also suffer irreparable reputational damage, high employee turnover and increased cyber insurance premiums. And here’s some food for thought from cybersecurity expert Ted Schlein:
“There are only two different types of companies in the world: those that have been breached and know it and those that have been breached and don’t know it.”
THIS IS HOW TO DO IT
Passwords aren’t going to die anytime soon and we surely can’t backtrack to the days of Post-it notes. Replacing passwords with biometric data, such as fingerprints and face-scanning technology, is still a work in progress. In the meantime, we are stuck with the trusty and frustrating password. We’ve all heard supposed ‘good’ password policy advice ad nauseum. These words of wisdom include creating complex passwords with a minimum length of 8 to 12 characters long and that contain at least three different character sets. According to Derek A. Smith, the Founder of the National Cybersecurity Education Centre in the United States, this advice is outdated, incomplete and in some instances wrong. To get your password management up to scratch, Smith recommends:
- create long and strong passphrases of up to 64 characters
- apply non-reversible end-to-end encryption to passwords which will protect them in transit over a network
- test your password using online tools
- avoid dictionary words which can be hacked by dictionary attack software
- use different passwords for different accounts
- avoid changing your passwords every 90 days as you’ll probably end up using a similar password
- only change passwords in case of a perceived threat or an actual data breach
- change passwords when staff leave so that disgruntled employees can’t meddle in your business – or destroy it
- remove permissions of applications when you don’t need them anymore
- use up-to-date anti-malware and vulnerability management solutions
A PLACE FOR PASSWORD MANAGERS?
Funnily enough, Smith does not hold any grudges against LastPass. He still believes that password managers offer superlative security when it comes to protecting your logins. Password managers are convenient since you only need to remember your master password – they store the rest for you. They also generate and save strong, unique passwords when you sign up to new websites. Despite the LastPass debacle, Smith thinks that password managers are designed to provide you with access to all your passwords in an encrypted format that is not accessible to hackers or malicious software, thereby ensuring that your data is always private. And LastPass doesn’t have a monopoly on password management. You can also choose from RoboForm, NordPass, 1Password, Keeper, Passportal and many others.
UNDER LOCK AND KEY
Perfecting your password practice shouldn’t end with passphrases, end-to-end encryption and password managers. Multi-factor authentication (MFA) aka two-factor authentication provides an additional layer of security so that cracking a password is simply not enough for a hacker to gain access to an account or network. Mary E. Shacklett, a respected cybersecurity commentator, says MFA technology
“…requires multiple methods of authentication from independent categories of credentials to verify a user’s identity for a login or other transaction.”
In addition to traditional credentials, such as your username and password, MFA mandates users to confirm their identity with a one-time password (OTP) or code sent to a mobile device or using a personalized security token like a USB or a smart card. You can even take MFA one step further by adding advanced authentication methods and leverage biometric verifications. For example, Windows Hello on Windows 11 means that employees can be identified by recognizing their faces, fingerprints, voices, irises, or even heartbeats.
YOUR PASSWORDS PERFECTED
The secret to perfect password management, securing your data and keeping it out of harm’s way is to be well-informed, up-to-date and vigilant. And this is where I can help you. I have over 20 years of experience in professional business IT support, specializing in cybersecurity and risk mitigation. I know the pain that people feel when their passwords have been compromised and their systems breached. I don’t want that to happen to you. Let’s get together and chat about how you can get your password practices from the place they’re at to where they should be.