Passwords are broken, but we’re stuck with them for now. We have too many, every one seems to have a different set of arbitrary requirements, we’re supposed to change them all the time, and no one can possibly remember them all.
But don’t worry. There are growing alternatives such as biometrics (fingerprints, iris recognition), certificates and one-time passwords. On top of this, there is also two-factor authentication using physical fobs or smart cards, text messages to your phone, PINs, or apps such as Authy or Google Authenticator as an addition to a single password.
A report by Thycotic and Cyber Security Ventures in 2017 suggested that by 2020 there will be 300 billion passwords being used and every employee in a Fortune 500 company will have an average of 90 personal and business passwords to deal with. I wish I only had 90. Currently in my password manager I have 252 passwords, of which 51 are personal.
So here are the issues I see:
We are not going to carry 90 smart cards or fobs
We are not going to remember 90 complex, unique passwords
Not all our devices will support biometrics. Phones yes, but laptops, PCs and tablets do not always support this
Not all our services will support 2FA (two-factor authentication)
So how do we deal with all these passwords in a simple secure fashion? Is it even possible?
I know this goes over old ground, but that doesn’t make it any less valid. I regularly see poor, insecure password behaviour, and it leads to businesses being compromised.
Here are 9 steps which can help you be more secure.
1. Use a password manager.
There are many password managers available. Make sure you know where your data is stored: some are cloud based, some are not.
2. Don’t come up with your own passwords.
Get complex, unique passwords generated for you by the password manager. If you can think of a password based on family, pets, addresses, children or a date of birth, so can the bad guys.
3. Never ever use the same password for two different services.
If one service has a data leak, every other service where you used that password is compromised.
4. Never ever think of a ‘password format’ and use it across different services.
C0mplexP4ssWeb, C0mplexP4ssLaptop, C0mplexP4ssEmail. If one gets hacked, the pattern is obvious and all the other services are vulnerable.
5. Don’t substitute numbers for letters in words.
If you think a 4 can replace an A, or a 0 can replace an O, the bad guys can think of this too.
6. Where 2FA is possible, use it, always.
The extra factor means you are less likely to be hacked.
7. Change passwords reasonably frequently.
Complex, unique passwords are difficult to hack (but not impossible), but they can be stolen and used just as easily as a simple password. Good password managers can highlight the age of passwords and prompt you to change them.
8. Make sure you take frequent backups of your password manager database.
Keep these backups somewhere secure.
9. If you work in a team and share passwords, use a password manager that allows groups to share securely.
This gives a single source of truth for the passwords to the services and devices your teams access.
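As an added illustration of steps 2, 4 and 5 (example code written for this page, not part of the original post or of any Exmos product): the three “format” passwords from step 4 collapse to one shared stem once the digit-for-letter substitutions from step 5 are undone, and a CSPRNG-based generator shows the kind of password creation step 2 asks you to delegate to a manager. The substitution table is an assumption made for the example.

```python
import math
import secrets
import string

# The three "format" passwords quoted in step 4 (taken from the post, used
# here as the sample input).
FORMAT_PASSWORDS = ["C0mplexP4ssWeb", "C0mplexP4ssLaptop", "C0mplexP4ssEmail"]

# Digit/symbol-for-letter substitutions from step 5. This table is an
# assumption made for the example; real cracking rule sets are far larger.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def normalise(password: str) -> str:
    """Undo the substitutions and lowercase, as a wordlist rule would before
    comparing a leaked password against dictionary words."""
    return password.translate(LEET_MAP).lower()


def common_stem(passwords) -> str:
    """Longest common prefix of the normalised passwords: the reusable part
    that one breached service reveals about all the others."""
    if not passwords:
        return ""
    stem = normalise(passwords[0])
    for pw in passwords[1:]:
        norm = normalise(pw)
        while not norm.startswith(stem):
            stem = stem[:-1]
    return stem


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Random password from the OS CSPRNG, the kind of generation step 2 asks
    you to delegate to a manager. random.choice() is not suitable here."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    A 20-char password over the 94 printable ASCII chars is about 131 bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("shared stem after undoing substitutions:", common_stem(FORMAT_PASSWORDS))
    for _ in range(3):
        print("generated:", generate_password())
    print(f"entropy of a 20-char password: {entropy_bits(20, len(DEFAULT_ALPHABET)):.0f} bits")
```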
Credential thefts are never far from the news these days. Don't let a third party’s data breach be used to attack your organisation because of your staff’s poor password security.
If you follow these 9 suggestions, you will be much more secure and much less vulnerable.
Exmos has a solution for businesses that includes all the above features and works directly from your mobile phone.
Simple, cost-effective and secure.
If you are interested in learning more about how Exmos can help you manage your passwords, please get in contact; we would love to discuss in more detail how important password management is in 2019.