Your Password Security May Not be as Strong as you Think – Here’s How to Improve it
Weak credentials can provide an easy way in for attackers.
Identifying and closing password weaknesses to keep credentials secure[1] is a significant challenge for At-Bay policyholders.
This is part of a larger industry trend: Verizon’s 2022 Data Breach Investigations Report — a key source of threat data for security practitioners — estimates that stolen credentials play a role in 50% of security incidents. This isn’t surprising as organizations and individuals continue to struggle with securely managing an ever-expanding list of credentials, for multiple websites and tools, in an increasingly digital world.
Helping your employees secure their passwords is a crucial part of maintaining a strong security posture and preventing a breach. Here’s what you need to know:
More Online Services Means More Passwords — and More Risk
In recent years, cloud-based online services have become integral to the function of modern businesses, across nearly every department. However, the increasing use of online services by businesses is exacerbating the issue of credential security.
Because users are required to create a new account and password for every online service that they use, they have to remember (and secure) an ever-increasing volume of credentials. If stolen, these credentials enable direct access to the services and data that they were meant to secure.
Attackers with stolen credentials can connect to cloud resources directly, without the need to bypass any perimeter security that the organization has in place to protect its on-premises infrastructure. It’s like securing your front door and windows but leaving your back door unlocked. It only takes one well-intentioned but negligent employee with ill-protected passwords to undercut a company’s entire security infrastructure, and there have been many recent examples of how this has impacted businesses of every size.
A Credential Manager is not the Complete Answer
To solve credential storage issues amid the increasing adoption of online services, many users have turned to credential manager applications like LastPass, Dashlane, and 1Password.
Predictably, attackers have found these applications to be attractive and, in some cases, soft targets. For example, the popular password manager LastPass has suffered eight publicly disclosed security incidents since its inception.[2] These breaches compromised encrypted copies of some users’ password vaults along with other personal information, and in one case even allowed attackers to access the company’s cloud storage and extract sensitive data.
Unfortunately, all types of credential manager applications are targeted by attackers, and from a risk perspective there are no substantial differences between them when it comes to credential security. Unlocking a vault with a hardware token or a fingerprint rather than a typed master password may be more convenient, but it isn’t necessarily more secure, so it doesn’t by itself solve the credential security problem.
3 Ways to Enhance Your Password Security
Here are some key steps businesses can take to enhance their password security:
1. Consider centralizing online authentication by using an authentication broker like Google or Microsoft where possible
Using a Google account to access non-Google services lets users choose a single, strong password that they’re likely to remember rather than storing many different passwords in a credential manager. That single account then becomes a high-value target, so it must itself be protected with a strong password and MFA.
Additionally, many authentication providers integrate with multi-factor authentication (MFA) mechanisms. Google and Microsoft each offer their own authenticator apps (Google Authenticator and Microsoft Authenticator) that can be easily enabled for their users, and they also allow the use of paid authentication solutions such as Okta and Duo.
2. Activate MFA whenever possible
Deploying MFA can significantly mitigate the risk of stolen credentials, since this can prevent attackers from successfully using a username and password combination when an account is also secured by a second authentication factor.
Even where an online service doesn’t integrate with an authentication solution such as Google Authenticator or Okta, many still offer a second factor via SMS/text message, a mobile app or email. App-based or hardware-token factors are preferable, since SMS and email codes can be intercepted through SIM swapping or a compromised mailbox, but any second factor is better than none.
3. Review the use of any credential manager applications and strengthen configurations where necessary
While single sign-on (i.e., via a Google or Microsoft account) would be the ideal way to reduce the number of passwords in play, it isn’t available everywhere. The need to securely store many sets of credentials therefore makes credential managers necessary for many users.
Consider the following guidelines for credential manager deployment:
Select a credential manager with a strong track record of security. A bank that suffered a robbery every week probably wouldn’t be an attractive place to store one’s cash, nor should a credential manager that fails to secure itself be considered a credible option.
Ensure that the credential manager itself is secured by a strong password and a second authentication factor. The use of a credential manager should be avoided altogether unless MFA is available, because the risk of centralizing credentials without the added protection of MFA is simply too high.
Wrapping a set of passwords in another password (and nothing else) just increases the payoff available to attackers without increasing the effort required for a successful attack. MFA is key to using a credential manager application safely.
Consider where and how the credential manager stores encryption keys. Select a solution where the vendor doesn’t control or even store them, then ensure that the solution is configured to use only local storage of keys.
Under the hood, all credential managers are essentially encrypted databases. When a user enters their master password to unlock their credentials, that password doesn’t decrypt the database directly: it is run through a key derivation function to produce a key that decrypts (unwraps) a separate, randomly generated vault key, and that vault key in turn decrypts the database. The security of these encryption keys is therefore a core issue in determining the security of the overall solution.
Allowing the vendor to store encryption keys for users’ databases creates yet another point of failure, since attackers who steal those keys from the vendor can compromise users while bypassing any strong authentication the user has put in place. Fortunately, there’s no real need for the vendor to hold these keys. They can be derived and used on the user’s own device while the vendor only ever receives encrypted data. Solutions that offer local-only key handling should be favored over solutions that don’t.
Don’t Wait for a Breach to Take Action
Does your business need a credential manager solution? While credential managers alone can’t fully protect you from attacks, there are significant benefits to using one with better security protections in place.
1Password is a credential manager with a positive track record in security. At-Bay policyholders now receive $100 in credit toward a new 1Password Business or 1Password Teams Starter Pack membership.[3]
Want to learn more about improving your credential security? This article explains how to implement a strong password policy to help keep your business secure. At-Bay policyholders can also contact security@at-bay.com with further questions.
Footnotes
1. Note that the term “credential,” as it is commonly used in the security industry and as it is used in this advisory, refers to usernames and passwords.
2. LastPass publicly reported breaches in 2011, 2015, 2016, 2017, 2019, 2020, 2021, and 2022. Sources: ExtremeTech, “LastPass Hacked for the Second Time in 6 Months,” 2022. XDA, “LastPass experiences another breach — what you need to know,” 2022.
3. Offer only valid for new 1Password customers.