You’re Only As Strong As Your Weakest Password
One of the most common help desk requests we deal with at Higher State is password resets and lockouts. Think about how many websites and apps you log into on a daily basis. And every time you forget a password or get locked out it takes time out of your day. Time to get the password reset, either through an email or phone call. And then, you have to come up with a new password (which is sometimes difficult). And then, you have to remember that new password. All in all, it’s pretty frustrating.
We all know that our passwords should be STRONG ones. No common names or number sequences, and you should throw in some extra numbers or special characters. Sure, there are tips for creating strong, easy-to-remember passwords, but what happens when you also have to change your password on a regular basis? Forced rotation tends to push people toward predictable patterns.
One of my favorites was a co-worker who said she just added another number to the end of her password every time she had to reset it (which was something like every 90 days). So eventually she ended up with something followed by fifteen 9s. I guess that's one way to do it.
Surely, you say, there has to be an easier way.
The good news is, there is!
The easiest way to protect your passwords and keep track of them is to use a password manager.
Password managers are nothing new. You've probably heard of them. Unfortunately, a lot of people continue to rely on their own brainpower to remember tens if not hundreds of passwords (or just recycle the same ones over and over), which inevitably leads to weak and reused credentials. In fact, only about 10% of users actually use a password manager.
Password managers help you do just that: manage your passwords. First off, they help you create a very strong password for every app and site you use. They do this by generating a long random string of letters, numbers and symbols that is infeasible to guess (and equally impossible to remember). The passwords are saved to a "vault" that is protected by a user-created master password. So now you only have to remember ONE password!
Unfortunately, there is no perfect solution to password management. But there are ways to minimize your risk and protect yourself, your employees and your company data as much as possible. By selecting the right third-party password manager, you protect your credentials against the most common attacks: guessing, reuse across accounts, and "credential stuffing," where a password leaked from one site is tried against every other site. What a password manager cannot do is protect a computer that is already infected with malware, which is why the tips at the end of this article matter.
And given the alternatives, such as writing your passwords down somewhere or recycling and reusing them, a password manager is far more secure.
Best bets and costs
Some of the best bets for password managers for business are:
LastPass (has a FREE version, then up to $6/user per month)
KeePass (FREE and open source)
Dashlane (has a FREE version, then up to $10/user per month)
1Password (has a free trial, then $3/user and up per month)
How to use them with employees
Businesses may already have a way to manage many of their employees' passwords. Large enterprises may be able to deploy single sign-on (SSO) to manage online services. But there are always gaps, and many smaller businesses may not be able to afford an SSO platform. So employees are left on their own to create and remember their passwords.
This particularly affects employees in admin roles, who may have hundreds of sets of credentials, depending on the size of the business. And if they are responsible for generating and remembering all their own passwords, it's almost guaranteed they are reusing passwords.
For a fairly low cost, password managers can pick up the slack. And many have grown in recent years by adding business-friendly features. "That includes administration tools for enterprise customers and separate vaults for business and personal passwords so that employees can take their personal password lists with them if they leave a company" (CSO Online).
Why do they cost money?
Like the saying goes, "nothing in life is free." Like any good service, password managers typically aren't free (and I would question anyone who claimed to provide a service like this for free, given the amount of sensitive data they must store safely). The trade-off is the time saved and the reduced risk of losing business data to an attacker. No more downtime while employees wait to get their passwords reset, and no more wasted time for your IT department, which has to stop what it's doing to get someone back up and running. It's also far less likely that employees are recycling the same passwords they use for personal email or social media, which are breached frequently, with the leaked passwords then tried against business accounts.
Are they safe?
While no password manager is 100% safe, there are still more pros than cons. First of all, if you're not using a password manager, your employees are probably writing down all their passwords or just recycling them. Either way, that is very insecure. Or maybe they store them all in a spreadsheet on their computer. That is an even bigger no-no: anyone who compromises the computer, for example through a phishing email, walks away with the whole file. To learn more about this, read our latest article on phishing scams, which are targeting businesses more and more.
Most cloud-based password managers use a "zero-knowledge" design. The master password is never sent to the provider. Instead, your device runs it through a slow key-derivation function (such as PBKDF2 or Argon2, with a random salt and a high iteration count) to produce the encryption key, encrypts the vault locally with that key, and only then uploads the encrypted vault. The provider stores ciphertext plus a separate login verifier that it can check but cannot reverse into the key. So, in actuality, the password manager doesn't know your master password or your vault key, and a breach of the provider gives an attacker only data that still has to be cracked by guessing the master password offline, which the slow key derivation is designed to make expensive.
Good password managers also support two-factor authentication and do not offer a way to recover a forgotten master password. That follows directly from the design above: since the key is derived from the master password and never stored, there is nothing to recover, and any recovery path the vendor did add would be an "in" for an attacker.
What about browser managers?
Browser password managers are really handy. They pop up every time you enter a new password and offer to save it for you. While the security of most browser password managers has improved, they are still more exposed than third-party managers.
For one thing, they have historically not generated random passwords (newer browser versions do offer this), and generated, unique passwords are one of the best ways to make sure your accounts are secure. Browser password managers are also more exposed to attacks on the browser itself. The saved passwords are encrypted on disk, but in most browsers' default configuration the key is tied to your operating-system login rather than to a separate master password, so any program running under your account, including malware, can read them without a further prompt.
Also, browser managers tend to rely on auto-fill. This handy feature has been abused by third-party tracking scripts that place an invisible login form on a page, let the browser fill it, and read the values back. Researchers found this being used to collect email addresses, and the same trick could harvest a password wherever the browser fills it in without a click.
And then think about what happens if every employee does this on a work computer. Anyone who compromises one of those browsers or machines has the stored credentials, and with them your business information and data, immediately.
Tips for using a password manager safely
Make sure your password manager DOES NOT have master password recovery. This may seem counterintuitive, but if a method exists to recover a master password, then an attacker can exploit it.
Use two-factor authentication. This adds another layer of defense between your account and a potential attacker.
Don't let the manager fill forms automatically on page load. Require a deliberate click (or copy and paste), and lock the vault when you step away from your computer.
Use strong passwords. Let the manager generate long random ones rather than making them up yourself.
Make sure every password is unique. This way, if an attacker obtains one, they won't have access to all your accounts.
Keep your software up to date. This patches known security holes in the password manager, your browser and your operating system.
Be careful when downloading programs, files and browser extensions. These could house malware, and malware on the computer can read whatever the manager unlocks.
For more information on this, visit Techlicious.
HST can help you as well by providing monitoring, backup services and even employee education and support. Give us a call today at (512) 900-9478 or email firstname.lastname@example.org for more information.
Author: Meredith Clark
About Higher State Technology (HST) Since 2004, specialists at Austin-based Higher State Technology (HST) have provided implementation, troubleshooting, hardware, software and managed services solutions for multi-location companies and for solopreneurs. HST helps companies safeguard their IT assets through network protection, backups and disaster recovery, anti-malware and anti-spam protection, and other risk management services. HST offers remote and onsite IT support and management tailored to the needs of each client. For more information, visit www.Higher-State.com.