How to secure passwords – why multi-factor authentication?

Why passwords are every company’s one of the biggest risks?

Personal passwords should be a concern for  a security manager in every company. Managers need to prepare Identity management policies, password policies and there is a lot of items which needs to be taken into account. You can ask why. Well, we all have at least 30 different accounts and associated passwords. I have checked my list and at the moment I have to handle 483 passwords! And what does it mean? Passwords reuse!

Most of users will have to resort to one of those bad and risky practices like:

  • Passwords kept in excel or other file
  • Notepad with passwords
  • Use the of  the same password with something added to it for e.g. April11, LinkedinApril and so on – those are very easy to discover patterns

Once one of the user accounts is compromised for e.g. personal e-mail or online shop, not only user password habits will be discovered but plenty of details about that person, which can be used to compromise other accounts used by her him.

Only a couple of days ago a security researcher Troy Hunt published information about particularly dangerous breach disclosing  1,160,253,228 unique combinations of email addresses and passwords. Sooner or later those passwords will be used for testing various accounts in an attempt to discover password reuse.

Ok, so what is the solution? How companies should protect themselves?

On the strategic level we should adopt a recognised cybersecurity management framework like ISO 27001. This would help you to implement the following:

  1. Invest in training your end users! Information security awareness and training is a proven way of  making users familiar with company policies and recommendations and more responsible and accountable for their actions. DMZ IT can assist you with it – get in touch!
  2. Implement basic information security procedures such as password security, malware control or incident detection and reporting.
  3. Proper management of privileged accounts like administrator accounts – please remember that according to Verison 2018 Data Breach Investigation Report – System Admin was the highest variety involved in breaches. So the allocation and use of privileged access rights should be restricted and controlled.
  4. Monitor and review logging of all authentication and authorisation actions including log preservation. 63% of data breaches took months or longer to discover according to Verison 2018 Data Breach Investigation Report.
  5. Terminate accounts which are not in use – i.e. staff contractors or former employees.

What can we do on the user level?

  1. Use two factor authentication whenever possible, particularly for all privileged accounts – in case when password is compromised, an attacker cannot get access to your system without secondary verification method. Encourage your staff to enable two factor authentication even for personal accounts like outlook.com, gmail, facebook, LinkedIn and so on. Our security awareness training can assist. For the company you can use Azure Multi-factor Authentication.
  2. Consider implementation of password managers. Software for storing user credentials. I have been asked by one of my students recently – can you trust those programs? That’s is a very good question – my answer was that they are much safer than storing passwords in Word or Excel document or repeating passwords with common words or phrases. Solutions like 1Password have a functionality called Watchtower which can detect which of your passwords have been compromised or reused or which one is not strong enough. Obviously password manager is only a part of the solution – your overall approach to cyber security is a key.
  3. Reduce number of passwords required by use Single Sign On solutions like Azure Multi-factor Authentication for both cloud application and on premise. We can assist you with assessment and implementation.
  4. Regularly monitor your accounts and domains using Troy Hunt service at Have I been Pwned – you can enter an e-mail address or your domain and verify if and whether this account have appeared as compromised – please have in mind that at the moment of writing this post they hold records of 6,474,028,664 compromised accounts.

Please get in touch and we will help you with implementation of the best solution for you.