Imagine that you receive an email, apparently from your work email provider, asking you to log in and review recent activity. You click the button in the email and try to log in. Oddly, the first attempt fails, but the second works fine and you're into your account.
You must have mistyped your password the first time, right?
The reality is that your password may have just been stolen. The attacker sent an authentic-looking phishing email, and the site you reached first was a fake. Once you submitted your password to it, the attacker simply redirected you to the real site to try again, and you were none the wiser.
With those credentials in hand, the attacker can read all of your work email, use the mailbox to reset passwords on your other accounts, and wreak havoc on the enterprise network.
In this post, we will take a look at how to avoid these kinds of risks using a password manager and other best practices.
Why passwords are important
Passwords are still the default authentication mechanism for the web. Biometrics (fingerprints, facial recognition) now unlock many devices, and two-factor authentication adds a second check, but almost every web application and most devices still rest on a password underneath.
According to Verizon's Data Breach Investigations Report, more than 80 percent of hacking-related breaches involved weak or stolen passwords. With a valid password in hand, an attacker can pivot from that account to the user's other accounts or to protected network resources. Passwords are often the weakest link in enterprise security.
Despite this, most people neither choose strong passwords nor use a different one for each account. Nearly one-fifth of Internet users reuse the same password for most of their accounts, and the average password is less than 10 characters long.
What makes a password secure?
The difference between a weak password and a strong one comes down to how many characters it has and how predictable they are.
The time a brute-force attack needs depends on the size of the search space the attacker has to cover, and that space grows exponentially with length: every extra character multiplies the work, which is why length matters far more than the mix of symbols. A program trying every string of printable characters takes vastly longer to reach the 25-character "my awesome car is on fire" than the 9-character "@y23k3!34". One caveat: attackers don't search blindly. A passphrase built from common dictionary words is attacked as a sequence of words, so its real strength is roughly the number of words times the size of the word list, not its character count. It still beats a short random string, but by a smaller margin than the raw length suggests.
Attackers also don't have to brute force at all. They try the likeliest candidates first, built from public information such as a pet's name, a favourite sports team, a birth year or a keyboard sequence. For the same reason, you shouldn't use passwords that contain any of those.
The most common passwords tend to violate both of these rules — they are short and easy to guess. For example, some of the top 100 passwords include “password”, “123456”, “qwerty”, “letmein”, “baseball”, “mustang”, “abc123” and “trustno1.”
The most secure passwords are both lengthy and random — and that often means a password manager is necessary.
How to manage your passwords
The problem with long random passwords is that they are difficult to remember. Even worse, the average person has nearly 30 distinct online logins. That's a lot of passwords to remember, especially if you don't reuse any of them.
Apple recognized these issues and built a password manager into Keychain on iOS and macOS, along with a feature in Safari that suggests strong passwords. Google Chrome has a similar password suggestion feature, and Windows stores credentials in its Credential Manager.
The catch is that these built-in managers are tied to one person's account and one vendor's ecosystem. Many companies need to share credentials across multiple users and devices. Some password managers solve this with shared vaults, but it's important to evaluate their features and security before choosing one.
Independent Security Evaluators (ISE) recently published a scathing assessment of several password managers that found significant weaknesses. In one case, the master password used to unlock the manager remained in the PC's RAM in plaintext, where any malware running on that machine could read it. The lesson for practitioners is that a password manager protects secrets at rest and in transit, but not from an attacker who already controls the endpoint.
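One security property worth checking when evaluating a manager is whether it binds each credential to the exact web origin it was saved on, because that is what defeats the redirect trick in the opening example: the fake login page lives on a different host, so a manager that matches origins strictly refuses to fill it. The block below is an added illustration of that check, not TeamPassword's code or any product's implementation; the vault contents, hostnames and credential are constructed for the example, and exact-origin matching (scheme, host and port) is the design choice being shown.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

Origin = Tuple[str, str, int]   # (scheme, host, port)

# Constructed vault for the example: each credential is keyed by the exact
# origin it was saved on. The hostname and credential are made up.
VAULT = {
    ("https", "mail.example.com", 443): ("alice@example.com", "generated-by-the-manager"),
}


def origin_of(url: str) -> Optional[Origin]:
    """Parse the page URL into its origin, or None if it isn't a web origin."""
    parts = urlsplit(url)
    host = parts.hostname            # lowercased; userinfo and port stripped
    if parts.scheme not in ("http", "https") or not host:
        return None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:               # non-numeric port in the URL
        return None
    return (parts.scheme, host, port)


def credential_for(url: str) -> Optional[Tuple[str, str]]:
    """Return the credential to autofill on this page, or None.

    Fill only when the page's origin equals the stored origin exactly.
    A lookalike host, a typosquat, a host hidden behind userinfo, a
    different port or a downgraded scheme all get nothing."""
    origin = origin_of(url)
    if origin is None or origin[0] != "https":
        return None                  # never release a secret over plaintext HTTP
    return VAULT.get(origin)


if __name__ == "__main__":
    for page in (
        "https://mail.example.com/login?next=/inbox",       # genuine site
        "https://mail.example.com.login-verify.net/login",  # lookalike suffix
        "https://mail-example.com/login",                   # typosquat
        "https://mail.example.com@attacker.net/login",      # userinfo trick
        "http://mail.example.com/login",                    # downgraded scheme
    ):
        print(f"{page:52} -> {'FILL' if credential_for(page) else 'no match'}")
```

The userinfo case is the one people most often get wrong when matching on a substring of the URL: "mail.example.com@attacker.net" contains the real hostname, but the browser will send the request to attacker.net, and `urlsplit().hostname` correctly reports that. Some managers deliberately also fill on subdomains of the saved host; that is a looser policy than shown here and should be an explicit, reviewed choice rather than the default.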
How TeamPassword can help
Most password managers are built for individuals. Some have since added business tiers, but few were designed for businesses from the start, so they lack features that businesses need day to day, such as the ability to manage who has access to what.
TeamPassword was developed from the ground up with a focus on small business password management. Over the past several years, we’ve talked with business customers to find out exactly what they need and built a solution that’s ideal for them — all with AES 256-bit encryption.
Some core features include:
Secure password generator: The built-in strong password generator creates secure, randomized passwords on-the-fly for private or shared logins.
Two-factor authentication: A TOTP app such as Google Authenticator provides a second factor for access to stored passwords, while backup codes ensure you won't be locked out if you lose the device.
Group management: Groups let you quickly share logins and passwords with subsets of team members, external collaborators, or the entire team.
Browser extensions: Chrome, Firefox, and Safari extensions fill passwords on the sites they belong to, so nobody has to retype them.
Account logging: TeamPassword’s activity logs enable administrators to see who’s using what passwords and when shared passwords are updated.
If you’re interested in trying TeamPassword, sign up here!
How to train employees
Password managers are only one part of password security. After all, they don't prevent a password that has already been compromised from being used to access protected resources. It's equally important to put the right practices in place and make sure that employees are properly trained.
Some best practices include:
Train new users: Employees should be trained on how to properly use password managers. With TeamPassword, we automate a lot of the onboarding by walking them through each step of the process.
Expire passwords: Passwords should be changed whenever they may have been compromised, for example after an incident like the phishing attempt described at the top of this post, and shared passwords should be changed whenever someone who had access leaves the team. Rotating on a fixed schedule is less valuable than it once was (NIST SP 800-63B no longer recommends periodic rotation on its own, because it pushes people toward predictable variations), so treat it as a backstop rather than the main control. With TeamPassword, the process is a breeze, since the new password is pushed organization-wide with a few clicks.
Other measures: All employee devices should run proper antivirus and anti-malware software to prevent attackers from gaining control of the computer, and therefore of the unlocked password manager on it.
Employees should also be trained to spot and avoid viruses, malware and phishing attempts, and to treat a login that fails once and then succeeds, as in the opening example, as a reason to change that password and report it rather than shrug it off.
The Bottom Line
Passwords are a critical part of any company's cybersecurity plan. With more than 80 percent of hacking-related breaches involving weak or stolen passwords, companies should invest in a password manager that both keeps passwords protected and makes it easy for employees to use them.
In addition, it’s important to set up the proper protocols and training procedures to avoid common password attack vectors, such as phishing emails or malware.
If you’re interested in trying TeamPassword with a 14-day free trial, sign up here!