The state of password security is best illustrated by looking at the rise in credential stuffing attacks. By combining login software with proxy servers, hackers bombard targets with username and password combinations harvested from previous data breaches. The attacks are usually successful because people tend to re-use weak passwords between online services.
While most of these attacks focus on ecommerce and gaming websites, a similar technique known as password spraying is commonly used against smaller businesses. Hackers compile a list of usernames for a target system and test each one against a set of common passwords. Employees with weak passwords end up becoming a gateway for hackers to breach a network.
Let's take a look at how password managers can mitigate these risks and how to choose the right option for your business.
Weak passwords are at the center of many data breaches and the solution is simple — a password manager.
Why Use a Password Manager?
Most employees are aware of password security best practices, but most employees don't follow the rules. Of course, the problem is that creating a unique password for each service and remembering them is challenging — especially when the passwords need to be changed on a regular basis! But, it only takes one weak link to compromise an entire network.
Password managers are essentially a password book that's locked with a master key that only the employee knows. Instead of remembering 147 different passwords (the average number for a small business team), they only have to remember a single password. The password manager handles the rest by recalling passwords and even auto-filling them in browsers.
In addition to managing passwords, password managers can easily generate random 20-character passwords on demand. Even with a fast hashing algorithm like MD5, a genuine 20-character password would take an enormous amount of time to crack using brute force methods. Passwords can even be customized to meet unique password requirements for various web services.
Password managers aren't perfect. In fact, a recent audit found that several password managers exposed some passwords in a computer's memory when the apps were in "locked" mode, which could enable a hacker to access them. Despite these vulnerabilities, experts and ethical hackers agree that using a password manager is always a better bet.
Comparing Password Managers
There are many different commercial and open source password managers out there. In addition, some operating systems have started to build password managers of their own. MacOS' password manager uses the laptop's password, fingerprint or facial recognition authentication methods to unlock web passwords that can be used with Safari's built-in support.
The most popular commercial password managers include:
- DashLane is one of the most popular password managers thanks to its support for Linux, ChromeOS and Microsoft Edge browsers, as well as its ability to bulk-change passwords.
- LastPass is well-known for its feature-rich free version and extensive two-factor authentication options, while supporting a wide range of popular platforms.
- Keeper has some of the best security when it comes to password generation and encrypted storage, as well as browser extensions and a web interface.
- 1Password provides some of the best categorization options to keep passwords organized, as well as strong form-filling capabilities that support many browsers.
- Enpass is a popular option for people looking for a free desktop option that keeps data off-line.
In addition to these paid options, there are many open source password managers available. KeePass is one of the most popular options that's licensed under the GPL. While it's not quite as user friendly as commercial password managers, it offers strong security that's backed by its open source nature that enables anyone to view the source code.
Personal vs. Business Password Managers
Password managers are a great way to manage each employee's passwords, but they fall short when it comes to sharing passwords between employees. While it's possible to simply share a password and have each employee save it, the process breaks down when the password is changed and that change needs to persist across all of the employees that use it.
Many companies use password-protected spreadsheets to share passwords, or even worse, Google Sheets that are protected only by an obscure URL. If an attacker gains access, these spreadsheets can quickly turn into a massive data breach impacting every online service on the list. Therefore, these solutions should be avoided at all costs.
Jungle Disk's TeamPassword enables team members to create, access and share passwords in a secure way with many of the same features as individual password managers.
Some of the key features include:
- Group management tools enable you to share logins and passwords with a subset of team members, external collaborators or the entire team. By using "least privilege", you can minimize the odds of a data breach.
- Logging and reporting let you see which logins are being used, which ones aren't, and when your shared logins are being updated to quickly spot any abnormalities. You can also receive email notifications for any important actions.
- Two-step authentication using Google Authenticator adds another layer of security. You can also generate backup codes to ensure that you're never locked out. And of course, all passwords are fully secured in a PCI/DSS compliant way.
- A password generator enables you to quickly create secure, randomized passwords on the fly, while a browser plugin makes it easy to use the passwords with minimal effort.
Sign up for a free 14-day trial (no credit card required) to see how TeamPassword can improve your team's credential management and minimize the odds of a data breach.
The Bottom Line
The dramatic rise in credential stuffing and password spraying attacks is a sign that password security is woefully inadequate. For every high-publicized data breach, there are countless other quiet data breaches impacting small businesses — and many businesses don't survive them. Password management is critical to maintaining cybersecurity.
Jungle Disk provides a comprehensive cybersecurity suite that's specifically designed for small businesses. For an affordable per employee per month price, you can access active network protection, encrypted cloud backup, password management and other critical cybersecurity infrastructure to keep your business safe without breaking the bank.