Where do we store our passwords, or how to outsmart hackers?

Toni Klasić
Digital Reflections
6 min read · Nov 23, 2017
A password manager stores and organizes all your passwords for computers, websites, applications etc., because good passwords live long and save you a lot of trouble.

Over the past few decades the world has witnessed a massive digital transformation. Businesses began moving their value-generating engines to interconnected systems and putting greater reliance on internet communication. Employees began using email and workstations, and by this point are even connected at the hip by way of mobile devices. Servers — previously a collection of warm, whirring monoliths in a room downstairs — now exist in the cloud. Corporate dependence on technology is not only all-encompassing, it is growing deeper and even more fundamental as the years go by. Because the fastest, best organizations are also the ones continually adopting better technology, there is no way to stop or even slow this continuing digital transformation. To get a sense for the scale of the problem, let’s dial it back down to the IT risks that exist for a very small business. Even the simplest of mom-and-pop operations are subject to the digital transformation — consider the barest minimum of business computing: a spreadsheet on a workstation containing customer records. An entire small business can live in that file, but that file must be stored somewhere secure, must be backed up, and must have appropriate permissions. And that file faces a number of ongoing risks — its host machine contracting malware, hardware failure, weak passwords, malicious actors, and so on. Now extrapolate that out to the size of an enterprise — countless sensitive files spread among thousands of employees and thousands of servers with an ever-changing infrastructure — and it is easy to see one way in which the quantification of IT risk becomes very complicated, very quickly.

As the number of services offered on the Internet continues to increase, the number of passwords an average user is required to remember increases correspondingly, to the point where it is no longer feasible for most people to remember a new, strong password for every account. Users typically solve this problem in one of two ways. A common solution is to reuse the same password on many different websites (in my opinion this is dangerous, because if the password is stolen, the hacker could reuse it on any other service if he wanted to; he probably would, that’s his world). Another approach is to use a “password manager” to store strong passwords for each site. A “password manager” is a piece of software that requires a user to remember a single strong master password, which is used to decrypt the password manager’s database. Due to the sensitivity of the information typically stored in password databases, most password managers protect their content from unauthorized access. Database formats typically rely on encryption for data protection, where the encryption/decryption key is generated from a master password entered by the user. There are several types of managers: locally installed software, web-based services and token-based hardware devices.

Locally installed software runs on the user’s personal computer or mobile device, such as a smartphone, in the form of a locally installed software application. These applications can be offline, wherein the password database is stored independently and locally on the same device as the password manager software. Alternatively, password managers may offer or require a cloud-based approach, wherein the password database is kept on an online file hosting service and stored remotely, but handled by password management software installed on the user’s device.

Web-based services are a web-based version of a more conventional desktop-based password manager. The advantages of online password managers over desktop-based versions are portability (they can generally be used on any computer with a web browser and a network connection, without having to install software) and a reduced risk of losing passwords through theft of or damage to a single PC — although the same risk is present for the server on which the users’ passwords are stored. In both cases this risk can be reduced by ensuring secure backups are taken. The major disadvantages of online password managers are the requirements that the user trusts the hosting site and that no keylogger is present on the computer they are using. With servers and the cloud being a focus of cyber attacks, how one authenticates to the online service and whether the passwords stored there are encrypted with a user-defined key are just as important. Again, users tend to circumvent security for convenience. Another important factor is whether one-way or two-way encryption is used.

Token-based hardware devices are a form of token-based password manager, wherein a locally accessible hardware device, such as a smart card or a secure USB flash device, is used to authenticate a user in lieu of or in addition to a traditional text-based password. The data stored in the token is usually encrypted to prevent probing and unauthorized reading of the data. Some token systems still require software loaded on the PC along with hardware (a smart card reader) and drivers to properly read and decode the data.

Now, let’s talk about some pros and cons of password managers. In my humble opinion, the biggest single point of failure in any system designed to ensure the confidentiality, integrity and availability of data is the human element. In a nutshell, a password manager is easy to use. Once a user visits a website and enters their username and password, the password manager captures the information, eliminating the need to remember those credentials in the future. Now, all that’s required is to enter the master password to log in to the manager itself. Another handy feature of password managers is the capability to create random passwords that use a mix of uppercase and lowercase letters, symbols and numbers. When a user creates a new account on a site, the password manager offers a secure, randomly generated password, enabling the user to move on quickly. Most password managers also encrypt the vault in which login credentials are stored — on the local computer or in the cloud — providing another layer of protection against hackers. Although they greatly ease the user’s burden, password managers pose a risk in that they present a single point of failure. Let’s say an attacker installed a keystroke-logger program on a computer and recorded the user’s master password. The attacker can then access the password manager vault and compromise the user’s accounts on all sites.

Whatever solution you find for your business, there are a few guidelines to keep in mind:

Although services do encrypt a user’s master password, they do not store the master password in the cloud, so it’s important for users not only to use a strong master password, but to change it every 60 to 90 days. Also, to increase the security of a password manager, look for one that offers two-factor authentication.

While passwords are the most commonly used method of authenticating users entering computer systems, they are frequently targeted by attackers wanting to break into systems. It is critical that this first line of defence against unauthorised access is made effective by rigorously practicing good password management policies. Different passwords should be used for different systems, with respect to the security requirements and the value of the information assets that need to be protected. Make use of other access control mechanisms to facilitate password management and reduce the effort required of users in memorising a large number of passwords. This should be enforced with good security policies and guidelines, supported by user awareness training and education on best practices in choosing and handling passwords.

In addition, for effective information security management, consideration should also be given in areas including, but not limited to: physical security, data and application security, network security, and technologies for strengthening security protection, such as firewalls, VPN and SSL.

Toni Klasić
Digital Reflections

Student of University College Algebra in Zagreb, Croatia