World Password Day was celebrated earlier this month with some sobering statistics that may have people rethinking the use of their daughter’s middle name or favorite Italian dish as the basis for all of their security. MSPs can only hope that is the case because client employees that choose to use weak passwords can put the whole enterprise at risk.
Password security firm LastPass released findings this month from its third “psychology of passwords” global report that show some sloppy password habits from people who should know better. Even with all the publicity about compromised passwords, LastPass reported that 91 percent of people know that using the same password on multiple accounts is a security risk, yet 66 percent continue to use the same password anyway. With people spending more time online, the evolution of cybersecurity threats and the unchanged behavior in creating and managing passwords create a new level of concern around online security, LastPass reports.
The global survey that polled 3,250 individuals across the United States, Australia, Singapore, Germany, Brazil, and the United Kingdom provides evidence that increased knowledge of security best practices doesn’t necessarily translate into better password management. For MSPs, this means another front in the war on hackers.
Passwords reaching their end?
The current pandemic is impacting all areas of IT, and that includes some of the tried and true tools of security. Passwords are one example of this, and some have speculated that the COVID-19 crisis might finally be the impetus that pushes them aside. In fact, Forbes trumpeted the possible pandemic demise of passwords in a recent article entitled Could Coronavirus Finally Kill Passwords?
Dark Reading also tackled the topic recently. Brad Brooks, CEO of OneLogin, told Dark Reading that the COVID-19 work-from-home experience would move many companies forward. But even if they don’t deploy new authentication technologies right away, Brooks told Dark Reading, businesspeople recognize that something has to change.
With legions of employees working from home, passwords have gotten more casual along with workplace dress. Just as someone is more likely to wear pajamas to work when they are staying at home, they are more likely to be seduced by the familiarity of home into choosing unimaginative passwords like 12345 and password. Consider these “pajama passwords”: lazy, easy to crack, and capable of putting a network’s security in jeopardy. Throw in a pandemic, and that adds another avenue for hackers. For instance, one current scam involves pointing people to an online map that purports to track COVID-19 cases but actually steals usernames, passwords, and credit card numbers stored in a user’s browser. Stolen passwords have long been a blight on businesses and a source of data breaches, but will the pandemic sweep passwords aside for good?
Not so fast, says Adam Doupè, Associate Professor in the School of Computing, Informatics, and Decision Systems Engineering at Arizona State University. Doupè is a leading expert on password security and technology.
While Doupè tells Smarter MSP that passwords have a lot of problems, they still remain the workhorse of cybersecurity, and the pandemic doesn’t appear poised to change that, although it could focus attention on best practices and pave the way for something new down the road.
“The pandemic may help people realize all the flaws that passwords have,” Doupè adds.
One of the best tools that MSPs can use, Doupè advises, is to “attack” your own client’s passwords. There are plenty of programs of varying sophistication (and cost) that MSPs can run to sniff out the weakest passwords in an organization.
“If you can break them, then you can let the employee know. This simulates attackers and their capabilities, but you have much more visibility into your system, so you can do it better than an attacker,” Doupè says.
Of course, packaging a password as part of two-factor authentication (2FA) access is optimal, but that can raise usability issues, he adds.
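The self-audit Doupè describes amounts to running a dictionary attack against your own client’s password hashes and reporting what falls. The following is an added example written for this article, not Doupè’s or any vendor’s tool. It assumes a hypothetical store of PBKDF2-HMAC-SHA256 hashes with per-user salts (Active Directory’s NTLM hashes or a web app’s bcrypt hashes would need a different `derive` function but the same loop), and both the accounts and the wordlist are constructed for the walkthrough. Besides listing weak passwords, it groups cracked accounts that share a password, the reuse habit the LastPass survey highlights.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

# Hypothetical password store for this walkthrough: one (username, salt, hash)
# record per account, hashed with PBKDF2-HMAC-SHA256. Real stores (NTLM in
# Active Directory, bcrypt in a web app, ...) differ in format; the audit is the same.
ITERATIONS = 2_000  # deliberately low so the example runs in seconds; production uses far more


def derive(password: str, salt: bytes) -> bytes:
    """Hash a candidate exactly the way the (assumed) store does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _salt_for(user: str) -> bytes:
    # Deterministic per-user salt so the constructed store is reproducible.
    return hashlib.sha256(user.encode("utf-8")).digest()[:16]


def make_store(users: Dict[str, str]) -> List[Tuple[str, bytes, bytes]]:
    """Build (user, salt, hash) records from plaintexts; only used to fabricate sample data."""
    return [(u, _salt_for(u), derive(p, _salt_for(u))) for u, p in users.items()]


# Constructed accounts: three "pajama passwords", one of them reused, and one strong one.
SAMPLE_STORE = make_store({
    "maria": "Password1",
    "sam": "Password1",
    "jorge": "lasagna2020",
    "dana": "12345",
    "lee": "zK7#q!vR2p$mW9x^",
})

# Tiny constructed wordlist; a real audit uses leaked-password lists plus company-specific terms.
WORDLIST = ["password", "12345", "lasagna", "qwerty", "letmein", "summer"]


def candidates(words: Iterable[str]) -> Iterable[str]:
    """Expand base words with the mangling rules attackers try first."""
    for w in words:
        yield w
        yield w.capitalize()
        for suffix in ("1", "123", "!", "2019", "2020"):
            yield w + suffix
            yield w.capitalize() + suffix
        yield w.replace("a", "@").replace("o", "0")


def audit(store: List[Tuple[str, bytes, bytes]], words: Iterable[str]) -> Dict[str, str]:
    """Return {user: recovered_password} for every account the dictionary attack breaks."""
    cands = list(candidates(words))  # materialize once, reuse for every salt
    cracked: Dict[str, str] = {}
    for user, salt, digest in store:
        for c in cands:
            if hmac.compare_digest(derive(c, salt), digest):
                cracked[user] = c
                break
    return cracked


def reused(cracked: Dict[str, str]) -> Dict[str, List[str]]:
    """Group cracked accounts that share one password."""
    by_pw: Dict[str, List[str]] = {}
    for user, pw in cracked.items():
        by_pw.setdefault(pw, []).append(user)
    return {pw: sorted(us) for pw, us in by_pw.items() if len(us) > 1}


if __name__ == "__main__":
    found = audit(SAMPLE_STORE, WORDLIST)
    for user, pw in found.items():
        print(f"WEAK  {user}: {pw!r}")
    for pw, users in reused(found).items():
        print(f"REUSE {pw!r} shared by {', '.join(users)}")
```

Only the accounts that break should be reported to the employee, never the store itself, and the wordlist is where the real work lies: add the company name, local sports teams, and whatever appears in breach corpora before trusting a clean result.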
The case for single sign-on
“SSO created a lot of buzz initially, but trust ended up being a buzzkill,” Doupè says. The thought was that a person could access all of their accounts through a platform like Facebook, Twitter, or Google.
“This has burned users, and they are now wary of linking to these sites. The user experience is also not great for a lot of these things,” he states. Doupè, like many, initially thought SSO held a lot of promise, but it hasn’t lived up to its billing.
Doupè’s other suggestions for MSPs include watching accounts for unusual activity. AI is an excellent tool for analyzing usage patterns. If someone typically is only logged in between 7 a.m. and 4 p.m., and suddenly you are seeing Maria from accounting logged in at 2:30 a.m., that could be a red flag.
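The red flag Doupè describes can be scripted without any machine learning: build a per-user baseline of the hours at which successful logins normally occur, then alert on logins outside that window. The code below is an added example for this article, not a tool Doupè or the publication endorses. The log format (`<ISO timestamp> user=<name> result=<success|failure> src=<ip>`) is hypothetical and every log line is constructed; an MSP would substitute its own SIEM export.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Constructed authentication history in a hypothetical format:
# "<ISO-8601 local time> user=<name> result=<success|failure> src=<ip>"
HISTORY = [
    "2020-04-06T07:12:31 user=maria result=success src=10.0.0.5",
    "2020-04-06T12:48:02 user=maria result=success src=10.0.0.5",
    "2020-04-07T08:03:44 user=maria result=success src=10.0.0.5",
    "2020-04-07T15:55:10 user=maria result=success src=10.0.0.5",
    "2020-04-08T09:30:00 user=maria result=failure src=10.0.0.5",  # failures never set the baseline
    "2020-04-06T22:01:19 user=jorge result=success src=10.0.0.9",
    "2020-04-07T23:40:05 user=jorge result=success src=10.0.0.9",
]

# Constructed events to evaluate against that history.
NEW_EVENTS = [
    "2020-04-09T02:30:12 user=maria result=success src=203.0.113.7",  # 2:30 a.m.: outside her hours
    "2020-04-09T08:10:00 user=maria result=success src=10.0.0.5",     # normal for maria
    "2020-04-09T23:05:00 user=jorge result=success src=10.0.0.9",     # normal for a night shift
    "2020-04-09T03:00:00 user=newhire result=success src=10.0.0.21",  # no history at all
]


def parse(line: str) -> Tuple[datetime, str, str]:
    """Split one log line into (timestamp, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["result"]


def baseline(lines: Iterable[str]) -> Dict[str, Tuple[int, int]]:
    """Per user: (earliest, latest) hour of day observed among successful logins."""
    hours: Dict[str, List[int]] = defaultdict(list)
    for line in lines:
        when, user, result = parse(line)
        if result == "success":
            hours[user].append(when.hour)
    return {u: (min(h), max(h)) for u, h in hours.items()}


def flag(lines: Iterable[str], base: Dict[str, Tuple[int, int]], tolerance: int = 1) -> List[Tuple[str, str, str]]:
    """Return (user, timestamp, reason) for successful logins outside the user's usual hours."""
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        when, user, result = parse(line)
        if result != "success":
            continue
        if user not in base:
            # An account with no history is itself worth a look, not a silent pass.
            alerts.append((user, when.isoformat(), "no login history"))
            continue
        lo, hi = base[user]
        if not (lo - tolerance <= when.hour <= hi + tolerance):
            alerts.append((user, when.isoformat(), f"usual hours {lo:02d}-{hi:02d}"))
    return alerts


if __name__ == "__main__":
    for user, ts, reason in flag(NEW_EVENTS, baseline(HISTORY)):
        print(f"ALERT {user} at {ts}: {reason}")
```

Two caveats a practitioner would add before relying on this: the window is a plain hour range, so a shift that crosses midnight needs circular hour arithmetic (or a baseline keyed on minutes since shift start), and a time-only rule is best paired with a second signal such as the source address, which also changed in the constructed 2:30 a.m. event above.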
Doupè adds that at the very least, the COVID-19 crisis might spark discussion about authentication.
“There needs to be a big structural change in the way we approach authentication, but it would take a big company offering a single sign-on that guarantees anonymity,” Doupè concludes.
In the meantime, MSPs need to be extra vigilant about monitoring “pajama passwords” during a time when people are more concerned about coronaviruses than computer viruses.
Photo: Vitalii Vodolazskyi / Shutterstock