Cybersecurity has come a long way in the 20 years since I started. While it may seem like we have lots of challenges (and we do!) we’ve also developed brilliant technologies that make security easier and more effective. This Thanksgiving, I wanted to take a moment to step back and reflect on my two favorite cybersecurity innovations that have made everyone’s lives easier.
If only I could go 20 years back in time and show my colleagues an authenticator app! (Or heck, a smartphone, for that matter.) They would cry for joy.
Remember back when your only options for 2FA were a clunky keyfob or a printed list of one-time passwords that you crossed off as you used them? I do! Many people, such as doctors that worked at several hospitals, or finance clerks that managed high-value accounts, had to keep track of multiple physical hardware fobs which could get out of sync and need replacement at any time. It was a pain.
Then criminals started really ramping up attacks on your online bank account. They sent massive volumes of phishing emails, stole passwords, and started draining funds from everyday consumers. The financial industry quickly began recommending “out-of-band” authentication, where transactions had to be confirmed through a second communication method. This was also a pain.
What were the banks to do? Banks began sending a PIN via text message to customers’ mobile phones, in addition to requiring a password. Pretty much right away, criminals developed malware that infected your phone and stole any PINs sent to you via text message. Now our phones were under attack, too.
Smartphones changed the game. For the first time, consumers had a sophisticated computer in the palm of their hands. Soon, security companies rolled out “authentication apps” for smartphones, which could display a rotating one-time PIN, or even pop up a verification request, at any time. Today, over 81% of American adults have smartphones, which means the vast majority of us have access to high-security multifactor authentication, for free, in the palm of our hands. Today’s authentication apps offered strong security based on cutting-edge encryption and time-synchronization, simplifying security for hospitals, banks, businesses, and end-users. And for that, I am thankful.
Thank goodness for password managers! If you’re like me (i.e. a human and not a robot), your brain is not designed to remember a zillion different passwords, especially when they all have different complexity requirements (such as letters, numbers, doodles, sign language and squirrel noises).
These days, the average employee manages nearly 200 passwords. What’s more, credential stuffing attacks—where criminals try out your stolen password on a myriad of other web sites—are rising at alarming rates, resulting in massive financial losses, theft and data breaches.
Choosing unique passwords is more critical than ever for minimizing risk. It doesn’t matter how strong your password is if someone can steal it from a hacked web site, or your own infected computer, and use it to get into your online accounts. Criminals have automated tools that will take your stolen passwords and try them in a wide variety of other web sites.
“But wait!” you say. “I vary my password. I change the numbers around a little, or I add an exclamation point at the end, or I increment the year.” Sorry—the criminals are on to you. Their automated tools can easily generate variations of your stolen password and try these out, too.
Many companies tell employees not to choose a password they’ve re-used other places, but there is really no way to verify that if they are allowed to choose their own passwords. A recent survey found that 31% of people use the exact same password for “social+streaming” services as they do for more sensitive applications. The result is that organizations are left vulnerable to credential stuffing attacks.
Enter password managers. Password managers are extremely effective for reducing risk because they provide three fundamental services:
- Generate unique and strong passwords
- Store passwords securely
- Enable secure password sharing
Generating Strong Passwords
Many people forget about the password generation feature, but that’s half the value of your password manager! Left to our own devices, people typically choose guessable passwords, or passwords that are variants of other ones that they use and leave the door open for credential stuffing attacks.
Another major issue with passwords is that users often store them insecurely, leading to greater risk of theft. For example, many people store passwords in Word documents or text files on their computer or phone, or simply save them in a web browser. When their device gets infected with malware—as often happens—criminals automatically steal those passwords. They have automated tools to collect passwords from your system, organize them and add them to their databases. Then, your passwords are sold on the dark web and/or used to break into your accounts. You may never know until it is too late.
When it comes to password storage, there are two kinds of password storage options:
Cloud-based password managers offer both flexibility and security: you can logon from any device you want and still have access to your password repository. On the other hand, the cloud can get hacked, and, ironically, your cloud password manager account is also vulnerable to credential stuffing. Make sure to choose a strong “master” password and use two-factor authentication if you use a cloud-based password manager.
Password managers that store credentials locally are useful when you expect to login only from the device they are on. Many people who use local password managers still choose weak or duplicated passwords, because they cannot access their repository from other devices. However, the benefit of local password managers is that there are fewer opportunities for an attacker to break into your password vault compared with a cloud-based password manager.
Wait, aren’t we supposed to never, ever share our passwords? If that’s what you’re thinking, good job! It’s true, you shouldn’t share your password. That said, there are cases where teams need to have shared accounts, especially these days now that cloud applications are popular, and adding multiple accounts may be cost prohibitive.
Many people share passwords via email or cloud documents. These methods are risky, because the passwords can easily be stolen. Instead, you can use a cloud-based password manager! Popular password managers include team sharing options, which enable you to create access-controlled encrypted repositories for shared passwords, control their access, and communicate updates in a secure manner. Bonus: if an employee is unavailable or leaves the organization, their passwords are available to team members if needed.
Looking back, authenticator apps and password managers have changed the game when it comes to cybersecurity. They are low-cost, easy-to-use, and offer strong security that counteracts attacker’s most potent threats. Now the big challenge is getting everyone to use them! Let’s make that our New Year’s resolution.