Passwordstate is trusted by more than 29,000 Customers and 370,000 Security & IT Professionals around the world, with an install base spanning from the largest of enterprises, including many Fortune 500 companies, to the smallest of IT shops. This week’s Blog references some content from an article published by David Walker for CPA’s online magazine INTHEBLACK in late 2019. The article can be viewed here.
The Importance of Aligning to Industry Standards
Strong password protection is an essential element of an organisation's Cyber Security controls. This means more than implementing a capability like Passwordstate: employees need to understand why it must be used and how it should be used, and someone needs to review, on an ongoing basis, who has access to your privileged accounts and who is actually using them.
Whilst there are a number of Standards that can be adopted, I've used the NIST Cybersecurity Framework Version 1.1 for this blog. Working through the NIST Framework functions, you may already have:
- Identified the importance of your privileged accounts in supporting critical business functions, and
- Protected these privileged accounts by implementing Passwordstate.
However, the story doesn't end there. You still need ongoing user awareness and training on the importance of managing your password credentials, supported by appropriate policies and procedures. You also need to be Detecting anomalies or unusual events in the audited access to those accounts, which is only possible if you actually review the audit trail rather than just collect it.
Following Good Password Practices
Once you've got Passwordstate installed and have imported your privileged accounts, there are a number of good practices that should be followed. These are especially important in organisations with a Cloud First strategy, i.e. those that acquire cloud-based services such as cloud accounting in preference to locally hosted capabilities, because every one of those services is a separate web front-ended system with its own set of credentials.
- Use unique passwords
- Only manage these passwords within Passwordstate
Use Unique Passwords
One of the most common ways password credentials are compromised is through password reuse, sometimes called daisy chaining. A common username, typically your email address, is used across multiple web front-ended systems and the user chooses the same password for each of them. All it takes is for one of those systems to be breached: attackers then replay the leaked username and password against every other system (credential stuffing), and every account sharing that combination is at risk.
To prevent this, all passwords should be unique. Passwordstate lets you specify a Password Generator Policy that is used to generate the passwords for your accounts, and administrators can enforce this by enabling the setting that forces use of the Password Generator and by defining a Password Strength Policy. The default Password Generator and Strength Policies can be set at a global level, or per Password List.
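The two controls above, a generator that satisfies a strength policy and a check that no password is shared between accounts, are easy to reason about in code. The following is an added example written for this post, not Passwordstate's own generator or any of its APIs; the policy fields and the vault records are constructed assumptions for illustration. It generates passwords from the operating system's CSPRNG so that each required character class is present by construction, verifies a candidate against the policy, and scans a vault for the reuse pattern described above.

```python
import secrets
import string
from collections import defaultdict

# Constructed policy for this example (field names are assumptions, not
# Passwordstate settings): minimum length and required character classes.
POLICY = {
    "min_length": 20,
    "require_upper": True,
    "require_lower": True,
    "require_digit": True,
    "require_symbol": True,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?",
}


def meets_policy(password: str, policy: dict = POLICY) -> bool:
    """Return True if `password` satisfies every requirement in `policy`."""
    if len(password) < policy["min_length"]:
        return False
    checks = [
        (policy["require_upper"], any(c.isupper() for c in password)),
        (policy["require_lower"], any(c.islower() for c in password)),
        (policy["require_digit"], any(c.isdigit() for c in password)),
        (policy["require_symbol"], any(c in policy["symbols"] for c in password)),
    ]
    return all(present for required, present in checks if required)


def generate_password(policy: dict = POLICY) -> str:
    """Generate a password from the OS CSPRNG that satisfies `policy`.

    One character is drawn from each required class first, so the policy is
    met by construction; the rest is drawn from the union of the classes and
    the result is shuffled so class characters do not sit in fixed positions.
    """
    classes = []
    if policy["require_upper"]:
        classes.append(string.ascii_uppercase)
    if policy["require_lower"]:
        classes.append(string.ascii_lowercase)
    if policy["require_digit"]:
        classes.append(string.digits)
    if policy["require_symbol"]:
        classes.append(policy["symbols"])
    alphabet = "".join(classes)
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet)
              for _ in range(policy["min_length"] - len(chars))]
    # SystemRandom().shuffle uses the CSPRNG; random.shuffle would not.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def find_reused_passwords(records):
    """Group vault records by password value; return the groups used more than once.

    Each record is a dict with at least "list", "username" and "password".
    A password shared by accounts with the same username is exactly the
    daisy-chaining pattern that credential stuffing exploits.
    """
    by_password = defaultdict(list)
    for rec in records:
        by_password[rec["password"]].append((rec["list"], rec["username"]))
    return {pw: users for pw, users in by_password.items() if len(users) > 1}


# Constructed sample vault (not real credentials) showing one reused password.
SAMPLE_VAULT = [
    {"list": "Cloud Accounting", "username": "finance@example.com", "password": "Summer2019!"},
    {"list": "Payroll SaaS", "username": "finance@example.com", "password": "Summer2019!"},
    {"list": "Domain Admins", "username": "svc-backup", "password": generate_password()},
]

if __name__ == "__main__":
    for pw, accounts in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"reused password shared by {len(accounts)} accounts: {accounts}")
    print("policy met by 'Summer2019!':", meets_policy("Summer2019!"))
```

Run the reuse scan against an export of your own lists before enforcing the generator: the reused entries are the ones to rotate first, since a single breach of any one of their systems exposes all of them.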
Only Manage Passwords within Passwordstate
It should go without saying that to ensure your password credentials are known, accurate and secure, you need to manage them. If your passwords are changed outside of Passwordstate you cannot easily confirm what they are, or who is using them.
To ensure your password credentials aren't being changed outside of Passwordstate, you should review accounts that fail their Heartbeat Validation. This option is available for on-premises systems: the Heartbeat Validation check confirms that the password recorded in Passwordstate still matches the account on the target system, so a failure means the credential has drifted and someone has changed it out of band.
For web front-ended systems, you should use Passwordstate's Browser Extensions and store your credentials within an appropriate Password List. The Browser Extensions allow you to generate new passwords based on your defined Password Generator and Strength Policy. If the password stored within Passwordstate doesn't match the password the system now requires, you can confirm the last person who legitimately accessed the credentials from the auditing table or by running a report.
Reset your Passwords Regularly
Passwordstate makes it very easy to reset your passwords regularly: enable password resets on a Password List's Properties. You can also set a default password reset schedule and new expiry dates for the passwords in that list.
Again, for web front-ended systems, you should set up a scheduled report to confirm which web-based password credentials need to be reset. To do this, create a report based on passwords expiring soon and schedule it to run periodically. You can specify the Password Lists you want to report against, as well as how far ahead of expiry a password should appear in the report.
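Two of the checks described above, finding who last touched a credential (the auditing review from the Browser Extensions section) and listing which credentials in chosen Password Lists expire within a given window, are both simple queries over vault and audit data. The block below is an added example for this post, not a Passwordstate report or API; the record layout, audit actions, dates and user names are constructed for illustration and would be replaced by an export of your own data. It also separates credentials that are already overdue from those merely approaching expiry, since the two need different treatment.

```python
from datetime import date, datetime, timedelta

# Constructed reference date so the example is deterministic.
TODAY = date(2019, 12, 1)

# Constructed vault records (field names are assumptions for this example).
# "expiry" is None for a credential with no expiry date set.
VAULT = [
    {"id": 1, "list": "Cloud Accounting", "title": "Accounting SaaS admin",
     "username": "finance@example.com", "expiry": date(2019, 12, 10)},
    {"id": 2, "list": "Cloud Accounting", "title": "Payroll SaaS",
     "username": "payroll@example.com", "expiry": date(2020, 3, 1)},
    {"id": 3, "list": "Domain Admins", "title": "svc-backup",
     "username": "svc-backup", "expiry": date(2019, 12, 20)},
    {"id": 4, "list": "Domain Admins", "title": "Break glass",
     "username": "bg-admin", "expiry": None},
    {"id": 5, "list": "Cloud Accounting", "title": "Legacy CRM",
     "username": "crm-admin@example.com", "expiry": date(2019, 11, 15)},
]

# Constructed audit rows: who retrieved which credential, and when.
AUDIT = [
    {"ts": datetime(2019, 11, 20, 9, 5), "user": "alice", "password_id": 1, "action": "Password Viewed"},
    {"ts": datetime(2019, 11, 28, 17, 40), "user": "bob", "password_id": 1, "action": "Password Copied"},
    {"ts": datetime(2019, 11, 29, 8, 0), "user": "alice", "password_id": 3, "action": "Password Viewed"},
]


def expiring_passwords(records, lists, within_days, today=TODAY):
    """Credentials in `lists` that expire from today up to `within_days` ahead.

    Already-expired records are deliberately excluded; see overdue_resets().
    Returned soonest-expiring first, which is the order to action them in.
    """
    cutoff = today + timedelta(days=within_days)
    hits = [r for r in records
            if r["list"] in lists
            and r["expiry"] is not None
            and today <= r["expiry"] <= cutoff]
    return sorted(hits, key=lambda r: r["expiry"])


def overdue_resets(records, today=TODAY):
    """Credentials whose expiry date has already passed and were never reset."""
    return [r for r in records if r["expiry"] is not None and r["expiry"] < today]


def last_access(audit, password_id):
    """Most recent audit row for one credential, or None if never accessed.

    When a stored password no longer works, this is the person to ask first,
    since they are the last legitimate holder of the value before it changed.
    """
    rows = [a for a in audit if a["password_id"] == password_id]
    return max(rows, key=lambda a: a["ts"]) if rows else None


if __name__ == "__main__":
    for r in expiring_passwords(VAULT, {"Cloud Accounting", "Domain Admins"}, 30):
        print(f"expires {r['expiry']}: [{r['list']}] {r['title']} ({r['username']})")
    for r in overdue_resets(VAULT):
        print(f"OVERDUE since {r['expiry']}: [{r['list']}] {r['title']}")
    hit = last_access(AUDIT, 1)
    print(f"last access to id 1: {hit['user']} at {hit['ts']} ({hit['action']})")
```

Scheduling this over a fresh export once a week gives the same outcome as the built-in scheduled report; the point of the example is to show that "expiring soon" is a window from today forward, and that anything already past its expiry date needs to be reported separately as an overdue reset rather than silently dropping out of the expiring list.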
2FA (two-factor authentication)
2FA is a great way to apply an additional level of protection. It requires a second factor, in addition to the username and password combination, before a user is authenticated, so a stolen or reused password alone is not enough to get in. Passwordstate supports a range of popular 2FA options including Google Authenticator, RSA SecurID, Duo 2FA and many others outlined here.
As always, your feedback is welcome via support@clickstudios.com.au.