Let’s start of this week’s blog with a confession. Here at Click Studios we want businesses to buy and use Passwordstate! When you buy licenses for our products, and take-out Annual Support and Upgrade Protection, you help us to maintain and grow our business. We don’t deny that.
However, take a look at our pricing structure and the catch-line on our website which summarizes our philosophy. Password Management Should Be Affordable For Everyone. Because It’s Important.
We genuinely believe that all businesses should have the opportunity to access a secure, flexible and affordable Enterprise Password Management System. One that your IT and Security staff can use to access and share sensitive password credentials. Without a solution like Passwordstate,
- How do you centralise control of, and allow secure access to, these sensitive credentials?
- Do you know who is accessing your privileged credentials and when are they doing it?
- Can you provide access to them based on an employee’s role?
- Can you quickly change them when an employee leaves?
- How do you ensure these critical passwords aren’t being copied, changed or exported for other uses?
- How can you manage password resources on discreet networks?
- Is your password store secure?
- Can you rely on access to your passwords when you really need them?
If your business uses Information Technology, in any fashion, then the above points are important and relevant. Your accounts, especially those with higher privileges can be used to exploit your most sensitive information and critical systems. Privileged access gives individuals the power to alter your data, change the configuration of applications and infrastructure and have the potential to cause you irreparable reputational and financial damage. If this were to happen would your business survive?
Credential Breaches Are Real!
On 2nd February 2021, Cybernews reported the Largest compilation of emails and passwords leaked for free on public forum, with more than 3.2 billion unique pairs of cleartext emails and passwords leaked on a popular hacking forum. This is known to be an aggregation of past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and other sources. This is referenced as a Compilation of Many Breaches or COMB.
A subset of entries contained in a previous COMB in 2017 were tested by Constella. They found that “most of the tested passwords worked” and “Given the fact that people reuse passwords across their email, social media, e-commerce, banking and work accounts, hackers can automate account hijacking or account takeover”.
What’s more the breach isn’t just a list of stolen credentials, but rather an interactive database that allows quick searching of credentials. In other words, it allows the lookup of specific credential sets to make selective targeting of individuals and businesses easier!
You can find the full report on Cybernews website: https://cybernews.com/news/largest-compilation-of-emails-and-passwords-leaked-free/ and reference their data leak checker: https://cybernews.com/personal-data-leak-check/
Implications and Impacts
The implications of this breach may be far reaching (I would have said unprecedented – but that word was done to death in 2020!). The majority of people still reuse their passwords and usernames across multiple accounts.
This gives our unfriendly Cyber Criminals a head start with rich information for credential stuffing attacks. The unfortunate fact is that if a user has the same passwords for their LinkedIn or Netflix accounts and an email account, then attackers can and will target other more important business accounts.
These users typically become recipients of targeted Spear Phishing attacks, receive high levels of spam emails and imposter attacks via social media platforms.
Use Passwordstate to Protect Your Assets
First, get Passwordstate up and running within your business! If you already use it then look at how you can improve it’s use within your business. If you don’t have it installed then download the 30 Day Free Enterprise Trial here. You can see how affordable our software is here.
Second, stop reusing passwords and usernames across multiple accounts. If you do, and your account details are compromised in a breach, it’s just a matter of time before your other accounts are targeted. And it’s not just Celebrities and Millionaires that are targeted with Spear Phishing attacks. It’s also Help Desk Staff, Accounts Payable Clerks, Middle Management and those IT workers with increased privileges (yes, I’m talking about you System and Network Admins). Setup Password Strength Policies and Generators in Passwordstate that create unique, strong passwords every time.
Third, regularly reset your passwords automatically. Don’t keep the same passwords for ever. It’s not that hard to change a password every 90 days (just an example, your IT policies may require shorter timeframes). It you’ve got lots of accounts then stagger the resets to make it manageable. Use our tools like Browser Extensions, to automatically generate and save an updated password back to Passwordstate, when changing it online. Automate wherever you can to make your life easier!
Then look at implementing 2 Factor Authentication where it makes sense. You can still do this if you use Single Sign-On and you can selectively target accounts. View your accounts as assets and manage them based on risk and impact. As an example, Banking Accounts and System Administrators Privileged Accounts should always have 2FA enabled. Even if your credentials are compromised hackers can’t access the account if you use 2FA.
Be informed, take control of your assets and as always, we welcome your feedback via support@clickstudios.com.au.