Password Managers: A Solution to Weak Passwords and Password Reuse

Users may find themselves inundated with advice from IT professionals on good (and bad) password hygiene. By now, most people understand the difference in security afforded by a weak password (e.g., “password,” “123456,” “Facebook1”) and a strong password (e.g., “&e9_qF2`”*8>av1”). But fewer users fully understand the dangers of password reuse. Those who do still often choose convenience over security, despite the risks.

Why? Quite simply, the sheer volume of passwords one needs to remember in today’s hyper-connected world can be downright intimidating. Personal browsing, home financials, and the workplace: to comply with password “best practices,” these three areas of daily use require difficult-to-remember unique passwords. The hoops to jump through are many. Ideally, each password contains a robust mixture of upper- and lower-case letters, numbers, and special symbols. Each password shouldn’t use “leet-speak,” or spelling out words using symbols (e.g., “Pa$$word” instead of “Password”), because hackers anticipate this sort of “obfuscation.” Finally, each password would completely change in a randomly-generated manner every 3-6 months (and in many cases much more frequently).

With that in mind, it’s easy to understand exactly what motivates a user to pick just one password. But the risks remain. Recent breaches at respectable, well-known sites with users numbering in the hundreds of millions have exposed cross-site password reuse as a critical security issue. People generally underestimate the ability of cybercrooks to take a data leak from one site and apply it across relatively huge swaths of the internet. But the increasingly professional services offered through criminal underground networks are able to do just that: take a batch of poorly protected passwords from, say, a LinkedIn breach in 2013 and cross-check accounts on GitHub today, gaining access to any accounts sharing the same e-mail address usernames and passwords.

If avoiding password reuse while maintaining high-quality credentials leaves you feeling a bit overwhelmed, rest assured that a tool exists to help you with the most complex password requirements imaginable. A password manager application acts as a secure repository for credentials (no more scribbling passwords on bits of paper!), ergonomically dispenses usernames and passwords (no more finger gymnastics typing out a 20-character password!), provides randomly-generated passwords, and optionally prompts users to change passwords after a certain period of time has elapsed.

Essentially, a password manager is a program that handles all the difficult tasks of good password hygiene for the user. Users need to create one strong master password for accessing the manager, and the application will store and dispense all other passwords. Secure cut/paste and auto-type are two features many password management programs use to dispense credentials. The former ensures passwords don’t create a security risk by lingering on a clipboard, while the latter greatly eases and speeds the actual act of entering credentials.

Users freed from having to remember complex passwords unique to each login, coupled with a password manager’s abilities to securely paste or auto-type credentials, should take advantage of random password generation features for maximum security. With no need to remember or manually enter credentials and the ability of many programs to quickly generate complex passwords, there’s no good reason not to use as strong a password as possible in all instances. Typically, password managers show the relative strength of any given password for reference. Use these tools to ensure passwords are as strong as possible. Sit back and let the program not only memorize that 64-character behemoth containing a mixture of letters, numbers, symbols, and cases, but also let it do the heavy lifting on typing it all out with only a few clicks. And unlike people, password managers never flub a keystroke when entering logins.
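The two features just described, a random generator and a strength meter, are small enough to show in full. The script below is an added example written for this article, not code from any password manager; it draws passwords from the operating system's cryptographic random source and rates a password the way a strength meter does, treating a dictionary word with "leet-speak" substitutions (the “Pa$$word” case above) as weak regardless of its character mix. The wordlist, substitution table and strength thresholds are constructed assumptions for illustration.

```python
import math
import secrets
import string

# Character classes a typical password generator lets you toggle.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

# Constructed mini wordlist standing in for the dictionaries crackers use.
WORDLIST = {"password", "facebook", "welcome", "letmein", "qwerty"}

# Common "leet-speak" substitutions (assumed table), undone before the
# dictionary check so that "Pa$$word" is recognised as "password".
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def generate_password(length=20, classes=("lower", "upper", "digits", "symbols")):
    """Draw a password from the OS CSPRNG (the secrets module, never random),
    rejecting draws that miss one of the requested character classes."""
    if length < len(classes):
        raise ValueError("length must cover every requested class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in candidate) for c in classes):
            return candidate


def entropy_bits(password):
    """Upper-bound entropy estimate: length * log2(size of the classes used).
    Only honest for generator output; a human-chosen word scores far lower
    in practice, which is why rate() runs the dictionary check first."""
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def looks_like_dictionary_word(password):
    """True if the password is a wordlist entry after stripping a trailing
    digit run and undoing leet-speak (e.g. 'Pa$$word', 'Facebook1')."""
    base = password.lower().rstrip(string.digits).translate(LEET)
    return base in WORDLIST


def rate(password):
    """Return (estimated_bits, label) the way a manager's strength meter would."""
    if looks_like_dictionary_word(password):
        return 0.0, "weak (dictionary word; substitutions do not help)"
    bits = entropy_bits(password)
    if bits < 40:
        label = "weak"
    elif bits < 64:
        label = "fair"
    elif bits < 100:
        label = "strong"
    else:
        label = "very strong"
    return bits, label


if __name__ == "__main__":
    for pw in ["password", "Pa$$word", "Facebook1", generate_password(20)]:
        bits, label = rate(pw)
        print(f"{pw!r:28} {bits:6.1f} bits  {label}")
```

Note that the entropy figure is only meaningful for generator output: a 20-character password from all four classes scores about 131 bits, while the meter deliberately refuses to credit “Pa$$word” with the 50-odd bits its character mix would suggest.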

The drawbacks are few, but critical to understand before adopting a password manager. Foremost, this will be the receptacle into which all of a user’s precious credentials are placed. If the master password is forgotten or stolen, all may be lost or, worse still, compromised by hackers. Obviously, it’s crucial to set a password that’s as strong as possible, but still something easily remembered and typed. Even if it’s a pain at first to enter a stronger-than-usual password, it quickly becomes a daily routine...much like logging into Windows.

Another drawback hinges on portability. If a user allows the password generator to choose 64-character passwords, they’re very unlikely to remember them (if they even make an attempt). So anytime they’re parted from their password manager may mean the inability to access an account. Luckily, good password managers are highly portable. Many have corresponding smart-phone apps. Most also are light-weight and easy to transport and deploy via a flash drive or SD card. On-the-go business people already routinely use portable storage devices, so adding a small password manager is a simple and elegant mobile solution.

Setup becomes the main hassle involved with adopting a password manager. Collecting and entering a lifetime’s worth of login credentials can turn into a slightly daunting task even for those who don’t leave much of a digital footprint. Setting up auto-type options to work with various sites also can be a time-consuming process. Even so, the payoff once everything’s up and running greatly exceeds the time and effort of setting up a password management application.

Increased security, better passwords, unique random password generation, and ergonomic benefits should make adopting a password manager today a no-brainer. With a password manager integrated into day-to-day business processes, management can rest assured that credentials will remain both robust and unique and the perils of weak passwords or password reuse will never negatively impact the company. 

Interested in exploring which password management system fits your organization’s needs but uncertain where to start? True Tech Consulting provides IT guidance and professional services for small- and medium-sized businesses. Contact True Tech Consulting today for a site evaluation.

Trends in Malware: Crypto-Ransomware

There’s a good chance you’ve seen recent news stories regarding a family of malware currently making the rounds from small businesses to major hospitals to critical infrastructure such as water treatment stations. Ransomware, or crypto-ransomware, attempts to infect vulnerable computer networks through various methods, encrypting vital files and programs in order to collect a ransom payment from the victim. If the victim pays the ransom, they receive the cryptographic key needed to return their files to normal.

Although many different versions exist, most crypto-ransomware shares key traits. For example, most strains use strong encryption protocols to scramble your data, making it unusable without the key, the only copy of which belongs to the crooks running the malware, of course. Another similarity is the use of Bitcoin payments on the dark web, usually through the Tor network, as the main forms of payment and delivery.

While a ransomware attack can devastate an unprepared network, spreading from computer to computer, a few easy-to-implement defensive postures can go a long way towards preventing such a malware infection. There are even ways to recover from a successful attack without paying the ransom…provided your IT staff took the proper precautions ahead of time.

First on your list should be keeping your OS and apps up-to-date. Make sure you’re running the most current antivirus definitions, operating system patches, and software versions. Doing this ensures your applications aren’t full of security holes from years ago. Just in the last several months, updates have been rolled out that close several of the vectors for ransomware attacks. You should be doing all these updates under “IT best practices” anyway, so if you’re not, hopefully the threat of ransomware will spur you to action.

The next step is educating yourself and your staff. Ransomware thrives on the ignorance of poorly trained office workers by tricking them into opening booby-trapped e-mail attachments. The attachments appear scrambled and prompt the user to enable macros for proper viewing. Once enabled, the trap is sprung and the ransomware can take hold of the workstation and spread across the network. Training workers not to open unsolicited attachments from e-mails, double checking that macros in Microsoft Office are disabled, and having a clearly defined process for dealing with “mystery” e-mail attachments all reduce the risk of ransomware infection.

Instead of enabling macros to read an attachment, use Microsoft Office Viewers. Available for free from Microsoft’s website, viewers are easy to use and will allow you to open, view, and print attachments without the need for enabling macros. Since programs like Word Viewer and Excel Viewer don’t allow macros, they are much safer to use on suspicious e-mails than simply opening them in actual Word or Excel.
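“Double checking that macros in Microsoft Office are disabled” is worth turning into a repeatable audit. The script below is an added example, not code from the article or from Microsoft: it parses a Windows `.reg` export of the Office policy keys and reports, per application, whether the macro setting actually blocks an attachment from prompting the user. The sample export is constructed; `VBAWarnings` (1 = enable all, 2 = disable with notification, 3 = disable except digitally signed, 4 = disable all without notification) and `blockcontentexecutionfrominternet` are the Office policy value names as I know them under `Software\Policies\Microsoft\Office\<version>\<App>\Security`.

```python
import re

# Constructed sample of a Windows .reg export (not taken from a real machine).
# Word is locked down, Excel still prompts, PowerPoint has no macro policy set.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000004
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000002

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security]
"blockcontentexecutionfrominternet"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')
APP_RE = re.compile(r"\\Office\\(?P<ver>[\d.]+)\\(?P<app>[^\\]+)\\Security$",
                    re.IGNORECASE)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: int}} for DWORD values.
    Value names are lower-cased because the registry is case-insensitive."""
    result, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group("name").lower()] = int(m.group("hex"), 16)
    return result


def audit_macro_policy(reg):
    """Return {app: verdict}. Anything short of 'blocked' means a booby-trapped
    attachment can still ask the user to enable macros."""
    verdicts = {}
    for key, values in reg.items():
        m = APP_RE.search(key)
        if not m:
            continue
        app = m.group("app")
        # None means no policy: Office's default (2, disable with notification)
        # applies, so the user can still click "Enable Content".
        warn = values.get("vbawarnings")
        if warn in (3, 4):
            verdicts[app] = "blocked"
        elif warn == 1:
            verdicts[app] = "ENABLED: all macros run without prompting"
        else:
            verdicts[app] = "prompt: user can click Enable Content"
        if values.get("blockcontentexecutionfrominternet") != 1:
            verdicts[app] += "; internet-sourced macros not blocked"
    return verdicts


if __name__ == "__main__":
    for app, verdict in sorted(audit_macro_policy(parse_reg(SAMPLE_REG)).items()):
        print(f"{app:12} {verdict}")
```

Run against a real export (`reg export "HKCU\Software\Policies\Microsoft\Office" office.reg` on the workstation), the report shows at a glance which applications still leave the decision to the user; only a “blocked” verdict removes the macro-enable prompt the article describes.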

Last but not least, having a properly configured off-site backup solution in place is essential for restoring data in the worst case scenario of a crypto-ransomware attack succeeding on your network. Ransomware often encrypts backup files (such as Windows Shadow Copies) that are stored locally on the network, preventing their use in restoring files. For this reason, redundant copies of all data backups should occur to an off-site repository such as a cloud data storage service. Since the cloud is separate from your company’s network, even if everything in the network falls victim to encryption, your off-site data is safe…and available for restoration to the last backup point.
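Before a local backup is trusted for a restore, it is worth confirming that it has not itself been encrypted. The script below is an added example, not code from the article or from any backup product: it flags backup files whose bytes are nearly uniform (the signature of ciphertext) and files whose hash no longer matches the hash recorded when the off-site copy was made. The sample files are constructed in the script, with a deterministic random blob standing in for an encrypted backup. The entropy heuristic has a known blind spot, which the code handles: compressed or already-encrypted archives are legitimately high-entropy, so formats with a recognised header are skipped and only the hash comparison applies to them.

```python
import hashlib
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 (one repeated value) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Magic bytes of formats that are high-entropy by design (zip-based Office
# files, JPEG, gzip, PDF); without this exclusion they would be misreported.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\xff\xd8\xff", b"\x1f\x8b", b"%PDF")


def looks_encrypted(data, threshold=7.5):
    """Heuristic: near-uniform bytes with no known compressed-format header.
    Plain text sits around 4-5 bits per byte; ciphertext approaches 8."""
    if data.startswith(COMPRESSED_MAGIC):
        return False
    return shannon_entropy(data[:65536]) >= threshold


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_restore_set(local_files, offsite_hashes):
    """Check each local backup candidate and return {name: status}.
    offsite_hashes maps name -> SHA-256 recorded when the off-site copy was made."""
    report = {}
    for name, data in local_files.items():
        if looks_encrypted(data):
            report[name] = "suspect: content looks encrypted"
        elif sha256(data) != offsite_hashes.get(name):
            report[name] = "suspect: hash differs from off-site copy"
        else:
            report[name] = "ok"
    return report


# Constructed sample set: an intact text backup, a backup overwritten with
# random bytes (ransomware stand-in), and a silently altered one.
_rng = random.Random(7)  # deterministic; used only to build test data
INTACT = b"Quarterly report: revenue up 4%, costs flat, headcount unchanged.\n" * 100
ENCRYPTED = bytes(_rng.getrandbits(8) for _ in range(8192))
ALTERED = b"ledger,2016-03,4200\n" * 50
LOCAL_FILES = {
    "notes.txt.bak": INTACT,
    "ledger.csv.bak": ENCRYPTED,
    "journal.csv.bak": ALTERED,
}
# Hashes the off-site service recorded at backup time (constructed).
OFFSITE_HASHES = {
    "notes.txt.bak": sha256(INTACT),
    "ledger.csv.bak": sha256(b"ledger,2016-03,4200\n" * 50),
    "journal.csv.bak": sha256(b"journal,2016-03,17\n" * 50),
}


if __name__ == "__main__":
    for name, status in verify_restore_set(LOCAL_FILES, OFFSITE_HASHES).items():
        print(f"{name:18} {status}")
```

In the sample run only `notes.txt.bak` comes back “ok”; the other two are exactly the cases where the article's advice applies, and the off-site copy, not the local one, is what gets restored.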

Crypto-ransomware can cripple an unprepared company entirely. Paying ransoms is expensive and there’s no guarantee you’ll be given a key, or get all your data back in one piece. You are dealing with criminals, after all. By taking the proactive steps of training your staff and properly configuring the network and software, your company can greatly mitigate the risk of becoming infected by crypto-ransomware.

True Tech Consulting specializes in helping small- and medium-sized businesses implement proper network configuration, security, data backup and disaster recovery. If you’re worried about ransomware or other threats to your business, give us a call for a free consultation today!