Passwords Create More Vulnerabilities Than Ever

Passwords are still the most preferred method of authentication, and this traditional approach is not likely to go anywhere soon, which makes it confounding that many businesses don’t manage them properly.

Amidst a global crisis, which has seen the world migrate to home working as standard, we’ve seen a plethora of new devices being granted access to company servers. With each device comes a host of new passwords that need to be secured and managed.

With a crisis come opportunists—in 2019, 30% of ransomware infections were a result of poor password management. Specialized tools that deliver password and privileged information management are now more critical than ever, especially for Managed Services Providers (MSPs), who hold the crown jewels to many of the UK’s businesses.

As users suffer from password fatigue and default to password reuse, cyber-criminals are making it their mission to take advantage of this carelessness. As a trusted advisor, it’s the role of MSPs to ensure their clients’ credentials do not get compromised in the process.

In work-from-home environments, the idea of protecting a perimeter is outdated. The workplace cannot be defined as a physical location, so IT teams must shift from managing devices to managing people. The number of new devices and applications that organizations contend with, especially in the midst of a global health crisis, is making this more difficult for MSPs to manage.

What’s the first step to improving password security?

In short, get a good password manager. As MSPs, we’re on the front line of making sure our clients’ businesses are running smoothly. This means that we’re responsible for keeping assets secure—and password security is an important piece of this puzzle. Hackers are constantly evolving and finding new ways to innovate, so it’s crucial that we stay one step ahead of the game and ensure that all credentials are locked down.

At OryxAlign we’ve selected SolarWinds Passportal & Documentation Manager, a unified set of secure self-serve password management and privileged client knowledge management tools which enhance our offering while addressing risk and compliance requirements.

In order to always remain compliant, passwords must be changed regularly, and this is something that is easily implemented with a purpose-built solution. Our clients have the ability to achieve direct and immediate control and secure password management, without placing undue burden on our service desk—improving the experience for everyone involved.

Against all advice, users often fall back on simple passwords. Why is that?

IT support teams have become the embodiment of a nagging parent. We’re constantly in the position of reminding and encouraging users to have strong and complex passwords in order to ensure their credentials are safe. This is why it comes as no surprise that users often disregard this information or become increasingly frustrated, which helps no one.

Those that do comply get stuck in a process whereby they are creating and remembering those complex passwords—and it becomes tiresome. This means that they fall back on simple, hackable passwords that can easily be stolen.

Although simple passwords can easily be remembered and recovered at the user level, they can just as easily be breached. A quick Google search can yield lists such as “500 worst passwords” or “10 most common passwords”. These lists are a gold mine for threat actors looking to gain access to privileged information. It will not take much for them to plug these in and get access to precious data.

This makes an automated process for password and documentation management incredibly important. Users, whether they believe it or not, want to hand over more of their responsibility to machines, which, in the case of credentials, makes for a more secure method of password management.

Everyone is working from home as standard. How has this affected password security?

At a time when almost everyone is working remotely, passwords are now more vulnerable than ever. In the comfort of their homes, many users may not feel like they need to be as strict with their credentials, because at home there is a level of informality and comfort.

Yet businesses need to be aware that during this time, the risk of breach is actually higher. It only takes one unsecured device and a user with a lazy approach to password management to compromise an entire community. In a volatile market, this could mean game over for many businesses that can’t afford to reclaim their data.

This calls for a zero-trust model of protection, because it is difficult to trust users to comply with protecting themselves. We understand the importance of following the path of least resistance, and no matter how often people are reminded to use complex passwords, it’s natural to fall into bad habits. This is why we use self-service password reset to deliver a more secure, automated, and positive experience.

How does poor password security affect MSPs?

MSPs are in a unique position, having access to credentials for hundreds, and potentially thousands, of customer systems—which makes them a very attractive target for the hacker community. All MSPs know that effective password management is a complex and time-consuming task, but also understand how crucial it is for reducing risk.

We are increasingly seeing MSPs being targeted by cyber-criminals in order to gain access to the data they hold, and while we would like to think that password breaches require a specialist skill, weak passwords make it all too easy for threat actors—and make MSPs vulnerable.

So, humans can’t be trusted. Is the answer to automate more?

We’re constantly looking for new, innovative tools and applications to further automate processes, increase efficiency, and improve the end-user experience. We are now a team of more than 75 people, and with a strong focus on innovation and automation, we’re always looking for new and exciting technology which can show improved operational efficiency while delivering value to our clients.

Using a password tool that provides automation and security for our clients removes the risk of human error and provides protection on both ends. At a time when we’re all working from home, we can’t trust that people won’t let their guard down—adding automation into the mix is essential.
