Passwords are dead!...or are they? And if they’re still around, what's the best way to manage them across an organization to ensure employees and customers are creating strong passwords to secure sensitive business information properly?
The latest Wizer Back to Basics webinar partnership with SideChannel led by Brian Haugli covered these issues and more around best practices for managing passwords for small business and enterprises alike.
You can watch the entire 1-hour webinar above or read the short write-up below if you don’t have time to watch the whole recording.
Getting beyond the password and username
If we’re talking about basics, then it’s become standard acceptance that a simple username and password isn’t enough these days. There are too many issues that leave these vulnerable, much of it due to simple human behavior plus the fact we simply don’t have the capacity to memorize the quantity of passwords used in a given day that have the complexity required to stay secure.
“So the first thing that I wanted to highlight is when we're talking about all of these solutions, there's not a one size fits all solution for MFA, single sign on (SSO) identity access management, password managers. Every organization's a little bit different and figuring out the right balance is important.
When I go into organizations, I would say at least 75% of the time, it's really eye opening to see that there are common trends. People throughout the organization from executive leadership down to IT, [there are] admins that are still using those same one, two, three passwords across all of their logins.
“I've seen people with their passwords written on their computer screen and the post-it notes under the keyboard.” - Joe Klein
As such, Joe recommends the use of multi-factor authentication, or MFA, as one of the very first basics that organizations need to strengthen the attack surface. As Brian Haugli states “There're lots of ways to implement MFA. It’s like table steaks now - it’s not ‘should you’ adopt this, you need to adopt this. Regulations are calling for it. Your customers are asking about it.”
However, implementing MFA or other types of controls must be done in a way that is as frictionless as possible for the users while adding additional layers of friction for the threat actors. If there’s too much friction for the users then they’ll just find a way around it or just revolt altogether.
But people are human and the trends today with the sticky notes on the monitor is decades old which has led to the emergence of password managers, but is it enough to remove the friction to the user while raising the bar for attackers?
MFA Pros and Cons
Before considering which MFA is the best solution for your organization, step back and what platforms you’re already using what is supported in regards to MFA. From least effective to most, MFA options include:
- Secret keys - basically a second password that is usually akin to mother’s maiden name or where’d you graduate high school. Answers to these are typically easily obtainable through OSINT or social engineering.
- SMS - while commonly used as everyone has a mobile, SIM swapping is a persistent threat and NIST no longer recommends SMS as a second authentication
- Authenticator Apps - Most cost effective and utilizes a mobile which, again, everyone has, however, there is a learning curve to get users to adopt it
- Hardware keys - most secure and becoming more affordable but can still add up for large enterprises
In general, authenticator apps are a good minimum standard and after evaluating what your risk tolerance is, then you can go to stronger methods from there.
Tip for cryptocurrency from Christophe! “Particularly in the crypto space, it is recommended for users to utilize a hardware token or a hardware wallet to keep your keys due to the size and quantity that some people keep in cryptocurrency. SIM swapping has been a huge target for threat actors taking over someone's account. If you're using an SMS as the way to have secondary authentication to those crypto accounts…the minimum would be via an authenticator app.”
Managing access via password managers
Access management can begin with passwords even for the most shoe-string budget and many password managers are suitable for a variety of business needs, however, custom applications can also be created for those with legacy tools.
There are two main types of password managers: third party and browser based.
While they have improved on security, browser password managers are known to be wanting in terms of security overall and their use is restricted to a particular browser. Third party solutions, however, are “laser-focused on building out a secure password enclave” and typically are available across devices and irrespective of browser preferences.
For many businesses password managers are being deployed just for the senior executive teams while for others it’s enabled across whole organizations.
Do password managers reduce friction for users?
According to Joe Klein “It depends. In order to really embrace a password manager, you have to understand how it works and you have to spend some time, like for any good technology, educating your user base on it.”
Joe also noted it’s important when implementing a password manager to ensure users are not just utilizing the manager to store their same, non-secure and re-used passwords just so they can autofill them on websites.
It’s important that when educating users you help them truly understand how the technology works so that they embrace the tech and commit to using it properly.
Chris noted in addition to the above, another advantage to third party password managers is that some offer both work and family plans encouraging users to maintain the habit in their personal lives as well. “If they get used to using this in their personal life, then they can bring those habits to home. So promoting awareness of it in their personal life will help gain traction at work,” he commented.
Advantages to third-party password managers:
- Focused attention on security
- More upfront about vulnerabilities and addressing them
- Checked by pentesters to secure holes
- Family plans in addition to organizational plans to encourage more consistent usage
- More widely available across devices and browsers
- Alerts when emails have been compromised
- Some Corporate plans allow for setting minimum policy requirements
- Some third party vendors provide corporate private vaults that separates from personal use
Tips for evaluating a password manager vendor:
- Does it give admin visibility into the maturity of the users?
- Can the admin see how many passwords a user has?
- Does it indicate weak passwords, reused passwords, etc?
- How does the company work with Security Researchers?
- What type of encryption is the vendor using?
- Does the vendor hold the main key to the password vault or does the company Admin?
- Does the vendor have SOC2 and ISO 27001 certifications?
- Is a corporate private vault a feature your company needs?
It’s important to help users overcome resistance to utilize password managers as part of regular business operations. Connecting users to personal applications for security helps build bridges as illustrated by Brian, “You're probably, you're definitely doing this for your bank. Why would you treat the security of your own company? The one that you and your brand are associated with that produces your livelihood. Why would you treat this any less? And that kind of thinking gets people to go, oh, I am doing. In my personal life already, it really isn't that difficult.”
Single Sign On in an Organization
Single sign on is an easy way to remove friction and when combined with an additional layer such as a hardware token it provides stronger security in the corporate environment.
Typically, SSO alone can be a good form of authentication in itself for the regular instances. When access is needed for a critical system, then coupling the SSO with a reauth using a hardware token is a good approach for providing a frictionless experience while segmenting critical and non-critical environments.
SSO Pros and Cons
- Pro - Reduces friction for users
- Con - Takes effort to set up and maintain
- Pro - Becoming more commonly used in businesses with 300+ employees
- Pro - Reduces need for a password manager
- Pro - Easier to lock down a user in one central system
- Pro - More cloud providers are adding SSO as an option
“It's very, very rare that you find a security technology that not only strengthens an organization security posture, but also makes it easier for companies to use. Single sign-on and identity access management is certainly one of those I love to talk about.” - Joe Klein
Tip from Joe! “Before you start integrating SSO technologies, think about all of your requirements. What are the systems that you want to connect? What are the other capabilities that you want within your identity access management and single sign on solution? Some vendors do a better job than others in integrating various systems and provisioning users, provisioning accounts as well.”
Tip for Startups from Brian! Adopt single sign-on now because it's going to allow you to scale better. And, and you're going to be training your customer and your employees from a very early day that this is the way it is.
Additionally, you now know the types of solutions that you can use with the ones that integrate with this. So that works great for startups.”
Identity Access Management
As understood from the idea of logging into an identity provider securely with a user ID with some type of second factor, implementing identity access management first begins with understanding your requirements upfront.
- Are you connecting just to cloud resources?
- Are you connecting to internal resources?
- What's your user population?
- Is it the internal organization or is it also your customers?
- What are your service accounts?
- How do you plan to roll it out - all at once or gradually?
- Do you have executive support as it will create an organizational cultural change?
It’s also valuable to:
- Include the helpdesk in the rollout
- Educate the administrators in how to support the tool
- Educating your user population utilizing a communication campaign with awareness material of what's coming, why it's needed and why it's a good thing for the organization and the user
Resources from our panelists
Brian Haugli - Host, Managing Partner at Side Channel and Founder of RealCISO.io, Host of #CISOlife;