Password Protections

Christopher Eaton | June 13th, 2023

The most foundational aspect of protecting yourself and your business from the devastating impact of a data breach is maintaining best practices regarding account password hygiene and layered password protection. This remains true even if the password manager you use is impacted by a security incident.

Importance of Layered Password Protection

Rightfully, there is a lot of concern about the efficacy of password vault and manager services given the recent LastPass network breaches. In August 2022, the company published a notice that some of the company’s technical information and source code were taken by threat actors. At the time, no customer data was found to be accessed; it was a ‘point-in-time’ incident.

Then in November, the company once again confirmed a breach, only this time credentials stolen in the August incident were used to move laterally throughout the system and access customer information, including encrypted password vaults and personal identifiable information (PII). Just last week, another revelation emerged: a company developer had their own corporate vault breached from which a threat actor obtained decryption keys.

A company many depend on to enhance their operational security, unfortunately, let them down.

Following multiple breaches in a few months, it is understandable why users would be uncomfortable continuing with this specific service and perhaps any password vault; however, by layering other best password protection practices on top of a password vault and manager you need not sacrifice security.

Nonetheless, it is still wise to update your password and reinstate a cadence of credential change, regardless of whether the company suggested such action, as it is best practice for password protection.

To encourage peace of mind, the master password still hides behind encryption in what is known as a ‘zero-knowledge’ system, and if all passwords are updated regularly, there is no major cause for concern. The ability to use randomly generated, strong passwords unique to each account are additional mitigation measure for password protection in the event of a breach.

Password managers are designed to centralize all login and password credentials across every account, whether personal or work-related. The average worker utilizes around 100 passwords, according to NordPass (one of many quality tools), for social media to HR accounts; without a management system, they are nearly impossible to keep organized. All details are stored within an encrypted vault, requiring a single primary password that is not typically stored anywhere but in the user’s brain. Needing to remember only one “master” password should reduce concerns of identity theft or data breach, which are extremely rare when using these password protection tools.

For businesses, a password manager should be considered an essential purchase for password protection. There are two system types: cloud-based and locally managed. The difference between the two is in where your information is stored. A local manager maintains the database on your specific device, while a cloud-based solution maintains no copy on your device. If you prefer full management, local storage is best, though if your system access is lost, so are your credentials. Cloud storage can be used across all your devices, but without internet access, you will be out of luck. Ultimately, the best choice comes down to personal preference, with each having its own advantages and disadvantages. Ensure you have access to the most needed features at a price you can afford.

The primary reason either password protection solution can work is that they both contribute one important layer of proper account hygiene. I recommend a password vault as company policy and then applying some key features: utilize the random password creation setting with every account; create passwords with a minimum of 12 characters, mixing numbers, letters, and symbols; and set reminders to update stored passwords every three months at a minimum. The longer a password is used, the greater the likelihood of it being involved in a breach and, therefore, in the hands of a threat actor seeking to enhance damage against your business.

Furthermore, account best practices include enforcing multi-factor authentication (MFA) enterprise-wide for all systems and applications that support its implementation: this is becoming a nearly universal compliance requirement anyway. The one solution is itself layered, requiring something you know (i.e., password, PIN), something you have (i.e., smartphone, laptop), and something you are (i.e., fingerprint, facial recognition).

The final best password protection practice to employ regarding your business accounts is regular threat intelligence assessments or audits regarding critical systems usage, like a password vault, to ensure standards of security and remediate any potential vulnerabilities.

If the implementation of a password manager—any security tool or system, for that matter—requires more technical knowledge, you can always reach out to a cybersecurity provider adept with such technology to set up a training session.

The fact of the matter is no single toolset is a panacea, including password managers and vaults. Fortunately, by layering best usage practices, you and your business can drastically enhance your cybersecurity posture


Connect With Us

Featured Articles

DNS Tunneling
DNS Tunneling: New Tactic To Scan Networks and Track Victims
10 June 2024
Mastermind Behind LockBit Ransomware
Mastermind Behind LockBit Ransomware Unveiled and Charged
07 June 2024
Unchecked User Privileges
Unchecked User Privileges: How to Counter
03 June 2024
Cloud Migration
Cloud Migration Impact on Network Security
28 May 2024

See ShadowSpear in Action

Identify, neutralize, and counter cyberattacks - provide confidence in your security posture

Stay Connected With SpearTip

Inside the SOC Newsletter

View our articles that cover trending topics in cybersecurity with insights from our 24/7/365 Security Operations Center.

ShadowSpear Platform

Cybersecurity actors are working around the clock, shouldn’t your security team be too? Technology solutions and security controls fail for a number of reasons, poor deployment, improper implementation, or just no one monitoring the alerts.

ShadowSpear Demo

Experience ShadowSpear for yourself. Our lightweight, integrated solution will help you sleep easier at night and provide immediate confidence in your security posture.