In today's digitalised operations, businesses depend heavily on a range of online services, and most, if not all, of them are password-protected. While passwords are crucial for securing digital assets, the sheer number of passwords an individual or a business must manage can be overwhelming. Managing these login credentials effectively is vital for both security and operational efficiency. To streamline the management of account passwords, a password manager is recommended, an approach consistent with the advice in the Australian Cyber Security Centre's Information Security Manual (ACSC ISM).
The Importance of Using Unique Passwords
Most businesses secure crucial assets such as bank accounts, administration portals, and communication tools with passwords. Using a unique password for each account is essential from a cybersecurity standpoint, especially for small businesses. This practice, known as password diversification, is a fundamental element of online security. If you use the same password across multiple accounts and one of them is compromised, the attacker can potentially gain access to every account that shares it. This scenario can trigger a domino effect, jeopardising your entire online presence and, consequently, your whole business.
According to LastPass's 2021 report, over 80% of account breaches were related to stolen, weak, or reused passwords. For small businesses, the repercussions can be severe, including the loss of sensitive business data, financial information, or customer details. Such breaches can damage the business's reputation and result in significant financial losses. Therefore, adopting a unique password for each account is a simple yet effective step to bolster your business's online security and shield it from potential cyber threats.
Here's a guide to enhancing the adoption and implementation of robust password practices:
- Leverage a unique password generator to create a distinct password for each account. This is an inbuilt feature for most password managers.
- Create passwords that are at least 12 characters long and include a combination of letters, numbers, and special characters.
- Avoid incorporating personally identifiable information in your passwords, such as birthdays or names.
- Steer clear of reusing passwords across accounts. Tools like the LastPass Security Dashboard can assist you with this by alerting you to weak or reused passwords across your accounts.
- Avoid easily recognisable patterns, such as 'abc123', 'qwerty', or 'abcdefg'.
- Share passwords exclusively through your password manager's secure password-sharing features. Avoid sharing them in plain text via email or text messages.
- Change your passwords periodically, ideally every three months.
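The rules above can be checked mechanically against a vault export. The following audit script is an added example, not code from the article or from any password manager; the vault entries, personal details and the 90-day rotation threshold are constructed assumptions that follow the guidance listed above.

```python
from datetime import date
import re

MIN_LENGTH = 12          # article's guidance: at least 12 characters
MAX_AGE_DAYS = 90        # article's guidance: rotate roughly every three months
COMMON_PATTERNS = ("abc123", "qwerty", "abcdefg", "password", "123456")

def check_password(pw, pii, changed, today):
    """Findings for one credential; an empty list means it passes every rule."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append("too short")
    has_all = (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)
               and re.search(r"[^A-Za-z0-9]", pw))   # letters, digits, specials
    if not has_all:
        issues.append("missing character class")
    low = pw.lower()
    if any(item.lower() in low for item in pii):      # birthdays, names, etc.
        issues.append("contains personal info")
    if any(pat in low for pat in COMMON_PATTERNS):
        issues.append("recognisable pattern")
    if (today - changed).days > MAX_AGE_DAYS:
        issues.append("stale")
    return issues

def audit_vault(vault, pii, today):
    """vault: list of (account, password, date_last_changed) -> {account: [issues]}."""
    accounts_by_pw = {}
    for account, pw, _ in vault:
        accounts_by_pw.setdefault(pw, []).append(account)
    report = {}
    for account, pw, changed in vault:
        issues = check_password(pw, pii, changed, today)
        if len(accounts_by_pw[pw]) > 1:      # one secret guards several accounts
            issues.append("reused")
        report[account] = issues
    return report

# Constructed sample vault, personal details and audit date for the demonstration.
SAMPLE_PII = ["Jane", "1984"]
SAMPLE_TODAY = date(2024, 3, 31)
SAMPLE_VAULT = [
    ("bank", "Tr0ub4dor&3x!Pq", date(2024, 3, 1)),
    ("email", "Jane1984qwerty", date(2023, 1, 15)),
    ("crm", "Tr0ub4dor&3x!Pq", date(2024, 2, 20)),
    ("admin portal", "abc123", date(2024, 3, 10)),
]
```

Running audit_vault(SAMPLE_VAULT, SAMPLE_PII, SAMPLE_TODAY) flags the bank and crm entries as reused, the email entry for personal info, a keyboard pattern, a missing character class and age, and the admin portal entry as too short.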
What is a Password Manager?
As the name suggests, a password manager is a digital vault that stores, generates, and manages your passwords. Popular password managers include LastPass, 1Password, NordPass, and Bitwarden. For small businesses, password managers provide a practical solution for maintaining robust security practices. They allow businesses to enforce strong password policies, share credentials securely among team members, and manage who has access to specific accounts. This is particularly beneficial for small businesses that may lack dedicated resources for managing security, as it allows them to adopt sound security practices with minimal effort and cost.
How Does a Password Manager Secure My Data?
A password manager securely stores your passwords in an encrypted, protected 'vault'. This encryption process transforms your data into an unreadable format that can only be decrypted with a specific key, usually derived from your master password. In some cases, biometric authentication methods such as fingerprint or facial recognition may also be used. The versatility of password managers is demonstrated in their various modes of operation. They can be locally installed on individual devices, accessed online via the web, or as a centralised hub for single sign-on functionality. This approach ensures the security of your passwords and enhances the user experience by providing secure and convenient access across different platforms and services.
Locally Installed Password Managers:
These desktop-based or offline options provide a secure way to store and encrypt passwords on a specific device, such as a computer or smartphone. Users authenticate themselves using a master password to access their data. While this method offers a high level of security, it does come with the risk of losing all data if the device is lost or damaged. Therefore, users must consider the trade-off between the convenience of local storage and the potential risks associated with device-related issues.
Web-Based Password Managers:
These managers utilise cloud storage, enabling users to store and sync their passwords across multiple devices via the internet. The data is encrypted on the user's device before being sent to the cloud servers, ensuring a secure transfer. This method improves accessibility, allowing users to seamlessly manage their passwords from different devices. However, users should also consider the security measures of the cloud service provider and potential online storage vulnerabilities, although strong encryption practices by managers do help alleviate these concerns.
Single Sign-On (SSO) Password Managers:
These managers enhance the user experience by allowing access to various web services and applications using a single, secure password. This is especially useful in workplace settings, where SSO eliminates the need for employees to manage and share multiple passwords, simplifying the authentication process. SSO works by passing tokens to the respective sites or applications for authentication, reducing the need for multiple passwords and improving overall security. This method increases efficiency and reduces the risk of password-related security issues within organisations, making it an appealing solution for businesses seeking enhanced security and user convenience.
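The token hand-off described above, as an added example that is not part of the article: an identity provider signs a short-lived token for one application after the user's single login, and the application checks the signature, audience and expiry before accepting it. Real deployments use SAML or OpenID Connect; the HMAC token format and the shared secret here are simplifying assumptions.

```python
import base64, hashlib, hmac, json

IDP_SECRET = b"constructed-shared-secret"   # assumption: key shared by IdP and app

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, audience, now, ttl=300, secret=IDP_SECRET):
    """IdP side: after the user's single login, sign claims for one application."""
    claims = {"sub": user, "aud": audience, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token, expected_audience, now, secret=IDP_SECRET):
    """Application side: return the user name, or None if the token is rejected."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):     # forged or tampered
        return None
    claims = json.loads(_unb64(body))
    if claims.get("aud") != expected_audience:      # issued for a different app
        return None
    if claims.get("exp", 0) <= now:                 # expired
        return None
    return claims["sub"]
```

The application never sees the user's password; it trusts only a token it can verify, which is why a token for one application is useless at another and stops working once it expires.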
Key Features of Password Managers
Password Generation: Password managers are a great tool for implementing password diversification in a business. They alleviate password fatigue and offer features that generate unique, random passwords. This feature is invaluable today, when the average internet user has numerous online accounts, making it nearly impossible to remember a unique password for each one.
Browser Plug-ins: Many password managers have browser plug-ins that pre-fill credentials, easing the process of remembering and typing account details.
Automated Credential Changes and Breach Monitoring: Several password managers offer automatic credential changes and breach monitoring, reducing administrative and security overhead.
Multi-Factor Authentication (MFA): Many password managers support MFA, providing additional security for your accounts.
Secure Password Sharing: Password managers often include the ability to securely share passwords and login information with authorised team members, enhancing collaborative work while maintaining security.
Cross-Platform Compatibility: Password managers are typically compatible with various operating systems, browsers, and devices. This ensures that your login credentials are accessible and synchronised across all platforms.
Audit Trail: Password managers often maintain an audit trail, tracking and logging changes made within the manager. This feature is valuable for monitoring password modifications, user access and security incidents.
Secure Document Storage: Beyond passwords, many managers can securely store sensitive documents and notes, providing a centralised repository for business data.
Compliance and Reporting: Password managers can assist with regulatory compliance by generating reports on password security practices and user activity, simplifying compliance audits for your business.
Password Complexity and Rotation: The managers often include features that automatically generate complex passwords to meet your account requirements. They can also facilitate regular password rotations, reducing the risk of prolonged use of the same credentials.
Time Efficiency: With a password manager, the time spent on password-related tasks is significantly reduced. Automated logins and password changes streamline processes, allowing employees to focus on more productive aspects of their work.
Phishing Protection: Password managers can help mitigate the risk of falling victim to phishing attacks. Auto-filling login credentials only on the legitimate website they were saved for prevents users from inadvertently entering sensitive information on malicious look-alike pages.
Centralised Management: Password managers provide a centralised platform for managing all login credentials. This simplifies administration, ensuring access permissions are efficiently assigned and revoked when needed.
Employee Onboarding and Offboarding: Facilitating the onboarding and offboarding processes becomes more efficient with password managers. Granting new employees access to necessary accounts and revoking access for departing employees is streamlined and secure.
Encrypted Data Storage: Many password manager services take pride in implementing robust encryption techniques, thereby ensuring the protection of your passwords and sensitive data.
Mobile Security: Many password managers offer secure mobile applications, extending the same level of protection to accounts accessed on smartphones and tablets.
While a password manager enhances business and password security, it is essential to acknowledge the inherent risks. Recent incidents like the one described below serve as a reminder that vulnerabilities exist and that no solution is entirely risk-free.
Norton LifeLock (2023): In mid-January 2023, Norton LifeLock sent data breach warnings to over 6,000 of its customers, informing them that their accounts had been compromised. The attackers performed credential stuffing, meaning they attempted to log in to accounts using usernames and passwords they had acquired elsewhere.
While such incidents are concerning, many password managers take immediate steps to rectify the situation and strengthen their security measures. Enabling two-factor authentication and regularly updating your passwords is always recommended for added security.
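Credential stuffing of the kind described in the Norton LifeLock incident leaves a recognisable trace in authentication logs: one source trying many distinct usernames, each once or twice, with mostly failed results. The detector below is an added example written for this article, not Norton's or any vendor's code; the log format, the constructed log lines and the window and count thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")
WINDOW = timedelta(minutes=10)   # thresholds are assumptions; tune per site
MIN_DISTINCT_USERS = 5           # distinct accounts tried from one IP in the window
MAX_TRIES_PER_USER = 2           # stuffing tries each leaked pair once or twice

def parse_line(line):
    """Parse one constructed auth log line; returns None for lines it cannot read."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result

def detect_stuffing(lines):
    """Return {ip: (distinct_users, attempts, successes)} for sources that match."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(e for e in map(parse_line, lines) if e):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):           # sliding window over this IP's events
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            per_user = defaultdict(int)
            for _, user, _ in window:
                per_user[user] += 1
            if (len(per_user) >= MIN_DISTINCT_USERS
                    and max(per_user.values()) <= MAX_TRIES_PER_USER):
                successes = sum(1 for _, _, r in window if r == "OK")
                flagged[ip] = (len(per_user), len(window), successes)
    return flagged

# Constructed sample: one source walks a leaked list (one hit); one user mistypes.
SAMPLE_LOG = """\
2023-01-12T03:14:07Z ip=203.0.113.10 user=alice result=FAIL
2023-01-12T03:14:09Z ip=203.0.113.10 user=bob result=FAIL
2023-01-12T03:14:10Z ip=198.51.100.7 user=alice result=FAIL
2023-01-12T03:14:12Z ip=203.0.113.10 user=carol result=FAIL
2023-01-12T03:14:15Z ip=203.0.113.10 user=dave result=FAIL
2023-01-12T03:14:18Z ip=203.0.113.10 user=erin result=OK
2023-01-12T03:14:21Z ip=203.0.113.10 user=frank result=FAIL
2023-01-12T03:14:30Z ip=198.51.100.7 user=alice result=FAIL
2023-01-12T03:14:55Z ip=198.51.100.7 user=alice result=OK
""".splitlines()
```

The user who fails three times and then succeeds is not flagged because only one account is involved; the source that cycles six accounts and lands one success is, which is the case where a reused password has been exploited.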
In summary, a password manager is valuable for improving business and personal security. As a business owner, it is an easy, affordable, and efficient first step in managing and enhancing your online security.