Posted by Justin Cohen
Hackers have compiled a database of over 2.2 billion records of our login credentials (i.e., usernames/email addresses and passwords) by cobbling together records taken from dozens of data breaches. And they are sharing these stolen credentials through various websites. Out of curiosity, I used the Hasso-Plattner Institut’s online tool to see whether my personal and work email addresses were included in the leaked databases. Guess what? They both were. I then used the “have i been pwned?” password search tool to see if one of my old passwords was exposed. Unsurprisingly, it was. If you have employees who have created online accounts with Facebook, Marriott, eBay, LinkedIn, Yahoo!, Orbitz, Quora, Reddit, or any number of other websites or systems, it’s likely that your employees’ credentials have also been exposed.
The problem we have today is that many people use the same or similar credentials (e.g., email address and password) for their personal online accounts as they do to log in to their company's enterprise systems. While your company's systems may not have been breached, it is likely that at least some of your employees' credentials have been. So even if your organization has complex password requirements, and requires users to change those complex passwords often, those requirements don't prevent hackers from finding users' credentials in breaches of other sites, or from using those passwords (and small variations of them, since many users only change a digit or a suffix between sites) to guess the password for a user's enterprise account. A complexity policy also does nothing to stop an attacker from simply trying a leaked password against your login page; that is what multi-factor authentication and login rate limiting are for.
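Here is how a breach check like the "have i been pwned?" password search can be done without sending the password, or even its full hash, to anyone: only the first five hex characters of the SHA-1 hash leave the machine, and the comparison against the returned suffixes happens locally. This is an added example written for this post, not code from the original article or from the service itself. The breach corpus and the "range server" below are constructed stand-ins for the real Pwned Passwords data, and the endpoint URL in live_range_server is an assumption about that API that this post does not verify.

```python
import hashlib
from typing import Callable, Dict

# Constructed breach corpus standing in for the Pwned Passwords data set:
# password -> number of breaches it appeared in. Invented for this example.
CONSTRUCTED_BREACHED: Dict[str, int] = {
    "password123": 123_456,
    "Summer2019!": 2_500,
    "Winter2018": 900,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords data set is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str):
    """k-anonymity split: only the 5-character prefix is ever sent;
    the remaining 35 characters stay on the client."""
    return digest[:5], digest[5:]


def constructed_range_server(prefix: str) -> str:
    """Offline stand-in for the range endpoint. Mirrors its response shape:
    one 'SUFFIX:COUNT' line per corpus hash that shares the prefix, nothing
    else. The server only ever learns which prefix was asked about."""
    lines = []
    for pw, count in CONSTRUCTED_BREACHED.items():
        p, s = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def live_range_server(prefix: str) -> str:
    """Network fetcher. ASSUMPTION: the real endpoint is
    https://api.pwnedpasswords.com/range/<prefix>. Not called by default."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-reuse-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = constructed_range_server) -> int:
    """Return how many breaches the password appeared in (0 if none).
    The full hash is never sent; suffixes are matched locally."""
    prefix, suffix = split_hash(sha1_hex(password))
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password123", "Summer2019!", "correct horse battery staple"):
        print(f"{pw!r}: seen in {breach_count(pw)} breach(es)")
```

To run it against the real service, pass `fetch_range=live_range_server`; the offline default is what makes the example self-contained. Note that the check tells you whether a password is known to be breached, not whether it is being reused, which is the separate problem a password manager addresses.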
To address this problem, Google has released a Chrome browser extension, Password Checkup, that warns you when the username and password you sign in with are known to have been exposed in a breach. That only helps for logins typed into Chrome, though, so for many organizations it will not be enough on its own to address the risk of exposed credentials.
It may be time to start encouraging employees to use a password management tool, like Keeper, LastPass, or 1Password. These tools store credentials for various websites, apps, and portals so users don't have to memorize each one (or, as some unfortunately do, keep them in documents or spreadsheets). The user creates one strong master passphrase, from which the tool derives the key that encrypts the vault of stored credentials. That master passphrase becomes the one secret protecting everything else, so it must itself be unique and never reused from another site, and the vault account should be protected with a second factor where the tool offers one. These tools can also test password strength and give you a score on your overall password security. For example, LastPass will give you a lower score if you are using the same or similar password across multiple websites.
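To make concrete both the "slight variations" point above and the reuse scoring a password manager reports, here is an added example, written for this post and not LastPass's or any other vendor's algorithm, that flags passwords in a vault that are identical to, or near-variants of, each other. The vault contents are constructed for the example; the normalization rules (case, leet substitutions, trailing digits and symbols) and the scoring weights are illustrative assumptions.

```python
import re
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed vault contents for the example (site -> password); not real data.
CONSTRUCTED_VAULT: Dict[str, str] = {
    "corp-sso": "Summer2019!",
    "facebook": "summer2018",
    "linkedin": "Summer2019!",
    "bank": "c0rrect-h0rse-battery",
}

# Illustrative assumption: common letter-for-symbol substitutions users make
# to satisfy complexity rules while keeping the same base word.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def canonical(password: str) -> str:
    """Reduce a password to the base word the user is really reusing:
    lower-case it, drop the leading/trailing digits and symbols that usually
    carry the per-site or per-quarter tweak, then undo leet substitutions."""
    s = password.lower()
    s = re.sub(r"[^a-z]+$", "", s)
    s = re.sub(r"^[^a-z]+", "", s)
    return s.translate(_LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def are_variants(a: str, b: str, max_dist: int = 2) -> bool:
    """True if the two passwords differ only by case, leet, an affix of
    digits/symbols, or at most max_dist edits of the base word."""
    if a == b:
        return True
    ca, cb = canonical(a), canonical(b)
    if ca and cb:
        return edit_distance(ca, cb) <= max_dist
    # All-digit or all-symbol passwords have no base word; compare raw.
    return edit_distance(a.lower(), b.lower()) <= max_dist


def reuse_report(vault: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Pairs of sites sharing a password, tagged 'identical' or 'variant'."""
    findings = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(vault.items(), 2):
        if pw_a == pw_b:
            findings.append((site_a, site_b, "identical"))
        elif are_variants(pw_a, pw_b):
            findings.append((site_a, site_b, "variant"))
    return findings


def reuse_score(vault: Dict[str, str]) -> int:
    """Illustrative 0-100 score: identical reuse costs more than a variant.
    The weights are assumptions for this example, not any vendor's formula."""
    penalty = sum(25 if kind == "identical" else 10
                  for _, _, kind in reuse_report(vault))
    return max(0, 100 - penalty)


if __name__ == "__main__":
    for site_a, site_b, kind in reuse_report(CONSTRUCTED_VAULT):
        print(f"{site_a:10} {site_b:10} {kind}")
    print("reuse score:", reuse_score(CONSTRUCTED_VAULT))
```

The point of the canonical step is that "Summer2019!" and "summer2018" are the same password to an attacker who has one of them; a check that only looks for exact matches would miss it, and so would a complexity policy that is happy with the new suffix.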
For those of us who have used and re-used the same or similar passwords across dozens of websites for years, it may be time to let the password manager both generate new, distinct, complex passwords and store all of those credentials. Many of these tools also allow users to share credentials, which is useful for employees who need shared access to a third-party website for work: the credential is shared inside the tool rather than over email or on a note, and when one user changes the password the updated password is pushed automatically to everyone it was shared with. Some also offer "emergency access" to a user's vault, which may help avoid business interruption if an employee becomes ill or leaves the company without handing over the credentials to work-related websites.
Encouraging your employees to use distinct, complex passwords for each personal website, enterprise system, and work-related website can significantly reduce the risk to your organization posed by these exposed passwords. A password management tool can help your organization promote that type of behavior. And if none of those reasons is particularly persuasive, perhaps you may want to read about what happened when the only person with the password to a company’s Bitcoin wallet worth over $190 million died.