Password Management Tips
In light of recent high-profile security breaches, here are some helpful tips and advice on how to best utilize password managers and SSO systems.
Recent breaches at LastPass have brought the use of a password manager into question. Is it still a safe, secure way to manage your accounts? Is a Single Sign-On (SSO) system more effective?
The number of web-based systems and applications we rely on keeps growing rapidly in today's technology-driven environment. On an average day, each of us logs in to anywhere from 8-15 systems or applications.
The safest and most secure method of accessing these programs is by utilizing different login credentials for each system. This practice limits the likelihood a hacker could steal a single credential combination and manage to break into every single application you use.
So what are the potential pitfalls to be aware of for both password managers and SSO systems?
Many organizations use SSO to minimize the number of logins a user must remember. If your organization uses SSO, but you still use a system with an individual username/password, you should contact IT and see if the application is able to migrate to the SSO platform in use.
The potential downside? Even with SSO, a hacker who obtains your master credential combination can trigger a multi-factor authentication push prompt on your phone to get the fraudulent session approved. An unsuspecting user may approve it out of habit, or through general lack of attention or awareness during a busy day.
Encrypted password manager vaults, even when exposed, can be difficult to crack. Password managers like LastPass may fall victim to data breaches, but unless the encryption key that protects your credential combinations is discovered, your accounts remain safely locked. You can then change the master password for your manager to once again keep your vault from prying eyes.
Tips to remember to keep your credential combinations as safe as possible:
NOTE: When using this method, do not remove the first or last two characters. To increase difficulty, remove a set number of characters from the interior of the password string or phrase.
As always, if you believe one of your passwords has been compromised, notify your IT department and change login credentials accordingly.
Running simulated phishing tests shows how susceptible your employees are to social engineering and phishing scams. Train your employees and help them recognize spear phishing and ransomware attacks.