Introduction
Passwords are the keys to our digital kingdom. They protect our online resources, internal network services, and cloud accounts.
Essentially they are one of the most critical security barriers for protecting our whole business and personal digital lives. Even a single compromised password could lead to a data breach that might lead to a malware infection, ransomware, or data theft.
According to estimates, even a single data breach could cost a company hundreds of thousands, millions, or even hundreds of millions of dollars and potentially bankrupt it.
In order to protect a business’s best interests, it’s important to ensure that accounts are protected with cybersecurity best practices to keep the hackers out.
Password Security In a Perfect World
In an ideal world, we would never have to share our account passwords with anyone. In fact, public key authentication allows users to prove their identity without a password ever being sent.
Other technology solutions such as biometric fingerprint or facial recognition can also provide secure authentication.
In fact, many experts envision a future where passwords are gone altogether.
But the current reality is much different.
Research actually found that almost 70% of employees share passwords often!
In our interconnected business world, we are under pressure to innovate and to increase our competitive edge with new services and products, and these business motivations force us to rely on each other.
We rely on external third-party partners and service providers to quickly apply their specialized skills to support our business needs.
We need experts who can quickly fix a website configuration error, give our site a modern new look, develop new features, help restore our systems from backup, or even remove malware from a compromised site.
In these cases, we are often required to give a third party access to our digital assets and accounts.
And many systems do not support advanced access control, such as creating and configuring additional accounts for a short-term collaboration. So we end up in dangerous territory: password sharing!
Let’s take a closer look at this unsafe practice and learn some cybersecurity principles and best practices that can help us collaborate more securely along the way!
Hopefully, these security facts and tips can help you to grow your business more responsibly and securely while also still growing your competitive edge without taking too much risk.
First, we will look at some common password-sharing mistakes and then deep dive into some best practices for our own protection.
Password Sharing Mistakes We All Make
Everyone makes mistakes, but some password mistakes can lead to serious consequences, like a compromised account or a cyber attack.
Here are some common password mistakes to avoid:
Reusing passwords
Using the same password for multiple accounts increases the risk of a security breach. If one account is compromised, all of your accounts are at risk because the attacker now knows the one password that unlocks all of them.
One of the first things an attacker is likely to do with stolen credentials, such as a username and password, is to try them against other online accounts.
Never reuse your password between accounts!
Using weak passwords
Weak passwords, such as “password123” or “qwertyqwerty”, are easily cracked by attackers using common password wordlists and dictionary attacks.
Use strong, unique passwords for each of your accounts and enable MFA on accounts that have access to sensitive information or processes such as online bank accounts.
Writing down passwords
Writing down passwords can be a security risk. Even if you don’t leave them in an easily accessible place, someone may gain access to them if you lose your wallet or backpack, and if someone notices that you keep your passwords written down, they could try to steal the note.
Using public Wi-Fi
Connecting to public Wi-Fi networks can put your passwords at risk. These networks are often unsecured and can be easily compromised by attackers, and because DNS queries are sent unencrypted by default, anyone on the same network can see which websites you are visiting.
If you absolutely must connect to a public wireless network, such as a hotel network, it’s highly recommended to use a VPN to add an extra layer of encryption for your data and prevent potential snoops from seeing which websites you are visiting.
Not using multi-factor authentication (MFA)
MFA adds an extra layer of security to your accounts by requiring a password and an additional form of authentication, such as a fingerprint or a one-time code sent to you via SMS.
MFA is absolutely fundamental security because passwords can be stolen in so many ways, but with MFA turned on, a stolen password alone won’t be useful to the attacker.
By avoiding these common password mistakes, you’ll be able to keep your accounts secure and protect yourself from potential cyber-attacks. Remember, a strong password is your first line of defense against cyber threats, and it is the foundation for the best practices we build on below.
Password Sharing Best Practices
Password sharing is necessary in some cases and common practice in many organizations. However, it can also be a security risk if not done properly.
In order to improve your organization’s cybersecurity and reduce the risk of a successful cyber attack against your company, you should develop a good knowledge of the potential risks so that password sharing does not become a serious headache.
Here are some best practices for sharing passwords in a secure manner.
Use a password manager
Using a password manager can help ensure that passwords are stored securely and can be easily shared among team members without the need to write them down or send them via email.
Also, instead of trying to remember countless unique passwords, a password manager securely stores all of your passwords for you and provides them when you need them, conveniently to copy and paste where you need them.
Password managers also allow you to make your passwords long and random enough that brute-forcing them is infeasible. Make sure you pick the right password manager for your needs. For example, pick the best Huawei password manager if you own Huawei devices.
Any way you look at it, password managers are one of your best weapons in the war against account takeover!
Use the principle of least privilege when configuring shared accounts
The “Principle of Least Privilege” (POLP) is a fundamental cybersecurity concept and best practice.
Here’s how it works: Instead of giving everyone access to everything, you only give access to what they actually need to complete their task.
The POLP effectively limits what an attacker can do with a stolen password or account access and has a big impact on security.
Here are some examples of how you can use POLP:
- If you are sharing access to your WordPress website for a new person to contribute content to your site, you should not provide an administrator account because it allows the user to make fundamental security changes to the site. Instead, you can create an author account for them, which only gives them permission to create new posts on your blog, not to install new plugins, create new users, or access the database.
- If you are sharing FTP or other file-sharing access, you can limit what folders you are giving the user access to. You should only give access to the files and folders that the user needs for their job. You can also specify other access control rules such as only giving read permissions when the user does not need to create or edit files.
Use multi-factor authentication (MFA)
Multi-factor authentication adds an extra layer of security by requiring users to provide additional forms of verification, such as a one-time passcode (OTP) from an authenticator app on their mobile device, an SMS-delivered code, or a fingerprint scan, in addition to their password.
But how does MFA protect you when sharing passwords?
This security precaution can ensure that an account is safe, even if the person you have shared the password with does not secure it properly.
For example, they may have a keylogger on their computer that captures the password as they type it, or perhaps they might insecurely write it down and have it stolen. MFA ensures that even if the password is compromised, the attacker is still locked out of the account.
Monitor access to the shared account
Monitoring account activity is a smart way to keep your local and cloud systems safe when collaborating on a project with others. Monitoring can give you an early clue that a service is being abused or being used for malicious activity. Also, when sharing an account between multiple people, it can be much more difficult to determine who has made changes to settings or performed certain actions in the account. The ability to tie an action to a specific person is known as “non-repudiation”.
Non-repudiation means that someone cannot deny doing something. However, when multiple people use the same account, non-repudiation is very difficult to establish. So, it’s highly recommended to create a new account for each person instead whenever possible.
Examples of accounts that can be monitored include:
- WordPress CMS accounts: WordPress can be configured to notify administrators each time a user logs in. This gives you the ability to compare the login records to each individual person’s expected working hours and potentially identify when an account is being abused by a hacker.
- Google Cloud accounts: Google Cloud also gives you an incredible amount of monitoring and alerting ability as a cloud service administrator. It allows admins to monitor account activity such as login and access times, as well as set up automatic alerts and billing limits.
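As an added example (not from the original article), the working-hours comparison described above can be automated: this Python script parses constructed sample login records, flags logins outside each account’s expected window, and lists source IPs that only ever appear off-hours, which is a stronger signal that a shared account is being used by someone it was not shared with. The log line format and the EXPECTED_HOURS table are assumptions; adapt the parser to whatever your CMS or cloud audit log actually emits.

```python
"""Flag shared-account logins outside each person's expected working hours."""
from collections import defaultdict
from datetime import datetime

# Constructed sample login records: "<ISO timestamp> <account> <source IP>".
# The format is an assumption for this example, not a real product's log format.
SAMPLE_LOG = """\
2024-03-04T09:12:00 editor 203.0.113.10
2024-03-04T14:47:00 editor 203.0.113.10
2024-03-05T02:31:00 editor 198.51.100.77
2024-03-05T10:05:00 editor 203.0.113.10
2024-03-05T23:58:00 editor 198.51.100.77
"""

# Expected working window per shared account, local hours [start, end).
# Assumed values for the example; accounts not listed are allowed all day.
EXPECTED_HOURS = {"editor": (8, 18)}


def parse_log(text):
    """Parse one login per line into (datetime, account, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, ip))
    return events


def _in_window(ts, user, expected_hours):
    start, end = expected_hours.get(user, (0, 24))
    return start <= ts.hour < end


def find_off_hours_logins(events, expected_hours):
    """Return (timestamp, account, ip) for every login outside the account's window."""
    return [(ts.isoformat(), user, ip) for ts, user, ip in events
            if not _in_window(ts, user, expected_hours)]


def off_hours_only_ips(events, expected_hours):
    """Per account, source IPs seen off-hours that never appeared during working hours."""
    in_hours, off_hours = defaultdict(set), defaultdict(set)
    for ts, user, ip in events:
        bucket = in_hours if _in_window(ts, user, expected_hours) else off_hours
        bucket[user].add(ip)
    return {user: sorted(ips - in_hours[user]) for user, ips in off_hours.items()}
```

In the sample data the 203.0.113.10 logins fall within the window, while 198.51.100.77 appears only at 02:31 and 23:58, so it is reported both as off-hours activity and as an IP never seen during working hours.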
Use secure communication methods
There are some reasons you may decide not to use a password manager to share passwords with other people. Maybe the person you are collaborating with does not have access to the same password manager. In these cases, it may be easier to share the credentials directly.
Some messaging apps provide end-to-end encryption, which gives fairly strong protection against anyone other than the sender and recipient reading the message.
However, if the attacker has access to your business partner’s device, the password may still be stolen. In these cases, MFA provides additional protection.
Another way to secure information is to encrypt the file before you send it. ZIP files can be easily password-protected using many free tools and trustworthy commercial applications. When you do this, choose AES-256 encryption rather than the legacy ZipCrypto scheme, which is weak, and send the archive password through a different channel than the archive itself.
So if you are transferring account credentials or other sensitive information via email or USB key, an encrypted ZIP can provide an extra layer of security. That way, if the recipient’s email account is accessed remotely by a cyber attacker, or the USB key is stolen, the sensitive information such as passwords is still safe.
Provide user awareness training
It is important to make sure that everyone in your organization understands the importance of password security and knows the correct procedures for transferring sensitive information such as passwords.
User awareness training helps to educate staff about IT security best practices and company policies. It provides a clear explanation of why we need to create and use strong, unique passwords and share them using secure methods.
It also can help to establish standard procedures so that employees know the approved method. Overall, having a more educated staff that is able to follow reliable security processes is a good way to protect your business operations.
Keep regular backups of things you share access to
What’s the worst thing that could happen, right?
Well, one of the worst things that could happen is that all your information is deleted or made unavailable by ransomware. Do you want to pay a million-dollar bill to get your files back? I didn’t think so. But how could this happen with a shared password?
What if the person you have shared the password with has a compromised device with malware on it? Well, for starters, the account you just shared could be taken over by an attacker.
If that attacker gains access they may be able to encrypt all your files and leave you a nice little note demanding you send a whole lot of Bitcoins to get them back. In a situation like that, your one savior could be a complete and reliable backup. Also, if your website source code were infected with malware you could restore a good version from your backups.
Reset shared passwords and delete temporary accounts after the project is completed
A recent report showed that 25% of employees say they can still access accounts from their previous jobs. Known as “system sprawl”, “account sprawl”, or just “sprawl”, this is a well-known and documented vulnerability in IT security that has been proven to lead to cyber-attacks and compromise.
Once a project has been completed, it is critically important to reset shared passwords and clean up any shared or temporary accounts that were used during the collaboration.
This effectively prevents the accounts from being accessed at a later time by a malicious business partner or service provider, or if the passwords are stolen later.
Even if an attacker doesn’t know the password for the unused account, it is still another attack surface they can try to brute-force. Even when an account does not provide administrative access, it may still have personal information stored within it, and leaving this information accessible can be a violation of privacy.
Conclusion
So there you have it. We just covered a fairly comprehensive perspective about sharing passwords, the most common mistakes made when sharing access to online accounts, and some best practices for making the process more secure.
Hopefully, by following these best practices you can ensure that your cybersecurity is strong and avoid the potentially disastrous impact of a cyber-breach. It’s also a good idea to remember that cybersecurity hygiene is an ongoing process.
So, it’s good to regularly review your company and personal processes and update your security protocols as the digital world changes.