I meet with city administrators and business owners to learn how they use their computer systems to perform their job functions. Part of this interview process involves running a security pentest to help identify areas of weakness and cyber risk in their operations. One of the most common and dangerous issues, one that comes up nearly 100% of the time, is how passwords are stored and reused.

For example, scans in a hospital environment revealed that 258 accounts all used the SAME password in one situation. Most of these passwords were used by top administrators across different accounts. I've also visited local government offices and found nearly the same problem. The issue is that without a good system in place, we fall back on using similar (if not identical) passwords across all the websites we visit. After all, most people are creatures of habit. The problem with reusing passwords is that if one of your passwords gets compromised or leaked (which can happen through no fault of your own; think of all the breaches that make the news), then every other site you sign into with that same password, or a slight variation of it, is no longer safe. Attackers take a leaked username and password list and simply try it against other services, a technique known as credential stuffing. What's worse is when this same password is used for E-mail, and your E-mail account isn't protected with MFA/2FA (multi-factor authentication). If your E-mail gets compromised, it's easy for a hacker to impersonate you, learn your behavior, identify which sites you use, and reset the passwords on most of your online accounts, because the password-reset links for those accounts all land in that same inbox.

To solve this issue, many people create random passwords and then save them in their web browser, such as Google Chrome. This is better, right? To an extent, yes, since at least the passwords are unique and complex, which reduces one of the risks (password reuse). However, the protection a browser applies to stored passwords is only as strong as the logged-in user's session. On Windows, for example, Chrome encrypts its saved passwords with DPAPI using a key tied to the user's Windows login, and it decrypts them automatically for any program running as that user, so there is no separate master password to crack. When we run our audits in client environments, we can extract these passwords quickly with little effort, breaking encryption in seconds. If a hacker were to gain access to a computer with many passwords saved in the browser, whether through malware or a stolen laptop that is still logged in, it wouldn't take them long to access all of them and start using them against you.

So, how do you solve this problem that plagues nearly every business person I come across (myself included until a few years ago)? Here are the steps we recommend:

  1. Use a third-party, secure, web-based, encrypted password vault protected by MFA. These tools also auto-generate random passwords for you, so you never have to invent (or remember) one. We provide this for our clients, so ask us if you need help with this.
  2. Get all your passwords out of web browsers, Excel files, file-sharing apps, sticky notes, etc., and into the vault.
  3. Review your current passwords and see if they are random and strong (longer than 12 characters or so, using numbers, letters, and special characters; they should be randomly generated wherever possible). Any password that appears on more than one account should be replaced first.
  4. Enable multi-factor authentication on as many sites as you can. This is especially critical with E-mail. If your mail provider doesn't support MFA, you should migrate to a platform that does, IMMEDIATELY. We recommend Microsoft 365 for various reasons, but this is just one of them.
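To make steps 1 and 3 concrete, here is a small Python script that does what a password review actually does: it takes a list of accounts with their password hashes (as you would get from an audit of a directory or application database, where the plaintext is never available), groups the accounts that share an identical hash to surface reuse like the 258-account case above, checks individual passwords against the minimum bar in the checklist, and generates replacement passwords with a cryptographic random source the way a vault does. This is an added example written for this page, not a tool from the author or from any vendor; the account names and hashes are constructed placeholders, and the strength rule is the one stated in step 3, not a published standard.

```python
"""Added example (not part of the original post): a reuse check over an
audited account list, a minimum-strength check, and a generator for the
random replacement passwords a vault would produce.

Assumption: the audit produced (account, password_hash) pairs. The hashes
below are constructed placeholders, not real credential material.
"""
import secrets
import string
from collections import defaultdict

# Constructed sample: five accounts, three of which share one hash,
# which is exactly what "258 accounts used the same password" looks like
# in a hash dump (you cannot see the password, but identical hashes mean
# identical passwords when the system uses no per-user salt).
SAMPLE_ACCOUNTS = [
    ("admin",      "00112233445566778899aabbccddeeff"),
    ("j.smith",    "00112233445566778899aabbccddeeff"),
    ("backup-svc", "00112233445566778899aabbccddeeff"),
    ("m.lee",      "ffeeddccbbaa99887766554433221100"),
    ("cfo",        "0123456789abcdef0123456789abcdef"),
]


def find_reused(accounts):
    """Group account names by identical password hash and return only
    the groups with more than one member, i.e. the reused passwords."""
    by_hash = defaultdict(list)
    for name, pw_hash in accounts:
        by_hash[pw_hash].append(name)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}


def is_strong(password, min_len=12):
    """Minimum bar from step 3: at least `min_len` characters and at
    least one letter, one digit and one special character."""
    return (
        len(password) >= min_len
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def generate_password(length=20):
    """Draw a password with the `secrets` module (a CSPRNG; never use the
    `random` module for credentials) and retry until it passes is_strong,
    so every class of character is guaranteed to be present."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_strong(candidate, min_len=length):
            return candidate


if __name__ == "__main__":
    for pw_hash, names in find_reused(SAMPLE_ACCOUNTS).items():
        print(f"{len(names)} accounts share hash {pw_hash[:8]}...: {', '.join(names)}")
    for pw in ("Summer2023!", "Password1234", "correct-Horse-42"):
        print(f"{pw!r} meets the minimum bar: {is_strong(pw)}")
    print("vault-style replacement:", generate_password())
```

Run it as-is to see the three-account cluster flagged, the two weak sample passwords rejected (one is too short, the other has no special character), and a fresh 20-character random password printed. In a real audit you would feed `find_reused` the hash column from the directory export and hand every flagged account a password from `generate_password`, stored straight into the vault.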

Don't neglect this time-consuming but essential step in protecting your digital profiles and assets. I know this is a pain to implement, especially to do it properly, but consider the alternative – you are leaving your car door unlocked, windows down, keys in the ignition, with your wallet on the dashboard. Don't do it. At least make the criminals work for it. Please reach out if you would like me to review how this is handled in your organization and to help you solve this critical issue.   

You can learn more at www.cwitsupport.com.