Passwords have been the last line of defence for digital accounts and applications for some time, but recent password manager breaches indicate that even this long-trusted method of securing accounts is vulnerable.
With user credentials selling at a premium on the dark web, dedicated hackers are scouring systems worldwide to find unpatched and insecure systems that give them access to user names and passwords.
“Even the most complicated passwords, and passwords generated and stored in a ‘vault’ in the cloud, have the potential to be hacked or cracked,” warns Doros Hadjizenonos, regional director for southern Africa at Fortinet. “In short, passwords alone are not enough to protect critical systems and data.”
However, passwords do have a role to play in cyber security, but only as part of a broader, multi-layered and Zero Trust approach to security, he says.
Securing passwords
Passwords generated by users can be hacked within minutes – or even seconds – if they are under eight characters and designed for the user to remember easily. Using Brute Force attacks and credential stuffing, hackers take advantage of weak passwords to access accounts and systems.
Cloud-based password managers are convenient online ‘vaults’ where users can generate complex, random passwords and store their usernames and passwords for online banking, email and social media accounts. These are generally encrypted for added security, and are almost impossible to crack. However, increasingly sophisticated hacking and decryption tools mean no system is 100% bullet proof.
Hadjizenonos says cloud-based password managers are attractive targets for hackers, given the large amount of sensitive information they hold.
When using a password manager, it is important to choose a strong master password that no one will be able to guess, says Hadjizenonos. “This master password is the key to unlocking your vault; it’s not stored or maintained by the password manager.”
He warns that users should never reuse the master password for any other app or site.
He notes that free browser-based password managers are typically not as secure as other options. They are often not encrypted, and because users tend to stay logged in to them, they can be compromised if a device is stolen.
For the most sensitive accounts, users should add an extra layer of security with multi-factor authentication. “This means every time you log in to your accounts, a temporary code must be entered. These codes can be sent via text message, email or generated by authenticator apps,” Hadjizenonos says.
Zero Trust
Today, users need access to all their applications, regardless of where the application or user is located. But users are also described as the weakest link in organisational security, particularly in hybrid and remote working environments.
“To adapt to the shifts in the workforce and threat landscape, organisations need consistent converged networking and security that is available both on-premises and in the cloud”, says Hadjizenonos.
To reduce risk, Fortinet recommends adopting a Zero Trust security model, with Multi-Factor Authentication (MFA) and Universal Zero Trust Network Access (ZTNA) – two of the most useful technologies organisations can adopt to start integrating Zero Trust principles.
“ZTNA needs to be everywhere, and everything needs to be secured with consistent policies and controls across all operating environments, whether on-premises or in the cloud,” he adds.
The Zero Trust security model assumes that anything or anyone trying to connect to your network is a potential threat, so every user must be verified before permission is granted access to critical resources. Ideally, access should be granted based on the user, the device they are using, their location, and their permissions to access a particular system or data too.