Improving Password Management

Posted by Mark Greisiger

A Q&A with Stewart Atkinson of Dashlane

Too often, data breach incidents can be traced to poorly managed passwords, underscoring the fact that humans are almost always the weak link. Yet with so many functions both in and outside the office requiring the use of usernames and passwords, maintaining proper password hygiene can be a challenge. I spoke to Stewart Atkinson of Dashlane (a password vault solution) about this risk exposure and how to ensure that preventable data loss isn’t an imminent threat to your company.

Why is password management important?

Whenever you sign up for an account of any kind you have to enter a username and a unique password with special characters—you might have 50, 60, 200 accounts and you’re not going to remember unique passwords for each of them. Many people still run the risk of using the same password over and over—if just one of the sites they use is hacked, then all it takes is for a hacker to try that password at other sites you use. This is especially problematic if people are using the same password across personal and business accounts, creating more risk for the business.

Just yesterday, I had an experience that shook me. I went to a new Whole Foods store in my neighborhood and there were employees standing by the escalators with iPads, helping people sign up for the 365 Rewards service. People were expected to type in their name and come up with a password on the spot. How would you remember that unique password, since it’s not on your device? And if you reused a password it’s now on an iPad that doesn’t belong to you, which anyone could access.

What are the top three most ineffective password practices?

  • Reusing the same password across sites. Something like 50 percent of people use five or fewer passwords for all of their internet accounts.
  • Forgetting a password. Waiting for an email and following the steps of that process wastes time.
  • Allowing other people to access your password. People do this all the time with things like HBO Go or Netflix. And even in many corporate settings, the IT administrators might share a network admin password. It’s a dangerous practice.

How are weak passwords used to exploit corporate systems and gain unauthorized access to sensitive info?

All a hacker needs to do is find an employee’s one password that’s used across several sites and that’s all they need to get into the door of a company. Smart companies have VPNs that require log-in before you can access the system. Yet there are other easily hacked systems, like Salesforce, which are linked to a variety of systems and can wreak havoc if someone gains unauthorized access to an account.

How might such an exploit specifically impact a company?

A password-related exploit can lead to any number of data breach incidents from exposure to ransomware, resulting in the loss of sensitive data, financial loss, business interruption and, depending on the size and scope of the incident, the loss of customer trust or regulatory action.

What can a company do to mitigate this risk exposure?

Password management is important, not just for security but also for convenience. Using a password manager (or password “vault”) can help people keep track of their dozens of hard-to-guess passwords in one place, in an application that can be used on all devices.

Dashlane is more secure than many managers because we don’t know the passwords—our security architecture only allows us to access the username. Business users get access to an admin console that allows you to add employees and shows analytics to give all users a security score. This will show if the password is weak or compromised. It also has features to safely share passwords and to revoke access to business passwords when employees leave the company.

In summary…
Strengthen that old ‘Ou812’ password—everyone knows that song. We want to thank Mr. Atkinson for his thoughtful insights into this very common cyber risk issue. To mitigate password mismanagement and to strengthen security safeguards, leveraging a password vault solution is a simple fix. At the same time, it’s amazing how many organizations, large and small, fail to implement one.