By Dinah Davis, Director of Engineering at Arctic Wolf.
If you are in IT security you have probably spent a significant amount of time securing your corporate networks and accounts. Have you also spent time training your staff on how to secure their personal accounts? Does it matter?
As a corporation, should you care about the security awareness of your employees? Have you considered the risk to your business of employees having weak passwords on their personal email and social media accounts?
Employees often check their personal email and social media accounts from corporate laptops. If an attacker gets hold of a target's email account, they hold the key to many other accounts: they submit "forgot my password" requests on the other services registered to that address, and most services reset the password by emailing a link or code to that same inbox. In this way it is very easy for the attacker to reset the user's passwords and take over account after account.
Similarly, if the attacker compromises an account that is used for social login, such as Facebook, Twitter, or Google, the attacker now has access to every app that uses that account for authentication.
Strong passwords are important, but we know that users still aren't using them. In 2016, per DARK Reading, the most popular password in use was 123456.
We have also recently seen a very slick phishing attack on Google accounts that attempts to capture the user's login information. Against that kind of attack it doesn't matter whether your password is strong or not: the user hands it over.
So why should you care about this? What if an employee has used a personal email address to sign up for tools they use for your business? What if they reused their personal password for their corporate accounts? What if the attacker can reach your corporate network through those personal accounts?
So, what can you do about it?
Start training your staff on how to secure their personal accounts. This should cover password security, how to set up multi-factor authentication for email and social media accounts, and how to spot a phishing attack.
There are two keys to strong password security. First, each password must be strong; second, each password must be used for exactly one account. Most people have two or three passwords they reuse to make them easy to remember, but if an attacker figures one out, they have access to every account that shares it. If those passwords are easy to guess, all the better for the attacker.
Each password should contain letters, digits, and symbols, mix upper and lower case, and be at least eight characters long (longer is better; length does more for strength than any single symbol). Dictionary words with letters swapped for look-alike digits or symbols (P@ssw0rd and the like) should be avoided, since cracking tools try those substitutions automatically.
Tips for a strong password
- Take a long phrase and reduce it to a short string, one character per word, which is an easy and effective way to generate a memorable password of eight or more characters. For example, The quick brown fox jumps over the lazy dog could become TqB4j0t!d, which satisfies all of the conditions above. Pick a phrase of your own rather than a famous one, and don't reuse this example itself.
- Take a book off your shelf and use a sentence from it. To remember the password just remember the book, page number, and paragraph.
- Use more than one language to create a password such as IL0veMyMom+MonPere.
Better still than any of these techniques is to randomly generate a different password for every account. A password manager such as LastPass does this easily and effectively: it generates and stores the passwords for you. You then need only one strong master password that you can remember, and every other password depends on it, so choose it carefully.
We highly recommend a tool like LastPass for both your employees' corporate and personal passwords, but they should keep the two in separate accounts. LastPass allows a personal account to be linked into a corporate account. At first that sounds alarming, but the linkage is one-way: employees can reach their personal passwords from the corporate account, while the personal account cannot reach the corporate passwords.
You can also restrict where and on which devices the corporate LastPass account can be used. One sensible policy is to allow the corporate account only from corporate devices. An employee who has linked a personal account can then keep using that personal account on personal devices without exposing the company's corporate passwords.
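The policy above and a manager-style generator, as an added example written for this article (it is not LastPass code): check_password reports which of the rules a password breaks, including the leet-substitution check, generate_password produces a random password that passes them from a CSPRNG, and reused_passwords applies the "use each password once" rule across a whole vault. The COMMON_WORDS list, the LEET_MAP table, and the sample vault are constructed stand-ins for this example; a real check would load a large breached-password list.

```python
import re
import secrets
import string
from typing import Optional

# Constructed, deliberately tiny stand-in for a real dictionary / breached-
# password list (assumption for this example; load a large list in practice).
COMMON_WORDS = {"password", "welcome", "letmein", "monkey", "quick", "brown"}

# Leet substitutions to undo before the dictionary check, so "P@ssw0rd" is
# still recognised as "password". The table is an assumption; extend as needed.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "8": "b"})

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def looks_like_dictionary_word(pw: str) -> Optional[str]:
    """Return the dictionary word the password is built from, if any."""
    core = re.sub(r"[^a-z]", "", pw.translate(LEET_MAP).lower())
    for word in COMMON_WORDS:
        # The word must make up most of the letters, so a long passphrase
        # that merely contains "brown" somewhere is not flagged.
        if word in core and len(word) >= 0.6 * len(core):
            return word
    return None


def check_password(pw: str) -> list:
    """Return the rules from the article's policy that pw violates ([] = OK)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    word = looks_like_dictionary_word(pw)
    if word:
        problems.append("dictionary word with substitutions: %r" % word)
    return problems


def generate_password(length: int = 20) -> str:
    """Random password that passes check_password, the way a manager's generator
    does. secrets (not random) is the CSPRNG; the loop retries the rare draw
    that misses a character class."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(pw):
            return pw


def reused_passwords(vault: dict) -> dict:
    """Map each password used for more than one account to those accounts,
    i.e. the 'use each password once' rule checked over a whole vault."""
    accounts_by_pw = {}
    for account, pw in vault.items():
        accounts_by_pw.setdefault(pw, []).append(account)
    return {pw: accts for pw, accts in accounts_by_pw.items() if len(accts) > 1}


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd", "TqB4j0t!d", generate_password()]:
        print("%-24s %s" % (candidate, check_password(candidate) or "OK"))
    # Constructed sample vault: two accounts share a password.
    print(reused_passwords({"mail": "TqB4j0t!d", "bank": "TqB4j0t!d", "shop": "Hunter2!x"}))
```

The 60% threshold in looks_like_dictionary_word is a judgement call: it catches "Welcome123!" and "P@ssw0rd" while leaving a genuine multi-word passphrase alone, which is the behaviour you want from an awareness tool rather than a cracker.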
By using a password manager internally you are setting an example on how to maintain password security in a user-friendly way.
So now that we are using password managers both internally and externally, we are safe, right?!
Sadly not. A password manager does help against phishing, because it autofills only on the domain it saved the password for, so a look-alike site gets nothing; but a user who copies the password out of the manager and pastes it into the phishing page defeats that. The layer that still holds when the password has been handed over is multi-factor authentication.
With multi-factor authentication (MFA), logging in requires something you know (the password) and something you have (a one-time code generated or delivered separately). Both Google and Facebook offer MFA. Popular ways to get the code are text message, the Google Authenticator app, or Facebook's code generator. We recommend Google Authenticator, since many other services, Facebook and LastPass among them, accept codes from it. Text-message codes are the weakest option, because an attacker who takes over the victim's phone number (a SIM swap) receives them too.
On that note, make sure your corporate LastPass policy requires MFA in addition to the master password before an account can be opened.
Note that users can also sign in to many apps with Twitter, just as with Facebook and Google. At the time of writing, however, Twitter did not offer MFA, so we would discourage using Twitter as a login provider.
You should also train employees to enable login notifications on their personal accounts. These are exactly what the name implies: whenever someone logs in to the account, the owner receives a notification through a predetermined channel and can review it. If it was the user's own login, they can ignore it. If it is unfamiliar, they should immediately sign in and change their password, because an attacker may be in the middle of taking over the account. See Facebook's and Google's help pages on login notifications for how to turn them on.