What’s going on?
The 2020 Verizon Breach Report shows that breaches are up nearly 100% from last year, and threats are evolving at an alarming rate with more and more people working from home since March of 2020. This marks the fourth year in a row that stolen credentials are the number one source of breaches and hacking. (For our purposes here, hackers can be defined, at a very high level, as one of three things: those using stolen or brute-forced credentials; those exploiting vulnerabilities; and those using backdoors and command-and-control [C2] functionality.) Four years in a row is certainly long enough to call it an established trend, so let’s talk about why this is happening.
To start, we’ll explore the vectors where attacks are happening less. Websites are getting smarter about SSL/TLS, so plaintext interception attacks are on the decline. Browsers like Google Chrome and Firefox are getting more aggressive about protecting against man-in-the-middle and eavesdropping attacks, leading to a decrease in IP spoofing, SSL hijacking, and the like. While it’s great news that these types of attacks are trending downward, the consequence is that now the only way in is with usernames and passwords. That’s great news for attackers, since most people are lazy when it comes to their passwords... but bad news for users.
Credential Stuffing: when hackers exploit users that reuse passwords across different services
Do you use one key for your house, storage unit, office, safe, bike lock, and car? Probably not. It should really be no different when it comes to your different online services; if you use one password or a variation of one password for your Netflix, email, bank account, E*Trade, etc., then guess what? If someone steals your password, they’re going to have a field day with all that data. Maybe you’re not the type of person who uses a similar password for everything... but the average person certainly does. A recent blog published by eBanking platform Q2 shows that most people have more than 200 online accounts and only 8-10 unique passwords. So if I guess or steal one of your passwords, that means I’ll have access to at least 20 of your accounts (on average, of course).
Password managers for the win
Obviously it would be a huge pain to have to create a complex, really-hard-to-guess, unique password for each of your ~200 accounts. Wouldn’t it be great if there was a tool that could do that for you? Aha! There is. It’s called a password manager, and you should 100% use one. You can’t really go wrong when picking one: there’s LastPass, OneLogin, KeePass, Dashlane, and plenty more. Even web browsers like Chrome, Firefox, and Safari have native password management capabilities (though we’d warn against those, as most of them store your passwords on your computer in an unencrypted form).
Either way, any password manager is better than using the same password for all accounts. Use one for your personal accounts; use one for your work accounts; use one for everything! Just use it, please.
Why listen to me?
Even as a security expert, I didn’t realize how important a password manager was until a few years ago. I used to have three passwords: one without numbers, one with numbers, and one with numbers and symbols. The end. But then I got smarter, and I started using LastPass – I’m safer; my company is safer; my family is safer; and everything is just oh-so-much better (and easier). If you don’t believe me, maybe you’ll listen to Forrester analyst Brian Kime, who claims that a password manager “could save your marriage”... just saying.
It’s not hard to start using one, either, and it doesn’t have to be a whole big event. Download the password manager and, as you go about your normal day logging into sites or services, just spend 30 seconds max changing your password for each site you visit. That’s all there is to it!
And if you’re wondering, “What if someone steals the password for my password manager?!”, I’d recommend using a device where you can log in with your fingerprint or face scan; in lieu of that, a password manager will also generate a random, nearly impossible-to-guess password for you. So just do it.
The cybersecurity journey is never over since bad actors are constantly evolving along with new technologies. Password managers are just the first step to protecting your sensitive data. But as we mentioned at the beginning, stolen passwords are still on the rise. So, along with password managers, organizations need a strategy to ensure their data is safe if/when credentials are compromised. That’s where ALTR can help.