Even today, and for many reasons, employees still share passwords within the company, and quite often outside of it too: working with external contractors, freelancers and clients often leaves no other choice. Over the years this practice has been deemed risky and sometimes downright unethical, mainly for security reasons. One thing is certain: without proper precautions, the result can be compromised company data, which can cost the owner far more than money. The company may also lose its good reputation, with very lasting effects.
Worse, it may even result in the company closing down.
According to the Verizon Data Breach Investigations Report (DBIR), 81% of company data breaches are due to weak, compromised or reused old passwords. The same source has reported this figure since 2017, and the most recent statistic, from 2019, unfortunately shows that not much has changed.
It reports that 80% of data breaches are still caused by the very same reasons stated above, and that 29% of such breaches involve the use of stolen credentials. The report was compiled from a total of 73 sources covering 41,688 security events; out of these 40,000-plus cases, 2,013 were confirmed data breach incidents.
This kind of threat to data security is a sobering reminder that, for as long as we still don't have a replacement for the password, we must keep looking for ways to use passwords securely in order to protect our data. On top of that, human error is a weak spot that attackers can exploit.
A well-meaning employee may inadvertently share his or her password and cause an unwanted leak of log-in credentials. Others may be motivated to earn some money by selling passwords to outside parties, which is obviously illegal. So what are we doing to stop this?
The dangers of sharing passwords
To repeat: unauthorized sharing of passwords bypasses basic company security protocols. It exposes first and foremost the user, and right after that the company's reputation, both of which we would like to avoid.
Plain text sharing of passwords
A password that an employee shares as unencrypted plain text is the one most likely to be caught up in a data breach. It is the equivalent of standing naked in broad daylight, and the information can also simply get lost along the way.
SSO (Single Sign-On)
SSO is an authentication method that lets users sign in to one or several accounts with a single password. It is convenient, since it gives the user broader access, but it also increases the attack surface of the system: if that one password is inadvertently shared and distributed, the whole security architecture can collapse. Moreover, companies working with external partners and clients often don't have the luxury of integrating every single internal and external system (and user) into the SSO system.
Misuse of privileged credentials
A survey conducted by Centrify, a privileged access specialist company, found that around 80% of IT administrators and superusers, for one reason or another, share privileged access credentials with other employees. It is estimated that around 80% of privileged access security failures come from compromised privileged access accounts.
Sharing via email or social media
Using these platforms to transmit sensitive information is considered very high risk. They were never intended for such a purpose and probably never will be. Avoid them entirely wherever possible.
Rehashing old passwords
Reusing an old password, whether you still use it elsewhere or no longer use it at all, can expose several of your accounts to a single breach. A hacker who figures out a pattern in the way you create your passwords, especially when you reuse old ones across different platforms, can make an intelligent guess when jumping from one platform to another, and once that guess succeeds, your other accounts are compromised too.
Sharing a password hidden in asterisks
Some people feel safe sharing a password that is displayed as asterisks. They believe that anyone who uses the shared account won't be able to see the password, since it is masked. Nothing could be further from the truth: there is no way to share your password with anyone without actually revealing what is behind the asterisks.
You would either end up telling them yourself, or they would uncover it. The fact is that there are ways to view masked passwords, and finding them takes no longer than a quick Google search; all it takes is some know-how and a little patience. Remember, a masked password is as vulnerable as a password shared in plain text.
Using your mobile or personal device
As mobile technology advances, more and more functions are moving from the regular PC to the iPhone or Android phone. Employees tend to create and keep passwords on their mobile devices, outside the office workstation. This may seem harmless enough, but the danger comes when the phone is not adequately secured, or when a family member gets to the passwords stored on it.
The data is then compromised on the fly, so to speak.
More and more companies are migrating to the cloud, mainly to improve business processes and storage. In general this is a good idea, as it improves the company's capacity and agility as an organization, and most cloud service providers claim that they have sufficient security.
However, one survey indicates that out of 12,000 cloud services, almost 80% still allow weak passwords. This may be because they follow a zero-knowledge approach, and it is debatable whether they should impose stringent rules on password creation; whatever they do, they will have to do it without turning off their customers.
Nonetheless, work still has to be done to strike a balance between security and the provider's ability to scale its business; otherwise the risk remains.
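As an added example (not part of the original post, and not PassCamp's or any cloud provider's code), here is a small Python password-acceptance check of the kind a service that does not want to "allow weak passwords" could run at password creation. It also catches the reuse, and the trivial rotation ("Winter2019!" to "Winter2020!"), of old passwords discussed under "Rehashing old passwords". The policy values, the short common-password list and the normalisation rule are all constructed assumptions; the history is kept only as salted PBKDF2 hashes, so the check works without ever storing plaintext passwords.

```python
"""Password-acceptance check: policy rules plus reuse/variant detection
against a history of salted PBKDF2 hashes. Constructed example; all
parameters below are assumptions, not values from any real service."""
import hashlib
import hmac
import secrets
import string

MIN_LENGTH = 12            # assumed policy minimum
HISTORY_DEPTH = 5          # assumed number of old passwords remembered
PBKDF2_ITERATIONS = 100_000

# Constructed stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

_TRAILING = string.digits + string.punctuation


def _core(password: str) -> str:
    """Normalise so trivial rotations of an old password (case changes,
    a new year or symbol tacked on the end) map to the same core value."""
    return password.lower().rstrip(_TRAILING)


def _derive(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only these digests are ever stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordHistory:
    """Remembers the last HISTORY_DEPTH passwords as (salt, exact hash, core hash)."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self._entries: list[tuple[bytes, bytes, bytes]] = []

    def match(self, password: str):
        """Return 'exact', 'variant' or None, using constant-time comparison."""
        core = _core(password)
        for salt, exact_hash, core_hash in self._entries:
            if hmac.compare_digest(_derive(password, salt), exact_hash):
                return "exact"
            if hmac.compare_digest(_derive(core, salt), core_hash):
                return "variant"
        return None

    def record(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._entries.append((salt, _derive(password, salt), _derive(_core(password), salt)))
        del self._entries[:-self.depth]   # keep only the most recent entries


def weakness_reasons(password: str, history: PasswordHistory) -> list[str]:
    """Every reason the candidate fails the policy; empty list means acceptable."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password list")
    found = history.match(password)
    if found == "exact":
        reasons.append("reused from password history")
    elif found == "variant":
        reasons.append("trivial variant of a password in history")
    return reasons


def try_set_password(password: str, history: PasswordHistory) -> tuple[bool, list[str]]:
    """Accept and record the password, or reject it with the reasons."""
    reasons = weakness_reasons(password, history)
    if reasons:
        return False, reasons
    history.record(password)
    return True, []


if __name__ == "__main__":
    h = PasswordHistory()
    for candidate in ("password", "correct horse battery staple",
                      "Correct Horse Battery Staple2020!"):
        print(repr(candidate), "->", try_set_password(candidate, h))
```

The variant check is the part a plain "no reuse" rule misses: because the history stores a hash of the normalised core alongside the exact hash, a user who rotates "Winter2019!" to "Winter2020!" is turned away even though the new string has never been used verbatim. A production service would swap the five-entry common list for a full breached-password set and tune the iteration count to its hardware.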
Securing your password
Password managers like PassCamp are designed to secure your passwords with the latest methods available. The common principle of these services is that you share your passwords in a protected environment, where they are secured and encrypted around the clock. When you share a credential, you and the people you share it with are the only ones who can see it, and no one else.
These services also often help to generate complex passwords. No more sharing via email or social media, no more messaging apps, no more worry.