Are Your Passwords A Single Factor Of Failure?
Last week I received a wake-up call that I had been needing for a while now. The award-winning online password manager LastPass was hacked and the password hashes were stolen. For those not familiar with password managers, they use a master password to store all of your passwords in a single secure place, which aims to prevent the infamous “Post-It note” password problem. LastPass stores your passwords online so you can access them from anywhere on any device.
The risk users of LastPass are now facing is an attacker cracking their master password and using that password to access all of that user’s credentials for every account they own. This begins to get really scary since users such as myself store passwords to every account they have including banking, investing, server systems, social media and email. This is much like the way your organization may use Active Directory as the single password for all of your services, including those in the cloud.
Secure Your Passwords with Multi-Factor Authentication
So how do we prevent our passwords from being that single factor of failure? We implement and use two-factor authentication (2FA) or multi-factor authentication (MFA). MFA incorporates an additional physical factor into the authentication process. This second factor is usually something you have, such as a cell phone that either generates a code or asks if the person logging into the account is actually you. This means an attacker would need both your username and password and your cell phone. Obviously this makes an attacker’s challenge of breaking into your account significantly harder, if not impossible. Let’s look at this process in action:
When I go to log into my LastPass account it asks me for my username and password.
You can see that I only need the username and password to log in and access all of my information. Nothing about this process guarantees that the person logging in is me since an attacker could be using my stolen password.
Enter the multi-factor authentication solution. This time when I go to log into LastPass I am presented with the same screen, but when I enter my credentials I receive an alert on my cell phone asking if I want to allow the login. I always have my cell phone and I can quickly approve or deny the login request. This puts me in full control and prevents attackers from taking over my account due to a security breach.
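The code-generating kind of second factor mentioned above can be shown in a few lines. This is an added example, not code from the original post or from LastPass: it implements the standard time-based one-time password algorithm (RFC 6238) and a login check that rejects a correct password on its own. The account values, the shared secret and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample account; none of these values come from the post.
SALT = b"constructed-salt"
TOTP_SECRET = b"12345678901234567890"  # shared with the phone app at enrollment

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

STORED_HASH = hash_password("correct horse battery staple")

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) that the phone app displays at Unix time `at`."""
    counter = struct.pack(">Q", max(0, int(at) // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    """Accept the current 30-second step plus `window` steps of clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * 30)
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok

def login(password: str, code, at=None) -> bool:
    """Both factors must pass; a cracked password alone is rejected."""
    at = time.time() if at is None else at
    password_ok = hmac.compare_digest(hash_password(password), STORED_HASH)
    code_ok = code is not None and verify_totp(TOTP_SECRET, code, at)
    return password_ok and code_ok
```

A production verifier would also refuse a code that has already been accepted once and rate-limit failed attempts, since a six-digit code is only useful as a second factor if it cannot be replayed or guessed in bulk.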
My specific scenario affected me on a personal level, but there are many organizations that have been breached in the past few years due to their lack of MFA. Target Corporation was a high-profile example where the lack of MFA led to a massive security breach. Had Target implemented MFA for access into their networks from the outside, they would likely not have been hacked.
JP Morgan Chase is another example: attackers who stole information on 83 million customers earlier this year gained access to the company’s network because a server reportedly lacked MFA. I can go on and on naming specific breaches that would have been prevented by multi-factor authentication because it really is a technology that stops attackers in their tracks.
Secure Your Organization’s Data On-Premises or in the Cloud with MFA
So how can MFA help secure your organization’s data? Multi-factor authentication can be used with most services both on-premises and in the cloud. Some examples include Amazon Web Services (AWS), Box, Citrix, Dropbox, Facebook, Microsoft Azure, Office 365, Salesforce, SharePoint, Twitter, VPN and WordPress. If an attacker were to steal your password to an MFA-enabled service, they would not be able to access your account or data, thus keeping your information safe.
SWC has experience deploying different multi-factor authentication solutions in a variety of scenarios. We can help your organization eliminate the single factor password weakness and dramatically increase your authentication security. We invite you to contact SWC about how we can help secure your data with a complimentary security assessment.
If you enjoyed this post from Tommy, please read a few of his past posts on related security topics.
Don’t Take the Bait – Tips for Protecting Yourself Against Phishers
Malware Protection | How to Prevent Another Sony Hack
How Can You Protect Your Organization From An IT Security Breach?
What Industries Are Facing the Most Security Issues?
From a Security Perspective, What is the Worst Case Scenario?
What Are Some Mobile Security Risks?
Tell Me About The Heartbleed Bug