Password Managers Under Attack: What’s the Business Impact?

It was only a matter of time before the headlines changed.

We’ve been reading “Megacorp Hacked – Millions of Passwords Stolen” for years – and savvy consumers have taken notice. Those folks have moved away from reusing a single username and password across multiple applications and have started using password managers to store unique passwords for each site and app they use, locked up with a single master password.

What does this mean for SMBs?

It means the bad guys know that our passwords are the route to our money. It means businesses should be keenly aware of the risks associated with employees storing their work credentials in password managers such as Dashlane, LastPass, etc. Once an employee’s master passwords get breached in these types of apps, criminals have the keys to unlock any business app, thereby providing a direct path to sensitive corporate data.

No PasswordsRather than relying on consumer solutions, companies can invest in a corporate-grade identity management solution such as Centrify that provides single sign-on (SSO) to all corporate apps as well as multi-factor authentication to ensure work data stays on lockdown. Employees will no longer need a password manager because they’ll have secure SSO access to everything they need for business. This means no more passwords to store or remember, all the benefits of multi-factor authentication, app access policy that’s context-aware, and reporting and management for business-level visibility.

In addition, solutions such as Centrify enable businesses to manage privileged access to (and within) apps. That way IT can provide access to only the specific apps and data a given employee needs in order to work effectively, limiting the attack surface and the risks that come from over-privileged access. And best of all, thanks to forward-thinking app vendors and enterprise identity solutions, app passwords can often be eliminated entirely. Instead of transmitting passwords that can be stolen, enterprise identity solutions such as Centrify use SAML and other standards to authenticate users with one-time secure tokens that can’t be re-used.

While cloud-based apps typically do a good job of encrypting data in motion, many don’t provide any further security or access policy above the simple step of using HTTPS when accessing the app. While that’s critical for minimizing snooping and unauthorized access, it can’t stop malicious actors from accessing data if they can steal the password to the app.

But we’ve seen enough breaches in the cloud (just ask Jennifer Lawrence) to understand that protecting your cloud apps requires more than just traffic encryption. Businesses, even smaller ones, require something much more industrial in strength.

If your employees are potentially storing work passwords in consumer password management apps, consider warning them of the risks and providing them with a better option. Better options are out there and are surprisingly affordable.

I look forward to the headline that reads, “Passwords are Dead. SAML, OATH, OAUTH, and MFA Adopted Everywhere.”