When you sign up for a new account somewhere, what’s the hardest part in choosing a good password? For me, it’s coming up with a passphrase, which is what I use. I’m sure most everyone is familiar with the concept of passphrases, which is the use of a phrase instead of a single password — for example, “The moon is made of ch33se!” That passphrase is both long and complex. However, sometimes, I sit there trying to think of a good passphrase for a while, and that gets annoying.
Password managers for the win
This leads me to our first point within the topic for today, which is password managers. I am a huge fan of password managers because they make my life more secure and easier. When working at an MSP (managed service provider) supporting hundreds of clients, we used a password manager to gain access to all our clients’ passwords. They were stored securely online, and we could access them from anywhere. We were also able to see who had accessed passwords, which was good for accountability.
Some password managers have the ability to automatically change passwords for accounts at predetermined rotation schedules, which is very handy. Before I used a password manager, I was guilty of password reuse. <Insert frowny face here.> It was just too hard to remember unique passwords for all the sites I logged into. Then, I met the password manager, and now I live a harmonious, unique password life. I can access any password from my phone or computer via a secure connection. It also provides a handy browser plugin to fill in credentials for me, once I’ve authenticated to the plugin. If you’re not already using a password manager at work and at home, I’d highly recommend it. There are quite a few of them out there, so take some time to review them and what their users are saying about them before deciding on one!
Multi-factor authentication (MFA)
Now, on to our second point for today: multi-factor authentication (MFA). If you’re not familiar with MFA, it’s the idea that besides entering your password, you need to provide another factor of authentication, such as a fingerprint or a unique code. Many MFA solutions rely on a phone app or a dongle with a five- or six-digit code that changes every minute or so. When you log in with MFA, you enter your username and password, along with the current five- or six-digit code on your app or dongle.
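The rotating six-digit code described above is usually a time-based one-time password (TOTP, RFC 6238). The following is an added example, not code from the original post: it generates such a code from a shared secret and the current time step, and shows how the verifying side accepts one step of clock drift while refusing to accept a code twice. The secret used is the RFC 6238 reference test secret, embedded here only so the output can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # code changes every 30 seconds
DIGITS = 6
# RFC 6238 test secret, used as constructed sample input; not a real key.
DEMO_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Return the HMAC-SHA1 TOTP code for the time step that contains unix_time."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter (RFC 4226)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side: check a submitted code against the current step and its neighbours."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps           # how many 30 s steps of clock skew to tolerate
        self.last_accepted_step = -1             # highest step already used; blocks replay

    def verify(self, submitted: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_accepted_step:
                continue                         # code from this step was already consumed
            expected = totp(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET, int(time.time())))
```

Knowing the username and password alone is not enough here: without the shared secret, an attacker cannot compute the current code, and a code captured once cannot be reused.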
Why on earth would we want to go through this hassle? Simple: to prevent successful password attacks. How many of you have your child, spouse, girlfriend, favorite sports team, or pet’s name in your password? I’d venture to say many of you. I can find this information on social media and then use a handy little script to generate a password list that just might crack your password. In today’s world of advancing threats, passwords are becoming too easy to guess or bypass. With MFA, having someone’s username and password will not get you access to their account — you’d still have to gain access to the factor of authentication, such as the app on their phone.
Where to use MFA
In my opinion, all services accessible from the internet (VPN, Citrix, RDP, webmail, etc.) should have MFA implemented on them. These services are exposed and at risk of being exploited by password attacks. You may say to yourself, “It’s okay — the account will lock out after three login attempts.” Sure, that may be, but now they’ve caused a denial of service attack for that user, and I’m sure your helpdesk doesn’t want to deal with that phone call! Plus, by default, the administrator account on Windows computers doesn’t lock out. The evildoers can brute force the administrator account until the cows come home!
Maybe you have a SIEM, and you identify these attempts in a daily report and then address them by blocking the source IP address in your IPS or firewall. If so, surely by now you’ve realized the attackers are coming from different IP addresses in different countries. This is because they’re proxying through servers set up at various cloud vendors to disguise their location. Plus, if you only see this once daily, they could attack overnight and may succeed!
Protect your infrastructure
Take it from someone who has investigated too many breaches that were caused by successful password attacks on public-facing services — use MFA. There are many MFA solution vendors out there, and most of them are pretty simple to set up. The cost of a data breach far outweighs the price you pay for an MFA solution.
Well, that covers it for today. Password managers and MFA for the win! If you have any experiences with either or would like to ask the community questions regarding these topics, please comment below and let me know — I’d love to hear from you!