How to protect your company’s passwords
Readers interested in cybersecurity may well recall the rather marvelous Troy Hunt’s list of email addresses and passwords which have been subject to data breaches in the near past.
Because the usernames and passwords are released publicly, several companies and organizations with interests in cybersecurity have begun to use Troy’s lists in order to improve the security of their systems.
Here are just a few of them – you can read the full list on Troy Hunt’s blog.
New breach: South African website ViewFines had 934k records breached this month including 778k unique email addresses, names, phone numbers and plain text passwords. 59% were already in @haveibeenpwned. Read more: https://t.co/APKtuI0YC7
— Have I Been Pwned (@haveibeenpwned) May 24, 2018
By using a “proper” password manager, an entire list of log-on credentials can be managed right across an organization, but – this is key – with access segmented by privileges.
Access to any list should be revoked and access levels changed as and when necessary, ensuring that promoted/demoted staff members only get access to the accounts they need and those who’ve been fired lose access immediately.
It’s a good idea to double-check existing passwords against the previously compromised phrases in Troy’s lists (“Pwned Passwords”) when setting up your credentials manager.
This is, of course, invaluable, as the use of a password which is circulating openly on the dark or “normal” web represents a potential danger.
Among software providers using the publically-available lists are 1Password and Okta.
1Password is an organization that Troy Hunt has partnered with to help protect user’s passwords.
Okta, on the other hand, is a Chrome browser extension which will tell you if your credentials have been compromised: every time you sign up for a new service and enter a password, the extension will tell you whether your choice is wise.
There is a full API to “Pwned Passwords” which is simplicity itself to use:
Also making good use of the lists is online MMORPG Eve, various e-commerce facilities across the globe, Bittylicious (a cyber currency trading platform) and even UK purchase cashback providers Quidco.
Shortly after the initial launch of “Pwned Passwords” in August, version 2 was released, allowing half a billion compromised login details to be cross-referenced by anyone who wishes to.
While it may seem that the existence of such lists and services which use them for free may soon ensure that their existence is no longer useful, human nature is such that people will continue, no doubt, to use passwords like password, p4ssword, 1234, qwerty, and their mother’s maiden or children’s names.
TechHQ recommends the use of a dedicated, commercial or open source password manager, in order to keep service users and staff relatively safe – or at least one step closer to safety.