Securing ways to share workplace passwords

Sponsored Feature When the first computer system passwords were set in 1961, few people needed to carry personal credentials to get through daily life. Nowadays, login credentials are ubiquitous across nearly every application, software and web service.

The results of a poll conducted on behalf of the National Cyber Security Centre published in April 2021 found that 27 percent of its respondents had at least four more password-protected accounts than they did 12 months before – with 6 percent reporting they had added more than 10 new accounts. This proliferation is one of the reasons why passwords have become a primary attack vector for cybercriminals. In fact, 81 percent of all data breaches are due to weak or stolen passwords.

Having to remember – or try to remember – a dozen or so regularly-used logins during the course of each working day is now a commonly-cited bane of 21st century life for both password holders and password administrators.

Despite the wealth of guidance when it comes to best-practice, passwords are often haphazardly set and stored. Personal and other passwords are shared incautiously between friends and family using insecure channels like email and other messaging media. The same passwords are frequently reused across different systems and accounts.

Passwords are also regularly shared between coworkers, but password management solutions can significantly mitigate the risks involved in colleagues using the same password to share access or data.

Overcoming the human factor

It comes as no great surprise, therefore, that password-related vulnerabilities have been identified as a chronic cause of many malicious data breaches. According to the 2022 Verizon 'Data Breach Investigations Report', 80 percent of hacking-related breaches involved compromised and weak credentials, and 29 percent of all breaches, regardless of attack type, involved the use of stolen credentials, such as passwords.

Because as highlighted all too often in the daily news, even the most frequently updated and strongest credentials can still be stolen in a data breach. 2FA is a form of multi-factor authentication (MFA) recommended as a best practice by the US National Institute of Standards & Technology (NIST) to reduce risk.

But the current Time-based, One-Time Password (TOTP) two-factor code process is fraught with complexity, for the following reasons:

- The user must access another device, or application, then quickly copy and paste, or manually transcribe, the code before it expires.

- If the user needs to share a login credential with others, the inconvenience of setting up two-factor codes is multiplied as every user must refer to that user for the code in order to complete the shared login.

- Verification codes sent via SMS are also known to be vulnerable to a "SIM port hack" that can send the code to a cyber crook.

- Most authenticator apps that store the codes for multiple accounts are actually locked to a specific device. So, if the device is ever lost, the user will have to start all over and reset 2FA on multiple sites…a tedious experience.

To address these pain points and promote the use of 2FA, Keeper Security has developed a fully-integrated security layer that adds two-factor codes directly in vault records. A Keeper user simply adds the two-factor code into the vault record field which can be automatically filled when logging in via the Web Vault or Browser Extension.

Make it easier than not using it

Experts at Keeper Security argue that a parallel approach is to leverage innovations in zero-trust and zero-knowledge security cloud services to address common challenges related to controlling passwords. Because they're not going away any time soon, and neither is our reliance on them.

"We really try to focus on two core aims," explains Zane Bond, head of product at the company. "First, naturally, there is increased security to protect users and protect company information to the utmost. But closely tied to that, we make sure that using our Enterprise Password Manager tool is easier than not using it."

Keeper Security's ethos was informed by a user response it calls the 'security adoption paradox'. This describes what typically happens when a new security product is deployed to a workforce.

"To begin with users are going to find it a little harder to adopt and become accustomed to – but once they're over that, they are going to be a lot more secure," says Bond. "So that's the trade-off – a bit more to do for a lot more security – and most users go along with that."

However, when those new security procedures tip too far up the complexity scale, people tend to decommit, Bond says: "While they understand the point of having more security, when it takes them longer to log into it, perhaps over a sluggish VPN connection that might stall their productivity, employees stop using them or find ways to bypass them."

Password reuse on the rise

Reuse of passwords – using the same password for more than one account – can result in a multiplicity of problems should that password become compromised.

Password reuse is rife. Individuals polled by the '2020 State of Password and Authentication Security Behaviors Report' admitted that they reuse passwords across an average of 16 workplace accounts, while respondents working in IT security say they reuse passwords across an average of 12 workplace accounts. Forty-nine percent of IT security respondents and 51 percent of individuals admitted that they are sharing passwords with their colleagues.

"Users do not always realise that hackers can steal their passwords in exfiltration hauls from third-party sources, and then make them available – freely or for resale –on the Dark Web," Bond warns. The risk of reused authentication is compounded when people use the same passwords for both work- and non-work related accounts.

Clearly, situations occur where sharing passwords is operationally expedient or essential. "Colleagues want to share information between each other as part of collaborative work – but it's important that both parties really understand the security dimension of how it's done," says Bond. "Sharing passwords of itself is not innately risky if done using password management software. But too often it is not."

Bond continues: "In a typical requirement, password information might get sent via email or text messaging, or via messaging platforms such as Slack or Microsoft Teams. People might be using any number of media and platforms, including those not approved by their company's IT security function."

Many such messaging tools and platforms maintain logs that will automatically track and copy user messages as they pass across them. "Users often aren't aware that some systems retain those logs – and the information they hold – forever. Deleting copies from Inboxes and Sent folders will not totally eradicate them, and if access to those logs is compromised and they are misappropriated, then the passwords go with them," Bond says. "So sharing credentials in written messages becomes risky because whatever avenues used might not be secure."

People share their passwords for a variety of reasons, ranging from budgetary constraints – making cost savings on user-limited licensed software – to operational short-cutting to ensure that project deadlines are met.

Forty-two percent of workers who responded to a poll by Survey Monkey share passwords (and accounts) to 'more easily collaborate with their teammates'. However, 38 percent of respondents indicated that they share passwords because it is the policy of the employer they work for, but the underlying reasons for such policies are unclear (it could, again, be about software cost control).

Mitigating contractors access

Third-party technology partners and contractors constitute a further reason for password sharing. Companies of all sizes work increasingly with multiple external business partners. These entities often need to remotely access a client's internal systems and processes, to upload documentation or access operational applications, for example.

This necessity exposes organisations to a broad range of IT security risks, as the password distribution pool is thereby widened.

"Third-party risk is a challenge that's growing," believes Bond at Keeper Security. "Even though you may have no concerns about their honesty and integrity, giving contractors reach into your internal IT can be like opening up your systems and your data to hackers."

A typical enterprise may have a host of security provisions – endpoint detection, anti-virus/malware software, firewalls – and it all might be doing an effective job, he adds. But when even a trusted third-party enters a client company's environment, the devices they bring in, the usage patterns they have, may not align with established security policies, leaving them exposed to infiltration by anyone who has access to the contractors' systems.

"Imagine a scenario where an IT contractor needs to get access to one of your database application servers to resolve a configuration fault," Zane continues. "The way many businesses respond to that situation is, 'We'll just give the contractor temporary access to our server through the VPN, and when the job is completed, we'll turn it off'."

VPNs, however, are "way too much access," Bond says: "It means that the third-party contractors can scan any server, can listen to all the traffic, all the internal messaging broadcasts. Potentially, you are introducing a ton of risk."

Keeper Security's Keeper Connection Manager (KCM) is an agentless/clientless remote desktop gateway that can be used with on-premises or cloud environments. It provides IT and DevOps teams with direct access to Remote Desktop Protocol, Secure Shell Protocol, databases and Kubernetes endpoints, via a secure session through a standard web browser.

"KCM enables user organisations to adopt zero-trust remote access to IT infrastructure – which, by the way, the majority of VPNs do not support," says Bond. "To access a remote machine, DevOps and IT personnel click on the server or desktop they want to access from the interface. KCM is integrated with our password and secrets management solution, so all passwords and keys are protected in an encrypted vault."

To further facilitate protected shared access, Keeper Security has One-Time Share, a feature that enables Keeper users to securely share records with anyone on a time-limited basis, using the company's zero-knowledge encryption and zero-trust security model.

"One-Time Share links are restricted to the recipient's device only, and automatically expire at a time of the Keeper user's choosing," Bond explains. "One-Time Share records can only be used on one device. Even if the user forgets to 'unshare' the record, it will expire automatically, and the recipient access is revoked."

Sponsored by Keeper Security.