Your password could be your weakness: transform it into your greatest strength.

A few years back, I received a call from a friend of a friend asking for help with a delicate situation involving blackmail, a hacked SysAdmin’s personal computer, and stolen credentials. I agreed to help and asked to be connected to them.

[Image: a backpacker navigating the secure path of password management between cliffs of padlocks under a clear sky. Caption: Embarking on the journey of cybersecurity, a password manager is your reliable guide, securely locking away your precious data in the vast landscape of digital threats.]

When I arrived, the CEO was panicked, the SysAdmin was cross-eyed, and behind the COO’s cool jokes was a nervous laugh. It was a complex situation. I hired a friend of mine to work with me on an Active Directory audit while I investigated Google Workspace and other aspects of the predicament.

The client didn’t have managed antivirus or EDR (Endpoint Detection and Response) solutions installed on their computers. All the client had was generic Windows Defender AV, which the client could not monitor. They had no way of knowing if their computers were compromised, a stray VPN credential was being abused, or if something else was going on.

Unsurprisingly, two-factor authentication was not enabled. 

As I looked around the client’s environment, I found what I usually find when I walk into a situation like this: two-factor authentication (2FA) was disabled in Google Workspace. Additionally, we found that virtually everyone was capturing their passwords in their unmanaged Chrome browser password manager.

Chrome browser’s password manager is on by default. It’s easy to use, and it’s always there. Does that mean that it’s a good way to store your passwords? In the cybersecurity field, we call this “Shadow IT” because it’s an aspect of an IT environment that is difficult to see or control, which introduces risk.

The SysAdmin had 400 passwords, which provided access to the company’s most sensitive systems, improperly stored in the Chrome password manager. On top of that, he was logging into this account on his personal computer at home. It was an unmanaged, insecure computer containing the keys to company accounts… and someone was able to get into his computer and use it to record the SysAdmin during a private moment.

This lack of security enabled the blackmail situation to arise…

What went wrong? How did this happen?

1. The company wasn’t using a proper password manager where you can enforce security policies, which would have prevented a hacker from accessing the passwords remotely.

2. Because a managed password manager wasn’t being used, and employees (sadly including the SysAdmin) were not educated on how to create strong passwords, it appears that the hacker was able to find a reused password and break into the Google Workspace, which contained the collection of passwords along with access to the company’s accounts and system infrastructure. If you reuse a password, you are exposed to a credential stuffing attack, where a hacker takes one of your passwords that was part of a breach and reuses it to log into a different account protected by the same password.

3. 2FA wasn’t enforced on Google Workspace. Even with a reused password, 2FA would have offered some protection against unauthorized login attempts.

What steps did we take to help prevent this from happening again in the future?

  • We immediately enforced 2FA across the company’s entire Google Workspace domain.

  • We deleted all of the local password data stored on the computers across the office.

  • We loaded Antivirus / EDR onto the machines and started running scans to see if there were any local infections present.

  • And of course… We implemented an enterprise-grade password manager and locked it down using policies. Some of those policies included:

    • Mandating that the password manager could only be accessed from within the company’s office by locking it down to the office’s IP address. We allowed the C-suite to access the password manager remotely so they could work outside of the office.

    • Enforcing 2FA for anyone who was using the password manager.

    • Rotating the passwords wherever possible to prevent reuse of stolen or compromised credentials.

    • We spoke to the entire company about good password hygiene and showed them how to use the password manager.
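The "what went wrong" list and the remediation policies above describe three checks a defender wants to run continuously: is any password reused across accounts (the credential stuffing exposure), which accounts still lack 2FA, and which credentials are overdue for rotation, plus the access rule that the vault is reachable only from the office network unless the user is in an exempt group. The following Python script is an added illustration written for this article, not Be Co’s tooling or any password manager’s API. The vault entries, the office network (a TEST-NET range), the exempt roles and the 90-day rotation window are all constructed assumptions.

```python
"""Vault hygiene audit and access-policy check (constructed example)."""
from __future__ import annotations

import hashlib
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class VaultEntry:
    account: str        # e.g. "google-workspace/sysadmin"
    owner: str          # employee who holds the credential
    password: str       # a real export would hold this in plaintext too
    two_factor: bool    # is 2FA enforced on this account?
    last_rotated: date  # when the password was last changed

# Constructed sample vault: hypothetical accounts and made-up passwords.
SAMPLE_VAULT = [
    VaultEntry("google-workspace/sysadmin", "sysadmin", "Winter2019!", False, date(2019, 11, 2)),
    VaultEntry("vpn/sysadmin", "sysadmin", "Winter2019!", False, date(2019, 11, 2)),
    VaultEntry("github/org-admin", "sysadmin", "correct horse battery staple", True, date(2024, 1, 15)),
    VaultEntry("bank/portal", "ceo", "x7!Qm#Lp2v9Rt@Wz", True, date(2024, 4, 10)),
]

# Assumed policy values: office network is a documentation range (TEST-NET-3).
OFFICE_NETWORK = ipaddress.ip_network("203.0.113.0/24")
REMOTE_EXEMPT_ROLES = {"ceo", "coo", "cfo"}   # C-suite may use the vault remotely
MAX_PASSWORD_AGE_DAYS = 90                    # assumed rotation window

def _fingerprint(password: str) -> str:
    """Hash the password so the audit report never carries plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]

def find_reused_passwords(vault: list[VaultEntry]) -> dict[str, list[str]]:
    """Group accounts by password fingerprint; return groups used by more than one account."""
    groups: dict[str, list[str]] = defaultdict(list)
    for entry in vault:
        groups[_fingerprint(entry.password)].append(entry.account)
    return {fp: accounts for fp, accounts in groups.items() if len(accounts) > 1}

def find_missing_2fa(vault: list[VaultEntry]) -> list[str]:
    """Accounts where 2FA is not enforced; these are exposed by any reused or leaked password."""
    return [entry.account for entry in vault if not entry.two_factor]

def find_stale_passwords(vault: list[VaultEntry], today: date,
                         max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> list[str]:
    """Accounts whose password is older than the rotation window."""
    return [entry.account for entry in vault
            if (today - entry.last_rotated).days > max_age_days]

def access_allowed(source_ip: str, role: str, has_2fa: bool) -> tuple[bool, str]:
    """Evaluate the vault access policy: 2FA always, office network unless role is exempt."""
    if not has_2fa:
        return False, "2FA required"
    if ipaddress.ip_address(source_ip) in OFFICE_NETWORK:
        return True, "office network"
    if role in REMOTE_EXEMPT_ROLES:
        return True, "remote access exempt role"
    return False, "outside office network"

def audit(vault: list[VaultEntry], today: date) -> dict[str, object]:
    """Run all hygiene checks and return a report keyed by finding type."""
    return {
        "reused": find_reused_passwords(vault),
        "missing_2fa": find_missing_2fa(vault),
        "stale": find_stale_passwords(vault, today),
    }

if __name__ == "__main__":
    report = audit(SAMPLE_VAULT, date(2024, 6, 1))
    for fp, accounts in report["reused"].items():
        print(f"password {fp}... reused by: {', '.join(accounts)}")
    print("missing 2FA:", report["missing_2fa"])
    print("needs rotation:", report["stale"])
    for ip, role in [("203.0.113.42", "sysadmin"), ("198.51.100.7", "sysadmin"), ("198.51.100.7", "ceo")]:
        ok, reason = access_allowed(ip, role, has_2fa=True)
        print(f"{role} from {ip}: {'allowed' if ok else 'denied'} ({reason})")
```

The reuse check groups by a hash fingerprint rather than the password itself so that the report can be shared with the people who need to fix the findings without spreading the plaintext further; the vault export itself still needs to be handled as a secret. The access rule is deliberately ordered so that 2FA is checked before any network or role exception, which matches the policy above where the C-suite could work remotely but nobody was excused from 2FA.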

Fewer passwords to remember, more time to think about other stuff.

Now, let's cover how password managers reduce cognitive load. We all know that coming up with a new password is mentally taxing and that remembering it takes effort. Every time you forget a password, you must reset it, which takes additional time away from your day and adds up over time. Simply remembering and typing a password over and over again is cumbersome. Or worse yet, your reused password can be used to hack your accounts and your company, which can cost tens, if not hundreds, of thousands of dollars. The stress of a cyberattack is a cognitive burden you certainly want to avoid.

Key Takeaways.

  • Improper password management can lead to significant security risks.

  • Unmanaged browser password managers, like Google Chrome's, may not provide the necessary level of security for sensitive company data.

  • Managed password managers can enforce security policies, help create strong passwords, and prevent credential stuffing attacks.

  • Two-Factor Authentication (2FA) should be universally enforced for added protection.

  • Implementing an enterprise-grade password manager and educating employees on good password hygiene can greatly improve overall security.

  • Managed password managers reduce cognitive load, freeing up mental resources for other tasks.

How we can help:

With a properly managed password manager, you can stop typing passwords, worry less about creating a secure password, and start focusing on your business. With Be Co’s approach to password managers and authentication, we make logging in easy, quick, and highly secure. We can also help you centrally and efficiently manage all of these tools. Get in touch with us for a free consultation.

Randall Bellows III

Founder of Be Co - Technology Consultant, vCIO, Creative

https://beco.technology