There are two kinds of companies in the world: those that have been breached by criminals, and those that have been breached and don’t know it yet. Criminals are relentless.

Today’s cyberattacks have evolved into high-level espionage perpetrated by well-resourced criminal organizations or nation-states. In the era of software as a service (SaaS), enterprise data is more likely to be stored in the cloud than on premises. Attackers continuously scan cloud address ranges with automated tooling, so a newly exposed service protected only by a weak or default credential can be found and attacked almost as soon as it comes online. And the cost of a data breach can be enormous.

As the crucial first line of defense against hackers, passwords have been used since the dawn of the Internet, and I believe they will continue to be used long after I retire.

Yet, the majority of company-related passwords fail to meet minimum security requirements — and the number of companies lacking multi-factor authentication tools or enterprise controls is staggering.

As a specialist in password cracking, I help lead IBM’s X-Force Red, an autonomous team of veteran hackers within IBM Security that helps businesses discover and identify critical vulnerabilities to cyberattacks. Our mission is to “hack anything to secure everything.”

One thing I know for sure: your enterprise system will be hacked. Credential theft remains one of the most common ways attackers get in, and weak, reused or unprotected passwords are behind a large share of enterprise breaches. So, how can your business protect itself?

Strong password hygiene paired with an enterprise password manager, backed by company policies and multi-factor authentication, will reduce your risk. And in the age of cloud, zero trust security must be wrapped around every connection, every device, every user, every time.

To improve password security, reduce user friction

Why are weak passwords so commonplace? With online accounts multiplying, password fatigue is on the rise. To make life easier, many people reuse the same easy-to-remember password across multiple accounts. Such passwords are cracked with little effort, and a single reused password that leaks from one site can be replayed against every other account that shares it, giving cybercriminals access to company, employee and client data.

Whether passwords are stolen through phishing, malware or brute-force attacks, they give criminals access to valuable company and personal information. Stolen credentials are sold on dark web marketplaces and reused in follow-on attacks long after the original breach.

A password manager removes the root cause of many of these issues: it generates and remembers strong, unique credentials, so users forget fewer passwords, trigger fewer Active Directory lockouts and file fewer reset tickets, which reduces user friction and lost productivity. When integrated across systems and accessible even from outside employees’ business assets, it delivers real business value. Yet only a fraction of companies purchase an enterprise password manager, citing cost as a factor.

I believe the investment cost of a password manager must be weighed against the losses associated with a breach and associated user productivity. For example, if users are locked out of their computers — and don’t have a company phone to perform two-factor authentication (2FA) — there is an immediate productivity loss while they call the help desk and wait to be unlocked.

Start with good password hygiene

A good password is a simple defense against the most common credential attacks: online guessing, offline cracking of stolen hashes, and credential stuffing with passwords leaked elsewhere. Let’s look at password habits that can minimize the impact of password weakness and help improve your organization’s security.

  • Go long! Use at least 12-16 characters generated at random from letters, digits and symbols, not dictionary words. Length and randomness are what matter: a truly random 12-character password is beyond exhaustive brute force even against a fast unsalted hash such as NTLM, whereas a dictionary word with a year and a symbol appended falls to a wordlist-and-rules attack in seconds no matter how many character classes it contains.
  • A no-repeat policy is best. 52 percent of all internet users admit they use the same password across many accounts. One breach of an unrelated site can then be replayed against your enterprise logins, and a single compromised account can expose your whole enterprise.
  • Change a password immediately after a successful attack or any suspected compromise. Forcing users to rotate passwords on a fixed schedule is no longer recommended (NIST SP 800-63B advises against it) because it pushes people toward predictable variations of the old password; rotate on evidence instead. And don’t share passwords with anyone or write them down on sticky notes.
  • Layer protection with two-factor (2FA) or multi-factor (MFA) authentication, ideally paired with a dedicated authenticator app that generates a short-lived one-time code, or better still a phishing-resistant hardware security key. Biometric authentication (fingerprints, retinal scans, voice signatures) can add security as part of MFA, but it isn’t foolproof, and a biometric cannot be changed once copied. In practice a biometric unlocks a device-bound credential and falls back to a password or PIN, so a secure password remains an important component of biometric authentication.
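The first bullet reasons about cracking time, so here is an added worked example (not code from the article or from X-Force Red) that estimates the two attacks a cracker actually runs: the naive per-character brute force that composition policies implicitly assume, and the wordlist-plus-rules attack that breaks a password like "Summer2023!" in under a second despite its four character classes. The hash rates and wordlist size are assumed order-of-magnitude figures, marked as such in the code, and the sample passwords are constructed for illustration.

```python
import math
import re
import string

# Assumed order-of-magnitude guess rates for a single modern GPU (not figures
# from the article): an unsalted fast hash such as NTLM versus bcrypt at cost 12.
ASSUMED_RATES = {
    "NTLM (1 GPU)": 1e11,
    "bcrypt cost 12 (1 GPU)": 1e3,
}

# Assumed size of the wordlist an attacker tries first (constructed figure).
ASSUMED_WORDLIST = 100_000

CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
)

# Shape a cracker tries early: capitalised word, up to four digits, one symbol.
WORD_PATTERN = re.compile(r"^[A-Za-z][a-z]{2,}(\d{0,4})([^A-Za-z0-9]?)$")


def naive_bits(password: str) -> float:
    """Entropy a composition policy implicitly assumes: every character drawn
    uniformly from the union of the classes present."""
    pool = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def effective_bits(password: str) -> float:
    """Entropy once a 'wordlist + mangling rules' attack is modelled.
    Passwords that do not fit the pattern fall back to the naive estimate."""
    m = WORD_PATTERN.match(password)
    if not m:
        return naive_bits(password)
    digits, symbol = m.groups()
    space = ASSUMED_WORDLIST * 2             # word, lower-case or capitalised
    space *= 10 ** len(digits)               # appended digits
    space *= len(string.punctuation) if symbol else 1  # appended symbol
    return math.log2(space)


def seconds_to_exhaust(bits: float, rate_per_second: float) -> float:
    """Worst case for the attacker: try the whole space at the given rate."""
    return 2.0 ** bits / rate_per_second


def humanize(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def evaluate(password: str) -> dict:
    naive, eff = naive_bits(password), effective_bits(password)
    return {
        "length": len(password),
        "naive_bits": round(naive, 1),
        "effective_bits": round(eff, 1),
        "worst_case": {name: humanize(seconds_to_exhaust(eff, rate))
                       for name, rate in ASSUMED_RATES.items()},
    }


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any breach or engagement.
    for pw in ("Summer2023!", "password", "kT8#wq2Lp!9zQ"):
        print(pw, evaluate(pw))
```

Run it and "Summer2023!" shows the gap the bullet describes: the naive estimate credits it with over 70 bits, but the pattern it follows has under 40, which a single GPU exhausts against NTLM in well under a second. The random 13-character string has no such shortcut and keeps its full naive entropy.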

9 reasons to use an enterprise password manager

Unique, randomly generated secrets for every account, rotated promptly whenever compromise is suspected, are among the best defenses against credential compromise, and a password manager is what makes that practical at scale. A reputable password manager such as 1Password for enterprise generates unique credentials for each account and stores them encrypted in a vault that individuals, employees or teams unlock with a master password (ideally plus a second factor). Here are nine reasons a password manager makes good business sense.

  1. Ease password overload: Cloud-synchronized vaults make every credential available on every device the user works from, so nobody has to memorize dozens of passwords.
  2. No more weak passwords: Long, random passwords that would take attackers years to crack are generated effortlessly, so users never have to invent one.
  3. Monitor password health: A password manager helps support company security policies by reporting which stored credentials are weak, reused or stale and whether they meet company policy.
  4. Harder to hack: Auto-generated passwords contain no names, dates or other personal details, so they cannot be guessed from what an attacker learns about the user.
  5. Improve operational efficiency: Your IT help desk spends hours resolving employee password reset requests, a waste of business resources. A password manager sharply reduces these requests and improves IT and end-user productivity.
  6. Protect against phishing and identity theft: Autofill is bound to the origin the credential was saved for, so if a user clicks a phishing link by mistake the manager will not offer the password on the lookalike domain. Some managers can also alert the security team when that happens.
  7. Contain data breaches: Because every application gets its own unique password, a single compromised account cannot be used to unlock others, which stops the data breach domino effect.
  8. Built-in two-factor authentication: Most business password managers can require 2FA or MFA before a user may unlock the vault, and many can store the one-time-code seeds for the accounts inside it. Keep in mind that storing a site’s second factor alongside its password collapses two factors into one if the vault itself is compromised.
  9. Better security than browser password management: Users often let the browser save passwords for autofill. This is not safe for your business: infostealer malware running as the logged-in user can decrypt browser-stored passwords with that user’s own OS credentials. A dedicated password manager keeps the vault encrypted under a master password and relocks it after use; an unlocked vault on a compromised endpoint is still exposed, so endpoint security matters either way.
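Reason 6 depends entirely on how the autofill decision is made. The following is an added illustration in Python, not code from any password manager or from the article: a strict origin check that refuses to fill a credential unless scheme, host and port match the saved entry, with optional subdomain matching, and that fails closed on anything it cannot parse. The `should_autofill` helper and every URL below are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str   # lower-cased, ASCII (punycode) form
    port: int


def origin_of(url: str) -> Optional[Origin]:
    """Reduce a URL to its origin. Returns None for anything that cannot be
    parsed safely so that the caller fails closed instead of guessing."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        # IDNA-encode so a homoglyph host (e.g. a Cyrillic 'а') becomes an
        # xn-- label that can never compare equal to the saved ASCII host.
        host = parts.hostname.encode("idna").decode("ascii").lower()
        port = parts.port or DEFAULT_PORTS[parts.scheme]  # .port raises on junk
    except (UnicodeError, ValueError):
        return None
    return Origin(parts.scheme, host, port)


def should_autofill(saved_url: str, page_url: str,
                    allow_subdomains: bool = False) -> Tuple[bool, str]:
    """Hypothetical autofill gate returning (decision, reason).

    The saved credential is bound to the origin it was captured on; the page
    must present the same scheme, host and port. A lookalike, or a host that
    merely contains the saved domain as a substring, never matches."""
    saved, page = origin_of(saved_url), origin_of(page_url)
    if saved is None or page is None:
        return False, "unparseable URL, failing closed"
    if page.scheme != "https":
        return False, "refusing to fill a credential into a non-HTTPS page"
    if page.scheme != saved.scheme or page.port != saved.port:
        return False, "scheme or port differs from the saved origin"
    if page.host == saved.host:
        return True, "exact origin match"
    if allow_subdomains and page.host.endswith("." + saved.host):
        return True, "subdomain of the saved host, allowed by policy"
    return False, f"host {page.host!r} is not the saved host {saved.host!r}"


if __name__ == "__main__":
    # Constructed URLs for illustration only.
    saved = "https://accounts.example.com/login"
    for candidate in (
        "https://accounts.example.com/oauth/authorize",   # fill
        "https://accounts.example.com.evil.net/login",    # suffix lookalike
        "https://accounts-example.com/login",             # hyphen lookalike
        "http://accounts.example.com/login",              # protocol downgrade
        "https://accounts.example.com:8443/login",        # wrong port
        "https://\u0430ccounts.example.com/login",        # Cyrillic 'a'
    ):
        print(f"{candidate:48} -> {should_autofill(saved, candidate)}")
```

Only the first candidate is filled. The suffix and hyphen lookalikes are exactly the domains phishing kits register, the HTTP variant would leak the password to anyone on the path, and the homoglyph host is caught because comparison happens on the punycode form rather than on what the user sees in the address bar.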

Keep your secrets safe from criminals

The need for shared secrets will never go away – and 100 percent protection does not exist. Bottom line? Despite the security challenges, passwords are here to stay. What matters is how user secrets are being generated, managed and protected.

Yes, strides are being made toward password-free authentication. For example, Fast Identity Online 2 (FIDO2) delivers phishing-resistant authentication in which the credential is bound to the site’s origin, so it cannot be replayed on a lookalike domain. However, implementation will take time and we are not likely to see 100% adoption. What can you do in the meantime?

The good news: there are steps organizations can take to prevent and mitigate password breaches. Regular penetration testing, including offline cracking of the organization’s own password hashes, surfaces weak and reused passwords before an attacker does.

In hacker circles, where I am better known by my online handle, EvilMog, I am a member of Team Hashcat, the password-cracking team with over a decade of password-cracking competition wins. I am also the Chief Architect of X-Force Red, an elite IBM Security team that can be engaged to “break into” organizations and uncover risky vulnerabilities.

The truth is, people will continue to forget their passwords, use insecure credentials and repeat them across accounts. But you don’t have to let poor password hygiene increase your security risk.

A zero trust approach, backed by strong password policies, secure password management tools, employee education on best practices and regular penetration testing, can protect your enterprise networks from credential-stealing cybercriminals.

Learn more

Read the Cost of a Data Breach 2022 Report.

