There are two kinds of companies in the world: those that have been breached by criminals, and those that have been breached and don’t know it yet. Criminals are relentless.

Today’s cyberattacks have evolved into high-level espionage perpetrated by robust criminal organizations or nation-states. In the era of software as a service (SaaS), enterprise data is more likely to be stored on the cloud rather than on prem. Using sophisticated cloud scanning software, criminals can breach an enterprise system within seconds of coming online. And the cost of a data breach can be enormous.

As the crucial first line of defense against hackers, passwords have been used since the dawn of the Internet, and I believe they will continue to be used long after I retire.

Yet, the majority of company-related passwords fail to meet minimum security requirements — and the number of companies lacking multi-factor authentication tools or enterprise controls is staggering.

As a specialist in password cracking, I help lead IBM’s X-Force Red, an autonomous team of veteran hackers within IBM Security that helps businesses discover and identify critical vulnerabilities to cyberattacks. Our mission is to “hack anything to secure everything.”

One thing I know for sure: your enterprise system will be hacked. Password breaches are on the rise, and the vast majority of enterprise breaches can be attributed to poor password security. So, how can your business protect itself?

Strong password hygiene paired with an enterprise password manager, backed by company policies and multi-factor authentication, will reduce your risk. And in the age of cloud, zero trust security must be wrapped around every connection, every device, every user, every time.

To Improve Password Security, Reduce User Friction

Why are weak passwords so commonplace? With online accounts multiplying, password fatigue is on the rise. To make life easier, many people repeat the same, easy-to-remember password across multiple accounts. These weak passwords can be easily cracked, creating security vulnerabilities that allow cybercriminals to access company, employee and client data.

Whether passwords are stolen through phishing, malware or brute force attacks, they give criminals access to valuable company and/or personal information. This stolen information can be sold on dark web marketplaces, where it can be used to perpetrate multiple, ongoing attacks associated with the original breach.

A password manager can prevent issues before they arise by automating password resets and preventing unnecessary Active Directory lockouts — reducing user friction and lost productivity. When integrated across systems and even accessible outside of employees’ business assets, it can drive real business value. Yet only a fraction of companies purchase an enterprise password manager, citing cost as a factor.

I believe the investment cost of a password manager must be weighed against the losses associated with a breach and associated user productivity. For example, if users are locked out of their computers — and don’t have a company phone to perform two-factor authentication (2FA) — there is an immediate productivity loss while they call the help desk and wait to be unlocked.

Start with Good Password Hygiene

A good password provides a simple way to protect against the vast majority of cyberthreats. Let’s look at password habits that can minimize the impact of password weakness and help improve your organization’s security.

  • Go long! Use a 12-16 character string of numbers, special characters, upper and lowercase letters, symbols, and non-dictionary words. It would take several years for a brute force attack to crack such a password.
  • A no-repeat policy is best. 52 percent of all internet users admit they use the same password across many accounts. One breach can compromise your enterprise security.
  • Change passwords often, especially after a successful attack. And don’t share them with anyone or write them down on sticky notes.
  • Layer protection with two-factor (2FA) or multi-factor (MFA) authentication, ideally paired with a dedicated Authenticator app that can generate a unique and frequently changing code. Biometric authentication – fingerprints, retinal scans, voice signatures – can add security as part of MFA, but it isn’t foolproof. A secure password will always be an important component of biometric authentication.

9 Reasons to Use an Enterprise Password Manager

Frequent cycling of authentication secrets is one of the best defenses against compromise. A reputable password manager such as 1Password for enterprise generates unique credentials for each account and stores them securely in a vault where individuals, employees, or teams can access them using a master password. Here are nine reasons a password manager makes good business sense.

  1. Ease password overload: Cloud-based password managers provide the convenience of accessing passwords from any device.
  2. No more weak passwords: Long, intricate passwords that would take hackers years to crack are effortlessly generated by password managers.
  3. Monitor password changes: A password manager helps support company security policies by monitoring how often passwords are changed and whether they meet company policy.
  4. Harder to hack: Password managers make it harder for criminals to steal identities as auto-generated passwords are not tied to the user’s identity and do not include personal details.
  5. Improve operational efficiency: Your IT help desk spends hours resolving employee password reset requests, a waste of business resources. A password manager eliminates these issues and improves IT and end user productivity.
  6. Protect against phishing and identity theft: A password manager will not autofill a phishing form if a user clicks on one by mistake. Not only will it recognize the false domain name, but it could also alert the security team of the event.
  7. Contain data breaches: By generating a unique password for each application, the password manager eliminates the data breach domino effect when a single account is compromised.
  8. Built-in two-factor authentication: Most business password managers enforce 2FA or MFA for users before they are allowed to access your company portal or applications.
  9. Better security than browser password management: Users often allow passwords to be saved in the browser memory to be auto-filled when logging in. This is not safe for your business. If the device is compromised, passwords can be stolen. With a password manager, the user must have a master password to unlock the vault.
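The “Go long!” rule above and the manager’s “no more weak passwords” point can be made concrete in code. The following added example (not from the original post or from any product it mentions) checks a password against those rules, estimates worst-case brute-force time at an assumed guess rate, and generates a compliant password from a CSPRNG the way a manager would; the guess rate and the tiny dictionary are constructed assumptions, not measured figures.

```python
import secrets
import string

# Character classes from the "Go long!" rule (12-16 chars, mixed classes).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())

# Constructed mini-dictionary standing in for a real wordlist (assumption).
DICTIONARY = {"password", "welcome", "summer", "company", "admin"}


def check_policy(pw: str, min_len: int = 12, dictionary=DICTIONARY) -> list[str]:
    """Return the policy rules a password violates (empty list = compliant)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append(f"missing {name} character")
    lowered = pw.lower()
    if any(word in lowered for word in dictionary):
        problems.append("contains a dictionary word")
    return problems


def brute_force_years(pw: str, guesses_per_second: float = 1e11) -> float:
    """Worst-case years to exhaust the keyspace built from the classes actually
    present in pw. The default rate is an assumed GPU-cracking figure; real
    attackers try wordlists and rules first, so this is an upper bound only."""
    space = sum(len(chars) for chars in CLASSES.values()
                if any(c in chars for c in pw))
    combos = space ** len(pw)
    return combos / guesses_per_second / (365 * 24 * 3600)


def generate_password(length: int = 16) -> str:
    """Generate a policy-compliant password from the OS CSPRNG, retrying until
    every character class is present and no dictionary word appears."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(pw):
            return pw
```

Running check_policy on a reused seasonal password such as "Summer2023!" flags both its length and the dictionary word, which is exactly the pattern cracking rigs target first.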

Keep Your Secrets Safe From Criminals

The need for shared secrets will never go away – and 100 percent protection does not exist. Bottom line? Despite the security challenges, passwords are here to stay. What matters is how user secrets are being generated, managed and protected.

Yes, strides are being made toward password-free authentication. For example, Fast Identity Online 2 (FIDO2) promises to deliver a frictionless, secure online authentication mechanism. However, implementation will take time and we are not likely to see 100% adoption. What can you do in the meantime?

The good news: there are steps organizations can take to prevent and mitigate password breaches. Enterprises that invest in frequent penetration testing can quickly uncover and strengthen weak passwords.

In hacker circles, where I am better known by my online handle, EvilMog, I am a member of Team Hashcat, the password cracking team with over a decade of password-cracking competition wins. I am also the Chief Architect of X-Force Red, an elite IBM Security team that can be engaged to “break into” organizations and uncover risky vulnerabilities.

The truth is, people will continue to forget their passwords, use insecure credentials and repeat them across accounts. But you don’t have to let poor password hygiene increase your security risk.

A zero trust approach, backed by strong password policies, secure password management tools, employee education on best practices, and regular penetration testing can protect your enterprise networks from credentials-stealing cybercriminals.

Learn More

Read the Cost of a Data Breach 2022 Report.
