Week 4: Using Enterprise Password Managers to Combat Credential Reuse
Over the last few weeks, data breaches have been in the news and credential-stuffing attacks are on the rise. For example, a set of over 1500 Ring doorbell credentials is circulating after another 3000 were compromised in a probable credential stuffing attack. Credential stuffing is when compromised user credentials from one service are used to log on to a different service because the users didn't use unique login information. To avoid exposing our users, and therefore our systems, to this type of attack it is important to put in place policies banning password reuse, and to educate our users not to reuse passwords.
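As an added example (not part of the original post), here is a small detection routine a defender can run over authentication logs to spot the pattern described above: many distinct accounts attempted from one source address within a short window, which is what a credential-stuffing run looks like from the target's side. The log format, the sample lines and the threshold values are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the original post): one address tries
# many different accounts in seconds; a normal user retries only their own.
SAMPLE_LOG = """\
2019-12-20T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2019-12-20T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2019-12-20T10:00:03Z src=203.0.113.7 user=carol result=SUCCESS
2019-12-20T10:00:04Z src=203.0.113.7 user=dave result=FAIL
2019-12-20T10:00:05Z src=203.0.113.7 user=erin result=FAIL
2019-12-20T10:05:00Z src=198.51.100.9 user=alice result=FAIL
2019-12-20T10:05:30Z src=198.51.100.9 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Yield (timestamp, src, user, result) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
               m["src"], m["user"], m["result"])

def find_stuffing_sources(text, window=timedelta(minutes=5), min_users=5):
    """Map src -> users for sources trying >= min_users distinct accounts
    within one window. A user retrying their own password never trips this."""
    events = defaultdict(list)  # src -> [(ts, user), ...]
    for ts, src, user, _ in parse_log(text):
        events[src].append((ts, user))
    flagged = {}
    for src, attempts in events.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = users
                break
    return flagged

def accounts_to_review(text, **kw):
    """Accounts a flagged source actually got into: likely reused passwords."""
    flagged = find_stuffing_sources(text, **kw)
    return sorted(u for _, s, u, r in parse_log(text)
                  if s in flagged and r == "SUCCESS")
```

Accounts returned by `accounts_to_review` are the ones whose owners most likely reused a password from a breached service and should be reset first.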
In a 2014 study, Stobert & Biddle found that their median participant had 27 different accounts, of which they used approximately 11 weekly. Because of this volume of accounts, if we expect our users to maintain unique credentials and also avoid writing them down in an insecure manner, we should provide them with a password manager on our enterprise systems which they can use to store the memorized secrets that they use on company systems.
In order to choose the best password manager for enterprise use, it's important to consider both user experience and security. Both 1Password and Dashlane score high marks on security, but user experience is also important. In a 2016 survey of enterprise password managers, Spanish researchers found that Dashlane and LastPass had the best usability scores across their five metrics, with 1Password coming third. Fortunately, both Dashlane and 1Password provide business plans for approximately $4 per user per month with comparable suites of enterprise management and security tools, including two-factor authentication. Given the potential impact of data breaches and the risk of credential stuffing attacks, that seems like a relatively low cost to help your users avoid the temptation to reuse passwords.