
CYBR650 Blog #5: Passwords: Storing, Securing, Sending

As the IoT (Internet of Things) grows, the number of usernames and passwords we all create and somehow have to remember expands as well. Bank accounts, social media, email, even your son’s Xbox Live account can hold credit card numbers and other private information; if this data falls into the wrong hands, fraudulent charges and identity theft can follow. While it may seem like an easy fix to just use the same password for every account, I would strongly advise against it (if someone gets that one password, they then have access to everything).

As most people know, keeping a Post-it note stuck to your computer with your login information on it is not ideal, nor is compiling it all in a Word document on your computer saved under “Do not Look.” So, what can be done about the safety, accessibility, and redundancy of your login information? And what is the best way to send and receive passwords in the workplace?

First, let’s discuss storing and securing passwords; since we are living in the years of having an app for everything, yes, there is an app for this too. Password managers are programs that store numerous usernames and passwords and only require a single password to access them. Coupled with multi-factor authentication, such as requiring a text message or email verification, a password manager is an excellent way to remember and safeguard access to some of the most sensitive information sources you have.

Password managers can also fill out forms automatically, can sync across macOS, Android, iOS, and Windows, and can even scan the dark web for compromised account info as well as record shopping receipts. There are several products to choose from, including my personal favorites Keeper Password Manager & Digital Vault, and Dashlane.

You can also let your internet browser store passwords and autofill form data. While this is very effective for remembering them and simplifying the process of logging into websites, anyone who gains access to your computer then benefits from not having to know your passwords either: the saved credentials are only as protected as the device and account they sit on.

Now, what is an appropriate method to, say, securely send sensitive login credentials in the workplace?

Well, there are several ways to accomplish this. You could simply write the credentials on a piece of paper and deliver it by hand; this is probably the most straightforward and secure process as long as the paper is shredded afterwards (although nobody can guarantee that this will be done). As stated before, you could also use a password manager: upload the shared usernames and passwords to it and give employees instructions on how to access it. This method is sufficient as long as the shared vault holds none of your personal account information. Next, you could send the passwords by email using confidential mode, as Gmail offers. For details of how to use confidential mode, see below.

  • On your computer, go to Gmail.
  • Click Compose.
  • In the bottom right of the window, click Turn on confidential mode.
  • Set an expiration date and passcode.
  • Click Save.

By choosing confidential mode, you can set an expiration date that erases the message after a set amount of time (a day or two is reasonable, with a note telling employees they need to access it immediately). Requiring a passcode to open the email ensures nobody else can read it unless they are the person you originally sent it to. Other email services have encryption options that work in the same manner.

Of course, there are several other ways to send the data securely. You could use an encrypted USB drive or another removable storage device; however, if it gets misplaced or stolen, that information could potentially be retrieved. You could also send it via a chat service or text message on a phone, although messages sent this way are rarely deleted, which widens the window for unauthorized access.

Single sign-on (SSO) authentication allows users to access multiple accounts, services, and applications utilizing a single login (such as a username and password). I use SSO quite often in both my professional and business life, as Google’s suite of applications (which I love) allows for simple authentication across different domains. As we all know, remembering passwords for each service we use can be a chore, so SSO makes life much easier.

SSO achieves authentication across multiple systems in four main steps. First, for this example, a user arrives at a website they wish to use. To gain access, the site sends the user to a central SSO login tool, where the user enters their credentials. Next, the SSO domain authenticates the entered credentials, either validating or denying the user, and creates a token for the user if they are approved. Finally, the user is sent back to the original website they were trying to access, but this time in possession of an embedded token that serves as proof of authentication; with this token, they can access any websites and applications that share the central SSO domain (Swoop, 2019).
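The four-step flow above, as an added example that is not part of the original post: a toy central SSO login tool that checks credentials and issues a signed, expiring token, plus the check that any site sharing that SSO domain can run on the token without ever seeing the password. The shared secret, the user store and the HMAC token format are assumptions made for this example; real deployments use a standard protocol such as SAML or OpenID Connect.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a secret shared between the central SSO login
# tool and every site that trusts it. Real deployments use a standard protocol
# (SAML or OpenID Connect) with asymmetric signatures rather than this HMAC.
SSO_SECRET = b"example-shared-secret-do-not-reuse"
TOKEN_LIFETIME_SECONDS = 300

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store for the SSO domain: username -> (salt, password hash).
_SALT = b"constructed-static-salt"
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}

def _sign(body: str) -> str:
    return hmac.new(SSO_SECRET, body.encode(), hashlib.sha256).hexdigest()

def sso_login(username: str, password: str, now=None):
    """Steps 2 and 3: the SSO domain checks credentials and, only on success,
    issues a signed token naming the user and carrying an expiry time."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        return None  # unknown user: denied
    salt, stored = record
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None  # wrong password: denied
    claims = {"sub": username, "iat": int(now), "exp": int(now) + TOKEN_LIFETIME_SECONDS}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + _sign(body)

def verify_token(token: str, now=None):
    """Step 4: any site sharing the SSO domain validates the token on its own.
    Returns the username, or None when the token is rejected."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None  # malformed
    if not hmac.compare_digest(sig, _sign(body)):
        return None  # forged or tampered: signature does not match
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        return None  # expired
    return claims["sub"]
```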

SSO is quite secure with proper implementation, as it eliminates the chance of using multiple weak passwords (and forgetting them) and makes it easier for administrators to manage and audit logins. By utilizing SSO, the vast number of usernames and passwords we have to remember (and that are at risk of attack) is significantly reduced, giving us the chance to focus on creating (and securing) a single, sophisticated SSO credential. That one credential now guards everything behind it, so it deserves the multi-factor authentication described earlier.

I hope this information helps you maintain control of your access to the digital world. As losing a single password can become quite the headache, it is crucial sometimes to use tech to access tech, if that makes sense.

References

Swoop. (2019, May 30). What Is Single-Sign-On Authentication & How Does It Work? Retrieved May 23, 2021, from https://swoopnow.com/sso-authentication//.

Colby, C. (2020, August 06). 9 rules for strong passwords: How to create and remember your login credentials. Retrieved May 23, 2021, from https://www.cnet.com/how-to/9-rules-for-strong-passwords-how-to-create-and-remember-your-login-credentials/.
