In a recent blog post titled 6 Email Security Tips For Small Businesses in 2021, I discussed how adopting proper password practices and routines would enhance the security of your email account. That advice extends to anything that requires a password. In this post, we’re going to go over the fundamentals of account authentication, passwords, and why password managers are beneficial for small businesses. I figure a disclaimer should be added here that I am in no way affiliated with, or accepting monetary compensation from, Bitwarden (the password manager I discuss at length in this post).
The problem with passwords:
I’ve done quite a bit of reading over the years on the problem with passwords (1, 2, 3) and come to a few conclusions of my own on what the common problems with passwords are. Although backed by writings from other individuals, this section is largely personal opinion. I don’t want to put forth the idea that I’m an expert in user authentication or password management, so I figure a second disclaimer is warranted.
They require us to remember a very specific string of words/characters.
Back before the rise of social media, smartphones in our pockets, and a predicted 1.7 billion+ websites globally, I can recall a time when I only had maybe 10-12 websites that I was registered on and that were important enough for me to remember the password to. Like many others probably did, I used a word, followed by a number (usually a 1), followed by a symbol (usually an exclamation mark) when creating a password for a website. This password was often the same as, or very similar to, the password I used on the last site I registered for. We didn’t hear about or experience website compromises the way we do today. But as the Internet matured, so did the number of websites I registered on. 12 accounts soon bloomed into 30, which turned into 60, and eventually landed me at the 300+ accounts I have stored in my Bitwarden password manager today.
Now, I can’t say that many individuals online, especially those reading this, would have 300+ accounts to remember passwords for. But I can say that if I were following recommended password practices and using a unique, complex password for each of these sites, there is NO WAY I’d be able to remember them all. It’s hard enough to remember the few passwords that Bitwarden doesn’t store for me! We’re also at a disadvantage in 2021 with smartphones in our front pockets. When we register on a new app we just downloaded, we are not typically required to enter that password again until we uninstall the app or it forces us to update or confirm our security settings. As such, we can go months or even years without needing to type that password in again, which becomes a problem when we do eventually need to recall it. This is also why many individuals just default to one of the same few passwords they have remembered for years.
There is no universal standard for password requirements.
As someone who spends hours on their computer every day and has done a lot of self-learning in privacy/security fields, this one really grinds my gears! There is currently no universal password policy that website and service developers must follow when asking you to register (and for good reason, which I’ll discuss below). This means that when I register on Site A, it might ask me for a password that is at least 8 characters and has 1 number, 1 symbol, and 1 uppercase letter. Site B, however, might require that my password be at least 12 characters and include a number or symbol, and throw an error when we input any password longer than 24 characters. (A low maximum length like that is a red flag on its own: current NIST SP 800-63B guidance says a service should accept passwords of at least 64 characters, and a hard cap usually means the backend is imposing a constraint on a secret it should only ever be hashing.) Because there’s no standard in place, and the systems and architecture used to build out these websites and services can be vastly different, it creates headaches for the users who are tasked with registering an account. But it’s not like we could just define a universal standard either. Who would make the rules? How would it be enforced? What if Site B’s system can’t have % signs in their passwords? This would never work…
So the end-user (which is us) is tasked with creating passwords of varying complexity, not reusing them across different websites, apps, and services, and is often told that those passwords should be updated frequently. That last part is incorrect, by the way: NIST SP 800-63B explicitly recommends against forcing periodic password changes, and says a password should be changed when there is evidence it has been compromised. Forced rotation becomes a huge issue that leads to forgotten passwords, the need to reset them, and the potential for the cycle to repeat itself.
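To make the policy discussion concrete, here is an added example (my own illustration, not code from the original post or from any of the services mentioned) of what a password-acceptance check in the style of NIST SP 800-63B looks like: a minimum length, a generous maximum, no composition rules at all, Unicode normalization so the same secret is compared the same way every time, and a check against a breach corpus using the k-anonymity range-lookup idea that Have I Been Pwned popularised (only the first five hex characters of the SHA-1 hash would ever leave the client). The blocklist, the range table and the constant names are constructed for this demo.

```python
"""Password-acceptance check in the style of NIST SP 800-63B.

Added example, not from the original post. The common-password list and
the k-anonymity range table below are constructed for the demo; a real
deployment would load a breach corpus or query a range API.
"""
import hashlib
import unicodedata

MIN_LEN = 8      # NIST SP 800-63B minimum for user-chosen passwords
MAX_LEN = 256    # must be well above 64; the cap only bounds hashing cost

# Constructed: a handful of entries of the kind a breach corpus contains.
COMMON_PASSWORDS = {"password", "password1", "123456789", "qwerty123", "letmein!"}

# Constructed k-anonymity range table: SHA-1 prefix -> {suffix: breach count}.
# The one entry shown is the real SHA-1 of "password" split 5/35.
RANGES = {
    "5BAA6": {"1E4C9B93F3F0682250B6CF8331B7EE68FD8": 3861493},
}


def normalize(password: str) -> str:
    """NFKC so visually identical strings (e.g. the "fi" ligature) compare
    equal; inner whitespace is kept, since it is part of the secret."""
    return unicodedata.normalize("NFKC", password)


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def in_breach_corpus(password: str, ranges: dict) -> bool:
    """HIBP-style lookup: hash locally, look up the 5-char prefix, then
    compare the remaining 35 chars against the returned suffixes."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in ranges.get(prefix, {})


def check_password(password: str, blocklist=COMMON_PASSWORDS, ranges=RANGES):
    """Return (accepted, reason). Deliberately no composition rules:
    length plus a breach/common-password check is the whole policy."""
    password = normalize(password)
    if len(password) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(password) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    if password.lower() in blocklist:
        return False, "appears on the common-password list"
    if in_breach_corpus(password, ranges):
        return False, "found in a breach corpus"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["Password1", "short", "correct horse battery staple", "x" * 70]:
        print(repr(candidate[:30]), check_password(candidate))
```

Note what is absent: no "one uppercase, one digit, one symbol" rule, and no error for a 70-character passphrase. The check that actually removes weak passwords is the list lookup, which is why Site A's and Site B's differing composition rules buy so little.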
Password resets are also terrible and often terribly designed:
The problem with passwords doesn’t stop at the password itself; it bleeds into other areas of account security as well. Password resets are a necessity with every account you register online. The first problem with password resets is that the more often we are tasked with resetting, updating, or otherwise changing a password, the more likely we are to forget it or store it improperly. In practice, I don’t recommend that users change a password more than once a year unless they have reason to believe it has been compromised or their device(s) have been infected with malware. The second problem I have with password resets is that they don’t generally follow good security practices. For the majority of online accounts we typically have 2 options to reset a password:
- I can get a link sent to my email
- I can get a code texted to my phone
I don’t particularly like either of these methods when it comes to security. Why? Because if someone has access to my phone, to my phone number via a SIM-swap attack (sometimes called SIM-jacking), or to the email account I used when I signed up to that website, they can likely take over the account. For some websites this isn’t a big deal, but I certainly want my Facebook, Apple ID, or bank account to have stronger methods in place. Some companies are realizing this and now require multiple steps in order to reset your password, which is much better.
I’ve done a lot of thinking on what my ideal password reset scenario would look like for the general public, and I honestly haven’t gotten very far. It would be neat to integrate it with services like “Sign in with Apple/Google,” but that centralizes the process and leaves out a big chunk of the population, such as those on Android devices without an Apple ID or those without Google accounts. Security questions were also out of the question, as people share the very information those questions ask for (first pet, mother’s maiden name, street they grew up on) in “viral” Facebook posts daily. I then considered recovery codes provided at registration, but they are often improperly stored, not stored at all, or lost before they are needed. The best solution I was able to come up with was requiring everyone to use one-time passwords as a second mode of authentication and then integrating that into the password recovery process like this:
- The website requires that I use OTP two-factor authentication (Authy, Aegis, Google Authenticator, etc.)
- I click some sort of button that says I forgot my password on the login page
- I input the email I used when I registered
- It asks me for a one-time password from my 2FA app
- It sends a password reset link to my email
This would increase the difficulty of an attack, as the attacker would need both the mailbox and the user’s phone or other physical device (or the TOTP seed enrolled on it) before being able to reset the password and gain access to the account. Two caveats: the site has to require the OTP at login too, otherwise the reset path is the only place it is checked; and whatever path exists for a user who has lost their authenticator becomes the new weakest link and needs the same care. It would also require many users who are not currently using OTP apps to learn yet one more thing. Maybe the smarter security folk will come up with a solution that is both secure and incredibly easy.
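The flow in the five steps above, written out as an added example (my own illustration, not code from the original post or from any real service): TOTP is implemented per RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) with the standard library only, the reset request gives the same reply whether the address is unknown or the code is wrong, and the link token is random, stored only as a hash, single-use, and expires after 15 minutes. The account store, the function names, and the TOTP secret (the RFC 6238 test-vector secret) are constructed for this demo; "emailing" the link is simulated by returning the token.

```python
"""Password reset gated on a TOTP code (RFC 6238) before a link is issued.

Added example, not from the original post. ACCOUNTS, RESET_TOKENS and the
TOTP secret are constructed for the demo; the secret is the RFC 6238 test
vector so the codes below can be checked against the RFC.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30              # TOTP time step (seconds)
DIGITS = 6
DRIFT_STEPS = 1        # accept one step either side for clock skew
TOKEN_TTL = 15 * 60    # reset links expire after 15 minutes
GENERIC_REPLY = "If that address is registered, a reset link has been sent."

# Constructed demo account store: email -> record.
ACCOUNTS = {
    "alice@example.com": {
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",   # base32("12345678901234567890")
        "password_hash": None,                                # (salt, scrypt) once set
    }
}
RESET_TOKENS = {}   # sha256(token) -> (email, expires_at); only the hash is stored


def totp(secret_b32: str, for_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for a base32-encoded shared secret."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", for_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp_valid(secret_b32: str, code: str, now: int) -> bool:
    """Constant-time compare against the current step and its neighbours."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + d * STEP), code)
        for d in range(-DRIFT_STEPS, DRIFT_STEPS + 1)
    )


def request_reset(email: str, otp_code: str, now=None):
    """Steps 3-5: email + OTP -> (user-visible reply, token for the link)."""
    now = int(time.time() if now is None else now)
    acct = ACCOUNTS.get(email)
    # Identical reply for unknown address or bad code: no enumeration
    # oracle, and no hint to an attacker who holds only the mailbox.
    if acct is None or not totp_valid(acct["totp_secret"], otp_code, now):
        return GENERIC_REPLY, None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, now + TOKEN_TTL)
    return GENERIC_REPLY, token   # the token belongs in the emailed link only


def complete_reset(token: str, new_password: str, now=None) -> bool:
    """Consume the link token; fails closed on unknown, reused or expired."""
    now = int(time.time() if now is None else now)
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    email, expires_at = entry
    if now > expires_at:
        return False
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(new_password.encode(), salt=salt, n=2 ** 14, r=8, p=1, maxmem=2 ** 26)
    ACCOUNTS[email]["password_hash"] = (salt, digest)
    return True


def check_login(email: str, password: str) -> bool:
    acct = ACCOUNTS.get(email)
    if acct is None or acct["password_hash"] is None:
        return False
    salt, stored = acct["password_hash"]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, maxmem=2 ** 26)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    t = 59                                    # RFC 6238 test time: code 287082
    print(request_reset("alice@example.com", "000000", t))
    reply, link_token = request_reset("alice@example.com", totp("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", t), t)
    print(reply, "->", complete_reset(link_token, "correct horse battery staple", t + 60))
```

The two details that do the real work are the generic reply (an attacker who controls the mailbox learns nothing from a failed OTP) and the single-use, hashed, expiring token: a leaked copy of the reset email is worthless once the link has been used or fifteen minutes have passed, and a dump of the token table gives nobody a usable link.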
What can you do differently as a user/manager/owner?
The answer is actually pretty simple on the surface: adopt stronger password practices. The issue runs much deeper than that, though, because there’s a lot to comprehend and learn. Telling someone to “just download Bitwarden and start using it” may be realistic for some individuals (like myself), but it’s certainly not going to produce adequate results with every individual or small business. There’s a lot of setup involved in using a password manager, especially when you’re tasked with getting a solid system implemented for your entire organization. Then you have to teach everyone how to use the software, keep their password manager account secure, not fall for phishing attacks, properly enter new websites and logins into the vault, and so on.
Once you get a proper password storage system in place and everyone knows how to use it, it will be a big step in the right direction for strong organizational security. Thankfully, many password managers have onboarding videos, specialists, and dedicated avenues for support that can help small businesses and organizations get off the ground and securely store their company logins. Bitwarden runs live weekly demos and has many videos that explain the setup process for teams in detail. I would recommend having one individual within your organization do most of the training and learning at the start, and then having that individual teach everyone else.
But if even the thought of having someone from your organization take on the task of getting trained seems daunting or near impossible, then it might be time to hire some help. I’ve not only been using password managers but also teaching others how to use them for years. I’ll gladly work with you to get a password management system implemented. Just use the form below to get in touch with me and we can book a time for a quick consultation.
Take care and stay safe,
Joshua