It’s some of the most common security advice on the internet: Never use the same password between different accounts.
That’s because despite all the attention paid to hackers exploiting so-called “zero-day” exploits, or previously undiscovered security holes, plenty of prominent digital attacks still rely on stolen passwords. Video streaming site Vevo was recently hacked through one-click login app Okta after a “LinkedIn phishing scam,” publishing giant Conde Nast has recently warned employees about such attacks, and electric companies have been struck by targeted phishing aimed at getting access to the power grid. The Anti-Phishing Working Group, an international organization, says that phishing scams increased 65% between 2015 and 2016.
And while the recent mammoth Equifax hack apparently didn’t involve stolen credentials, the company reportedly had a similar issue in Argentina: An employee site could be accessed using the word “admin” as both username and password.
Using the same usernames and passwords across multiple sites increases the danger from stolen credentials, since hackers can use the same login information to steal data from multiple sites. But duplicating credentials is still a common practice, since passwords can be a pain to remember, and employers using third-party cloud services often lack technical ways to impose stricter password requirements than whatever those services have by default.
That’s why Dashlane, the New York-based company behind a password management program of the same name, is rolling out a new feature to alert administrators when their corporate users share passwords between accounts or utilize ones that are easy to guess.
“As far as we know, it’s the only way a company today can enforce a password policy, by having that understanding and visibility to know if it’s even being followed,” says chief marketing officer Jeff Paradise.
Dashlane, which like other password managers stores encrypted versions of passwords for other sites that are accessible only when a user unlocks them with a memorized master password, doesn’t share the risky passwords with administrators or anyone else, Paradise explains. Instead, it simply delivers them the statistics on how many such passwords a user has.
“It’s pretty eye-opening,” Paradise says.
A recent survey of more than 500 IT administrators and other workers found that about 46% of employees use personal passwords for company accounts, according to Dashlane. And 20% of employees surveyed said they weren’t sure whether their companies had password policies, while nearly a third said they didn’t know whether they were in compliance with their employer’s standards.
The new version of Dashlane, Dashlane Business 2.0, also offers support for what it calls Smart Spaces, which lets users store passwords for both work and personal accounts, and lets administrators manage groups of users’ access to company accounts.
The accounts are automatically segregated, so companies can’t see what personal credentials their employees are storing. That’s something that neither workers, mindful of privacy, nor their bosses, worried about liability, want. “The company has no visibility into the personal space whatsoever,” Paradise says.
Dashlane, which says it has 8 million consumer users, isn’t the only cross-platform password manager. Some, like Dashlane and rival LastPass, automatically store and sync passwords encrypted on their own cloud servers. Others, like the open-source tool KeePass, let users manage that data in files they control, syncing it via Bluetooth or with a cloud storage tool like Dropbox or Google Drive.
Single Point Of Failure?
Users are ultimately reliant on password manager software and servers to keep their data safe: If the encrypted data is somehow compromised, hackers could gain access to all of their accounts. Password managers OneLogin and LastPass have both suffered breaches in the past where hackers gained access to user data, though software companies typically emphasize that since passwords are stored encrypted, hackers are unlikely to be able to steal them in usable form.
The master password is also a potential failure point for such software, since an attacker who steals or guesses it can get passwords for all of a user’s accounts, and if it’s forgotten and not backed up, the user might have trouble accessing their own accounts. With the new version of Dashlane, if business users forget their master passwords–a fear of some password manager users that can cause them to, ironically, store those passwords insecurely–they can be recovered with the help of their corporate IT department.
Instead of encoding account passwords directly with an encryption key tied to the master password, the system generates keys for each of a user’s devices, then encrypts those keys using the master passwords.
Backup copies of the keys are also stored separately encrypted, so they can be recovered with the user’s permission and an administrator account, Paradise says. It’s part of the company’s effort to create a tool that employers and employees alike will actually be willing to use, which Paradise says is often one of the more difficult aspects of any security policy. Seven thousand companies are now using Dashlane software, he says.
“The hard part is you have to put a tool in front of employees that’s easy to use,” he says.