Cybersecurity 101: Password managers and 2FA

What your business should be doing today

Fledgewell Team
Monday 24 August 2020
Business leaders are more aware than ever of the threat posed by cybersecurity failure. What really causes sweat to rise, however, is the sense of powerlessness - especially for CEOs from a non-technical background. The sinking feeling remains that it's just horrible luck if a murky hacker turns their attention your way.

The stark reality is that most forms of cybersecurity failure result not from technical wizardry but simply from account credentials getting into the wrong hands. This is as true for individuals as it is for companies.

The good news is that there are 2 pieces of low-hanging fruit which go a long way to providing protection against the threat. The bad news is many businesses (startups and SMEs especially) are not implementing them.

Password Managers

There are several ways for a password to get into the wrong hands, but the two most likely are that the password is easily guessable (very short, a common password, etc.) or that the password is repeated across many services, so that if just one service is successfully attacked, you are vulnerable everywhere.

Password managers solve both of these problems. They will generate very strong, random, unique passwords you can use for your various online accounts, and encrypt them. To retrieve a password, it is only necessary that you or an employee knows their own (not shared) master password and uses a device which has been granted access.
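To make the two problems concrete, here is an added example (not from the original article) that checks a list of account passwords for the weaknesses named above, guessable and reused, and generates random replacements. The sample accounts, the small common-password list and the 12-character minimum are assumptions constructed for the illustration.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample data: service -> password, as a shared spreadsheet
# might look before a password manager is adopted.
SAMPLE_ACCOUNTS = {
    "email": "Summer2020",
    "payroll": "Summer2020",
    "crm": "password",
    "bank": "x9$Lq!vT2#pZr8@Wm4Kd",
}

# Tiny stand-in for a real common-password list (assumption).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
MIN_LENGTH = 12  # assumed policy threshold, not stated in the article

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def audit(accounts):
    """Return {service: [reasons]} for guessable or reused passwords."""
    services_by_password = defaultdict(list)
    for service, password in accounts.items():
        services_by_password[password].append(service)

    findings = defaultdict(list)
    for service, password in accounts.items():
        if len(password) < MIN_LENGTH:
            findings[service].append("too short")
        if password.lower() in COMMON_PASSWORDS:
            findings[service].append("common password")
        others = [s for s in services_by_password[password] if s != service]
        if others:
            findings[service].append("reused on: " + ", ".join(sorted(others)))
    return dict(findings)


def generate_password(length=20):
    """Build a random password using the operating system's secure RNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for service, reasons in audit(SAMPLE_ACCOUNTS).items():
        print(f"{service}: {'; '.join(reasons)} -> use {generate_password()}")
    print(f"20 random characters is about {entropy_bits(20):.0f} bits")
```
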

This is not just a vast improvement, it is also a quicker workflow. Most quality password managers come with OS and browser extensions, allowing you to quickly populate online login forms. It is quicker still if your computer has Face ID or a touchpad (the same goes for phones).

Employees can be given access to a limited number of passwords - only those they need to do their job. Furthermore, when they leave a company it is very easy to see exactly which accounts they had access to and thus which to change.

Two Factor Authentication

Almost certainly you will already be using this with some of your accounts. You should be, especially for critical ones such as your primary email. The premise is simple: as well as your password you need something else - the second factor - to access an account.

With 2FA, even if someone knows one of your passwords, they still can't access an account without your second factor.

Most commonly the second factor is an SMS sent to a phone. Unfortunately this is the least secure method of all. Whilst still better than no 2FA, SMS is not a particularly secure communication channel. Moreover, it is far too easy for hackers to persuade phone companies to switch your account to a new SIM card, known as SIM-jacking.

Better is a dedicated authentication app (e.g. Authenticator or Authy) on your phone, which will work with most accounts. You can even use your password manager to store 2FA as well. This is by far the most convenient approach, though it is only useful insofar as the processes around your password manager are secure.

Either way, implementing a policy enforcing 2FA access for all employee accounts is an easy win for your cybersecurity.