In an era of connected devices, manage your password like a CISO
Mon 15 Jun 2020 | Charles Poff

Charles Poff, CISO at SailPoint, details the CISO approach to password management
As many of us stay home, we are relying more than ever on apps and online services to stay connected. But recent headlines have highlighted that the vulnerabilities within apps downloaded to our devices can leave them open to exploitation.
To add fuel to the fire, even the very connected devices we use are susceptible to attack. High profile breaches have come to light over the past year, notably a hacker being able to talk to a young girl via a home security camera in her room.
For organisations, this presents significant challenges when dealing with internal security. With the traditional security perimeter already weakened as a result of mass working from home, it’s crucial steps are taken to ensure the devices and online platforms we use to work remotely are robust and secure.
Part of this comes down to protective measures taken by users themselves. Cyber criminals often gain access to devices and accounts via unprotected logins. In January, for example, a hacker published a huge list of Telnet credentials for over 515,000 smart devices, servers and home routers, citing devices’ factory-set default usernames and passwords, as well as custom but easy-to-guess password combinations, as reasons behind the successful breach. And recently, the National Cyber Security Centre warned owners of smart cameras and baby monitors that cyber criminals can access these devices if users don’t change their default passwords.
While it may feel tediously repetitive, talking about passwords is a critical part of your cybersecurity no matter the expert level. As we use more tools and technologies to keep us connected, the stakes are even higher, with more opportunities for hackers to compromise passwords and open the floodgates. So, whether you are a password newbie, expert or somewhere in between, there are steps we can all take to manage our password like a boss (and a CISO).
Password Novice
While taking baby steps to strengthen your password game, you might not know where to start. Here are three fundamental best practices to get you on the right track. Firstly, keep it long—the longer and more complex the password is, the safer you will be.
Secondly, be unique—the best thing you can do is make all your passwords unique at every site. Do not reuse these. Using the same password for multiple accounts puts you at greater risk of hackers succeeding with logging into these other accounts. This doesn’t just put you at risk – if you’re using the same password across accounts related to personal and work activity, it means your organisation’s sensitive data could become compromised too.
Finally, be mindful—always be aware of your whereabouts on the internet and take specific note of anything or anybody that has asked you to log in. Once you have mastered these three steps, you can move to the next level.
Password Competent
You might know what constitutes a good password, however you are still doing a few things that mean you’re not a master… just yet. There are two recommendations I have for you as you start to take passwords more seriously. The first is to start looking into a password management tool.
There are a ton of useful commercial tools and solutions that help make this overall process of keeping long, complex, and unique passwords manageable. The second recommendation is to check your passwords regularly against an up-to-date list or database of exposed passwords. While a password might be safe at the time it was created, it could become compromised at a later point. If the latter occurs, it’s important for users to then change their password in favour of a more secure one.
Password Pro
So, you’ve mastered the password and you’re a model student. But did you know there are even more steps you can take to ensure your security?
Consider for a moment, biometrics. This comes from the idea that the best password to use is the one you don’t need to use. Biometrics may be a radical idea for beginners and people who are middle of the password road, but that is the next step for pro status. The concept of biometrics is using your fingerprint, face, or voice to gain access to your sensitive data. This creates a significantly safer environment as they are much harder to manipulate than passwords, two-step identification and two-factor authentication. To me, the use of biometrics is the future for passwords, but we have a while before we are all fully on board. You also don’t have to use biometrics to forgo passwords in some instances.
There’s no doubt that poor password practices provide an opportunity for attackers to quickly get access to whatever they want. This is only set to worsen unless proper action is taken. And while we can debate the longevity of passwords, the fact is they’re the most widely used and accepted means of authentication. Passwords are here to stay. Be your own boss and protect yourself and your organisation, one password at a time.