Along with their clear benefits, online collaboration tools also carry well-documented risks. Namely, in addition to the risks that are largely specific to collaboration tools, they also increase an older, well-known risk: credential leaks. That is simply because all of these services require a password to log in, thus increasing the total number of passwords any given employee needs.
These days, each team member needs access to corporate e-mail, an instant messaging program, and a project management system — at the least. Some employees need access to website administration tools and corporate social media accounts, of which there is usually more than one. Some work with advertising, which means they need access to social media ad-management tools. Some work with graphics, some with accounting records. Essentially, a modern company may have quite a lot of credentials for various services and cloud applications, and the smaller the business is, the more accounts a single person may have to manage. And though it is tempting to use one password or variations on one password, there is no situation in which you ever should.
What is wrong with using one password for all services
The advice not to use the same password everywhere is not new. It has not lost its relevance with time – in fact, if anything, it’s gotten even more acute. Have you ever heard of the Have I been pwned project, which checks for login credentials in breaches? You can use it to find out if your password has been leaked. At the time of this writing, the number of accounts in the website’s databases is getting close to 10 million. The service uses only publicly available databases of leaked accounts. That means cybercriminals with access to this kind of information (not only from open sources, but also from hacker message boards on the darknet) are likely to have significantly larger collections.
That means by picking a target — that is, obtaining its e-mail address, which doubles as the login in most cases — a cybercriminal can find out other passwords that are associated with that address and have been leaked. If the hacker notices that an employee uses the same password for all services, or identifies the pattern used for varying the passwords, then learning with what other services the victim is registered takes just a simple look-up. Plenty of services on the Web can help them with that; we explain in “How cybercriminals harvest information for spear phishing.”
Why writing passwords on sticky notes is a bad idea
Using one password is risky, and your memory’s capacity is limited, so you will obviously need a way to keep your passwords safe and retrievable. You guessed it: We are back to discussing sticky notes with passwords. Now, normally, we emphasize the threat of casual visitors or coworkers finding your passwords. These days, however, selfies add another dimension to the threat.
The abundance of digital platforms and social networks where you can post a photo or video has led to people constantly taking pictures of themselves, showing off a new hairstyle, T-shirt, or location. Even if you don’t do that, if you have a selfie enthusiast in your open plan office, then your coworkers, their screens, their cacti, and their passwords might end up in the pictures. In addition to that, many companies now photograph their office activities and post them in their official channels, just to highlight how human their brands are. These photos and videos might also contain sensitive data.
How to securely store your passwords
A notepad is not much better than a sticky note; you never know when it might get photographed. That is why we recommend using a password manager. It reduces the number of passwords you need to remember to just one, and you can make that master password fairly complex. Just make sure you do not use it anywhere else.
About a week ago, we released a new version of Kaspersky Small Office Security, a solution specifically designed to meet the needs of small businesses. It incorporates licenses for Kaspersky Password Manager for each protected computer, and it not only stores credentials and other sensitive information securely, but also generates complex passwords for services and applications. You can learn more about the product and purchase it on the Kaspersky Small Office Security page.