The secure handling of passwords in companies
The correct handling of passwords continues to be an important topic. To ensure the necessary password security, companies must find ways to implement it as easily as possible. Craig Lurey, CTO of IT security service provider Keeper, summarizes which mistakes must be avoided at all costs and what options are available to get a grip on the password dilemma.
Many organizations, especially those that operate in the technical and digital space, require continuous communication and sharing of online files. As a result, account sharing is often required in a collaborative work environment. This means that employees must find an easy way to share access and passwords with each other, preferably without exposing the company to a cyberattack. A message through a messaging service or an email to a colleague may be the quickest way to share a password, but it is an insecure route that puts the entire company at high risk of compromise.
The secure way to exchange passwords
In its Cybersecurity Census Report 2022, Keeper Security found that only 13 percent of the companies surveyed in Germany are fully equipped with a system for identity control, 56 percent provide their employees with at least some guidance, and 31 percent leave identity control, including the handling of passwords, to their employees. Either not everyone is aware of the risk, or it is simply being accepted.
The most secure way to store and share passwords is with a password manager on a password-protected device. Password managers often offer multiple layers of encryption, making it virtually impossible for attackers to recover what they are looking for in readable form. With zero-knowledge encryption, no one but the user can see the data: not the password manager provider, and not an attacker who obtains the stored data.
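To make the zero-knowledge idea concrete, here is an added illustration that is not code from the article or from Keeper: a minimal vault in which the master password never leaves the client, so the provider holds only a salt, a login hash and an opaque blob it cannot decrypt. It uses only the Python standard library, with PBKDF2 for key stretching and an HMAC-SHA256 keystream plus encrypt-then-MAC standing in for AES-GCM; the key labels and iteration count are assumptions chosen for the example.

```python
# Added illustration (not code from the article or from Keeper): a minimal
# zero-knowledge vault. The master password never leaves the client; the
# provider receives only a salt, a login hash and an opaque, authenticated blob.
# Standard library only: PBKDF2 stretching, HMAC-SHA256 keystream, encrypt-then-MAC.
import hashlib
import hmac
import json
import os
from typing import Optional

ITERATIONS = 200_000  # illustrative PBKDF2 cost, not a recommendation

def derive_keys(master_password: str, salt: bytes):
    """Stretch the master password, then split it into domain-separated keys."""
    master = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, 32)
    enc_key = hmac.new(master, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"vault-integrity", hashlib.sha256).digest()
    # auth_key is the only derived value the server learns about; it is independent of the others
    auth_key = hmac.new(master, b"server-login", hashlib.sha256).digest()
    return enc_key, mac_key, auth_key

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(enc_key, nonce || counter) blocks."""
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal_vault(master_password: str, entries: dict) -> dict:
    """Client side. The returned record is everything the provider ever stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key, auth_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Only a hash of auth_key is stored, so a stolen record yields no usable login secret.
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag,
            "auth_hash": hashlib.sha256(auth_key).digest()}

def open_vault(master_password: str, record: dict) -> Optional[dict]:
    """Client side. Returns None for a wrong master password or a tampered blob."""
    enc_key, mac_key, _ = derive_keys(master_password, record["salt"])
    expected = hmac.new(mac_key, record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):  # verify before decrypting
        return None
    keystream = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    return json.loads(bytes(c ^ k for c, k in zip(record["ciphertext"], keystream)))
```

A breach of the stored record exposes ciphertext and a login hash but no key, which is the property the article attributes to zero-knowledge password managers.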
Some password management tools, especially for enterprise use, offer secure sharing features. These make it easy to grant employees shared access without revealing username and password details. Also desirable in password managers is multi-factor authentication (2FA/MFA), which can be enforced at the role level. In general, it is recommended to enable 2FA/MFA on all platforms to improve the security posture of the company and teams.
Risky methods for sending and storing passwords
Password sharing is widespread among Internet users inside and outside the workplace. A survey by The Zebra, NBC News and the Pew Research Center found that 79 percent of users admitted to sharing passwords with someone outside their home.
Companies that do not use a password manager may be relying on insecure methods to store and share passwords. This can lead to financial losses and an increased risk of a cyberattack. According to the Cybersecurity Census Report 2022, the cost of a cyberattack for companies in Germany alone was between €10,000 and €49,999.
Six methods to avoid when dealing with passwords
Users who do not have access to the functions of a good password manager use many different methods to exchange secret access data with each other. Under these circumstances, there is no way to ensure that only authorized people can access the passwords, and no guarantee that the access data will not fall into the hands of unauthorized third parties. Six of the most popular and risky methods are:
- Online documents: Apple Notes, Google Docs, Microsoft Word documents, and other online note-taking programs are easy ways to jot down information, but these tools were not designed for storing and sharing private credentials. In Keeper's Workplace Password Malpractice Report 2021, 49 percent of respondents confirmed storing work-related passwords in a cloud document, 51 percent store passwords in a document on their computer, and 55 percent store work-related passwords on their cell phones. Although some documents can be password protected, many document platforms do not offer encryption, two-step verification or other additional security measures. An unauthorized user who gets hold of or compromises a device can simply copy the document and send it to themselves, gaining access to all the information contained in the file.
- Emails: Emails are one of the most popular forms of communication in the workplace. They are usually sent in plain text and without encryption. If an email inbox is compromised, unauthorized people have full access to passwords sent via email. In addition, passwords sent via email often pass through multiple systems and servers, and there is a copy in the "Sent" folder. And even if emails have been deleted, the emails may be stored in other folders on the account, such as the "Deleted" folder. Emails that are stored locally on the device's hard drive rather than with the provider are subject to additional risk from potential theft of the laptop, tablet or cell phone.
- Text messages/SMS: As with email, text messages offer no real security. A text message can be read by anyone who is able to intercept it. Again, if a mobile device is not password protected and falls into the wrong hands, the unauthorized user gains access to all private conversations and messages. The same applies if the device is compromised.
- Online messengers: WhatsApp, Slack and Microsoft Teams are popular tools for communication between employees, whether for quick project updates or casual conversations. Although many of these cloud services are encrypted, the applications on the devices usually remain open or running in the background. If the device is used in a public environment and is left unattended even briefly, anyone can read the passwords within seconds. For example, in June 2021, a group of cybercriminals used Slack to get an employee to help them break into EA Games. The group managed to acquire stolen cookies, which they used to gain access to an EA Slack channel. They then sent a message to the IT support team claiming that they had lost their phone at a party.
- Physical documents: Writing down passwords in a notebook or on a piece of paper may keep online attackers away from the credentials. However, credentials on paper can easily be stolen by an unauthorized person in the offline world. Writing down credentials and passing them around the office is also dangerous because the physical document can be lost.
- Verbal sharing: Even though a face-to-face conversation with a colleague eliminates the classic paper and online dangers, it carries its own risks, because the login data is spoken out loud and can be overheard. In addition, passwords shared this way are usually not particularly strong, since special characters that are awkward to say or occasionally not found on the keyboard tend to be left out of the password. Another, albeit minor, danger is that the conversation is recorded.
Further information: KeeperSecurity.com