It’s January, and 2024 is already seeing two major security announcements with wide-scale implications for security teams. While these announcements may seem disconnected at first, they highlight the continued importance of good password hygiene, and ensuring that employees are protecting themselves online inside and outside of the workplace.
Here’s the TL;DR.
Two significant security announcements have been reported:
- Microsoft email breach - State-backed Russian hackers broke into Microsoft’s email system, including access to the accounts of senior leadership members and the company’s cybersecurity team. The hackers gained access by “password spraying”: trying a single, common password against many accounts in an attempt to log in to any of them.
- The mother of all breaches (MOAB) - A massive database built from previous breaches, leaks, and private databases across a wide range of business and consumer sites from Twitter and LinkedIn to Adobe and Dropbox has been released by an unknown source. This breach is composed of roughly 26 billion records, and is being referred to as the “mother of all breaches.”
In the Microsoft case, it appears only the company’s internal systems and operations were compromised. This exemplifies how no matter how sophisticated your company is, or how powerful your enterprise security tools are, you’re still at risk from something as simple as a compromised password.
For MOAB, the range of companies included implies that if you have used ANY of the 3,800 services or apps whose data is included in the database, you are at risk. This breadth is astounding and especially highlights the risk of using the same password across services both personal and professional.
The thread between both? Passwords. Anyone who has simple or common passwords, or reuses credentials across personal and business accounts, is creating risk for themselves and the organization they work for.
What you need to do immediately
In the short term, enterprises should review the list of companies compromised by MOAB, decide which ones pose a significant security risk, and then encourage employees to update their usernames and passwords for those sites – especially in the case that multi-factor authentication (MFA) is not in use. Wherever possible, ensure employees are implementing MFA or, even better, adopting passkeys to ensure strong authentication practices.
You should also suggest that employees rotate any passwords that are used to access single-sign on (SSO) services, as they often represent the “keys to the kingdom” for employees and teams.
If you’re a 1Password Business customer, you should encourage your employees to:
- Make sure that Watchtower is “on” for both their personal and business accounts.
- Open their 1Password application and check Watchtower for any alerts or flags on existing accounts.
- Go to the appropriate websites and update any compromised accounts.
- Use MFA at a minimum and, where possible, passkeys as the ideal state.
If you’re not a 1Password customer, you should encourage your employees to:
- Go to Have I Been Pwned and check if any of their data has been compromised.
- Go to the appropriate websites and update any compromised accounts with strong passwords generated with 1Password’s free password generator.
- Consider purchasing and implementing an enterprise password manager to ensure that strong password policies can be easily implemented across your organization (or you can simply try 1Password Business for free for 14 days).
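The Have I Been Pwned check above can also be automated for passwords without ever sending the password itself: the Pwned Passwords API uses a k-anonymity range query, so only the first five hex characters of the password’s SHA-1 hash leave the machine and the rest is matched locally. The code below is an added example, not code from this post or from 1Password; it assumes the public api.pwnedpasswords.com range endpoint and uses a constructed sample response so that it runs offline.

```python
import hashlib
import urllib.request

# Constructed sample of the body the range endpoint returns for prefix 5BAA6
# (SHA-1 of "password" begins 5BAA61E4...). Each line is "<35-hex suffix>:<count>".
# All lines here are made up for the example except the one carrying the real
# suffix of "password"; its count is constructed too, not the live figure.
SAMPLE_RANGE_BODY = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E2AAA439972480CEC7F16C795BBB429372:1
00000000000000000000000000000000000:0
"""

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Entries with count 0 are the padding the
    API adds when asked (Add-Padding header) and are not real breach hits."""
    hits = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if count.isdigit() and int(count) > 0:
            hits[suffix.upper()] = int(count)
    return hits

def fetch_range_live(prefix: str) -> str:
    """Real lookup (not exercised offline): only the 5-char prefix is sent."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_live backed by the constructed body."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else "ABCDEF0123456789ABCDEF0123456789ABC:2\n"

def breach_count(password: str, fetch_range=fetch_range_sample) -> int:
    """How many times the password appears in known breaches (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)

if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-9Q!"):
        print(pw, "->", breach_count(pw))
```

Pass `fetch_range_live` as the second argument of `breach_count` to query the real service; a non-zero result means the password should be rotated regardless of how strong it looks.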
What you need to do going forward
Long term, the challenge is that it’s no longer enough to focus solely on changing behavior, nor is it enough to just put up additional defenses around your organization. You must do both. That means providing tools that are easy and convenient to use (which drives adoption) and that further secure your company (such as MFA and passkeys). In terms of passwords, taking this approach requires:
- Using an enterprise password manager, such as 1Password, to streamline the creation, management, and usage of strong, unique passwords across your entire organization.
- Implementing password policies that require unique, strong passwords for every employee login.
- Requiring multi-factor authentication where possible, as strong authentication is the first line of defense against breaches.
- Beginning to use passkeys as a safe password alternative that makes credential stealing impossible.
- Auditing your password risk with a tool like Watchtower.
How 1Password can help
1Password provides an enterprise password manager (EPM) that can streamline how passwords are created across your entire organization, and ensure that safe, unique passwords are created for every employee credential.
1Password’s offerings provide critical functionality to prevent and detect breaches. Highlights include:
- Simplified creation and management of strong, unique passwords for every employee.
- Secure sharing of credentials across teams.
- Alerts when credentials have been compromised as part of an attack with Watchtower.
- Simple and straightforward implementation and management of passkeys with Passage by 1Password, protecting your (and your customers’) data.
- A free family account for every employee of enterprises that use 1Password, helping to ensure that passwords are not reused across personal and business accounts.
While it’s not possible to prevent 100% of breaches, it is possible to arm your employees with the tools they need to break their bad password habits. Or even better – as in 1Password’s case – provide your team with a tool that will also be easy to use and easy to adopt.
To learn more about 1Password, contact us today.