State and local governments fuel our nation, serving as the front line of our civil society. These administrations have a deep history of interconnectedness, working among themselves and across jurisdictional boundaries to share resources and information in the public interest. That same interconnectedness means a compromise in one office can reach many others, which drives a heightened need for security.
Recent ransomware attacks have put a spotlight on security awareness, including better password security. In June, Bloomberg reported that hackers breached Colonial Pipeline using a compromised password. Earlier this year we learned that the SolarWinds breach involved the undeniably insecure password solarwinds123.
Specifically at the state level, Pew Trusts reported that,
Cyber attackers have forced states to take down websites, stolen $36 billion in unemployment payments and exposed millions of residents’ personal information to scammers.
Following the White House Executive Order on Cybersecurity in May, a memo from the Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology followed in June, under the subject line What We Urge You To Do To Protect Against The Threat of Ransomware.
The memo is a call to action to implement the best practices from the President’s Executive Order that it identifies as high impact, listed below verbatim from the memo:
Multifactor authentication (because passwords alone are routinely compromised)
Endpoint detection & response (to hunt for malicious activity on a network and block it)
Encryption (so if data is stolen, it is unusable)
A skilled empowered security team (to patch rapidly, and share and incorporate threat information in your defenses)
Regrettably, the phrasing of the first point, “(because passwords alone are routinely compromised)”, takes a defeatist attitude towards passwords and puts the weight on multifactor authentication, which can at times be more to manage than a strong password.
It is true that passwords alone are routinely compromised. However, when users employ a password manager that generates long, complex, random, and unique passwords for each site, the risk of a compromised password is significantly reduced: a password unique to one site cannot be replayed against another after a breach, and a long random one cannot be guessed or cracked in practice.
Choosing long, complex, random, and unique passwords for every site is nearly impossible for human beings, but it is easy for software such as a password manager.
In a recent breach at New York City’s Law Department, the New York Times reported,
But all it took for a hacker to infiltrate the 1,000-lawyer agency’s network early this month was one worker’s pilfered email password, according to a city official briefed on the matter.
While the exact details are unknown, it is very common for employees to reuse passwords that were exposed in other website breaches and then sold on the dark web, so a breach at an unrelated site can yield a working password for a government account.
The story continues, in language that echoes the White House cybersecurity memo,
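The two points above, that random per-site passwords remove the guessing and replay risk and that reused passwords exposed in other breaches are how a single leaked credential becomes an intrusion, can be made concrete in code. The following is an added example written for this article, not code from Bitwarden or from any product mentioned here. It generates passwords with a cryptographically secure generator, computes their entropy, and audits a small vault for two findings a password manager typically reports: the same password used on more than one site, and a password present in a breach corpus. The vault contents and the breach corpus are constructed for the example; the corpus is checked by SHA-1 hash prefix in the style of a k-anonymity range query, so the full hash never has to be sent anywhere.

```python
import hashlib
import math
import secrets
import string

# Constructed example vault (site -> password). Not real credentials.
VAULT = {
    "hr.example.gov": "Summer2021!",
    "payroll.example.gov": "Summer2021!",      # reused across two sites
    "mail.example.gov": "x7#Qm9v!Lp2@Rk4z",
}

# Constructed stand-in for a breached-password corpus, stored as SHA-1 hex
# digests the way public breach corpora are distributed.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Summer2021!", "password", "solarwinds123")
}

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def generate_password(length=20, alphabet=ALPHABET):
    """Generate a password using the OS CSPRNG via the secrets module."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def is_breached(password, corpus=BREACHED_SHA1):
    """k-anonymity style check: select corpus entries by the first five hex
    characters of the SHA-1 digest, then match the remaining suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidates


def audit_vault(vault, corpus=BREACHED_SHA1):
    """Return {site: [findings]} for passwords that are reused or breached."""
    sites_by_password = {}
    for site, pw in vault.items():
        sites_by_password.setdefault(pw, []).append(site)
    findings = {}
    for site, pw in vault.items():
        issues = []
        others = sorted(s for s in sites_by_password[pw] if s != site)
        if others:
            issues.append("reused with " + ", ".join(others))
        if is_breached(pw, corpus):
            issues.append("appears in breach corpus")
        if issues:
            findings[site] = issues
    return findings


def rotate_flagged(vault, corpus=BREACHED_SHA1, length=20):
    """Return a copy of the vault with every flagged password replaced by a
    fresh random one, which is what a password manager's generator does."""
    rotated = dict(vault)
    for site in audit_vault(vault, corpus):
        rotated[site] = generate_password(length)
    return rotated


if __name__ == "__main__":
    for site, issues in audit_vault(VAULT).items():
        print(site, "->", "; ".join(issues))
    print(f"20 chars from a {len(ALPHABET)}-char alphabet: "
          f"{entropy_bits(20, len(ALPHABET)):.1f} bits of entropy")
    print("findings after rotation:", audit_vault(rotate_flagged(VAULT)))
```

Running it flags both sites sharing Summer2021! as reused and breached, leaves the random password alone, and reports roughly 131 bits for a 20-character password drawn from 94 symbols, far beyond what any online or offline guessing campaign can cover. After rotation the audit comes back empty.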
But the hack was enabled by the Law Department’s failure to implement a basic safeguard, known as multifactor authentication…
Here too, the source of the incident was a pilfered password. Had that password been long, complex, random, and unique, the situation may have been avoided. Multifactor authentication remains a critical security control, but it should be deployed in concert with proper password management: generating long, complex, random, and unique passwords per site.
When it comes to security, we see that if people are not given a password manager at work, they often fall back on less secure ways of protecting their accounts, such as reusing passwords.
From a state and local government perspective, consider the following when seeking a password management solution.
Ensure that your provider implements zero-knowledge encryption for all of your vault items and holds comprehensive security and compliance credentials. Complete zero-knowledge encryption means that vault items are encrypted and decrypted on your own devices with keys derived from your master password, so the provider never holds your master password or the plaintext of your vault and cannot see any of its contents. A practical check is to ask the provider to show, in its documentation or a third-party audit, that the master password never leaves the client.
Find solutions that work for a broad user base, from technical to novice users. Open source password managers serve both audiences well: the code can be inspected and audited, technical users engage with the community to improve the product, and non-technical users can readily find supporting documentation and community Q&A forums.
Look for solutions that provide an easy path to get started and the scale to support larger organizations.
Password management is serious business, and some organizations prefer the option to run the solution themselves. If self-hosting matters to your team, investigate it up front.
Fortunately, it is fast and easy to start improving your organization’s security immediately. Bitwarden is a fully featured, open source password manager used by individuals and organizations worldwide. The Bitwarden password management solution is secure, easy to use, affordable and includes an option to self host.