Bluefin Chief Innovation Officer, Ruston Miles, discusses the pros and cons of password managers – and how passwords fit into the “Devalue the Data” approach to payment security.
The age of Internet hacks has ushered in a new level of paranoia when it comes to storing personal information online. Everything comes protected in layers of passwords and, while that’s a good thing, it also tempts many people to use the same simple usernames and passwords time and again.
But relying on the same password for multiple sites leaves you vulnerable to cyber attacks that could compromise sensitive information. It’s important to create strong, unique passwords to protect your information from security breaches, but for the average person with more than 25 online accounts, this is no easy task.
Random unique combinations are hard to remember, and writing them down or storing them in a document on your computer defeats the purpose of using strong passwords in the first place.
That’s where password managers come in. These services, such as Dashlane and RoboForm, are intended to “remember” for you: they store your password information in one place and secure the encrypted data with a master password that you create. It’s the only password you have to remember.
These sites can also generate random passwords for you, audit your passwords to check for weaknesses, auto-fill online forms, and store other confidential information, like credit card numbers, insurance information, and more.
All Password Managers Are Not Equal
Before you add your entire life to a website, determine if your information is thoroughly protected.
When you use an online password manager, you have a lot riding on the application’s integrity. Password sites promise to store your information securely, but how can you tell which ones will truly protect your data? We’ve already determined that “hack-proof” doesn’t exist, and high-level breaches at Anthem, Target and Home Depot, among others, have us wondering if any system is actually safe.
Digital password managers are particularly appealing to hackers, because cracking one is more time-efficient than going through and finding passwords account by account. Although these sites are targets for tech-savvy bad guys, most password managers do a decent job of protecting your data from outside attacks.
Password sites encrypt your password database, and there’s only one key to unlock the information — a master password you create. And because the companies don’t have your master password, even if their servers are hacked, your information is still safe.
Your Password Manager Is Only as Good as Your Password
Theoretically, anyway. Your information on these sites is only as secure as your master password is strong. If you choose an obvious combination, like family members’ names or birthdays, or rely on dictionary-based words to create your master password, your information may not be as safe as you’d like.
Take the yet-unpublished Verizon assessment of what happened at Target. Brian Krebs reports on September 21st:
“Default passwords in key internal systems and servers also allowed the Verizon consultants to assume the role of a system administrator with complete freedom to move about Target’s sprawling internal network.
“The Verizon security consultants identified several systems that were using misconfigured services, such as several Microsoft SQL servers that had a weak administrator password, and Apache Tomcat servers using the default administrator password,” the report observes. “Through these weaknesses, the Verizon consultants were able to gain initial access to the corporate network and to eventually gain domain administrator access.”
“Within one week, the security consultants reported that they were able to crack 472,308 of Target’s 547,470 passwords (86 percent) that allowed access to various internal networks, including target.com, corp.target.com, email.target.com, stores.target.com, hq.target.com, labs.target.com, and olk.target.com.”
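As an added illustration (not Bluefin’s code, nor any particular vendor’s design) of the two points above, that the service holds only encrypted data plus a master-password-derived verifier, and that a weak master password turns a server breach into a cheap offline guessing job, here is a minimal Python model. The iteration count, the tiny word list and the weakness rules are assumptions for the example.

```python
"""Model of a zero-knowledge vault: the server keeps a salt, the KDF cost and a
verifier derived from the master password, never the master password itself.
A breach therefore yields only an offline guessing problem whose cost is set by
master-password strength and the KDF iteration count."""
import hashlib
import hmac
import re
import secrets

KDF_ITERATIONS = 600_000  # assumed PBKDF2 work factor; real products differ
# Constructed stand-in for a real wordlist, used only by the strength check.
COMMON_WORDS = {"password", "welcome", "letmein", "target", "fluffy", "summer"}


def derive_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def make_vault_record(master_password: str) -> dict:
    """What the server stores. The derived key (which encrypts the vault) stays client-side;
    only a hash of it is kept so the server can verify an unlock without learning the key."""
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt)
    return {"salt": salt, "iterations": KDF_ITERATIONS, "verifier": hashlib.sha256(key).digest()}


def unlock(record: dict, candidate: str) -> bool:
    """Recompute the verifier from a candidate master password; constant-time compare."""
    key = derive_key(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).digest(), record["verifier"])


def master_password_weaknesses(pw: str) -> list:
    """Flag the patterns the post warns about: short, dictionary-based, date-like, few classes."""
    issues = []
    if len(pw) < 12:
        issues.append("too short")
    if any(word in pw.lower() for word in COMMON_WORDS):
        issues.append("contains dictionary word")
    if re.search(r"(19|20)\d{2}", pw):  # a plausible birth year
        issues.append("contains a date-like number")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        issues.append("fewer than three character classes")
    return issues


def seconds_to_exhaust(keyspace: int, iterations: int, hashes_per_second: float) -> float:
    """Attacker time to try every candidate: each guess costs `iterations` hash operations,
    which is why the KDF work factor matters as much as the guess space."""
    return keyspace * iterations / hashes_per_second
```

Run `master_password_weaknesses("Fluffy1985")` against a choice like `"Tundra!orbit-9Kettle"` to see why the post's "family names or birthdays" advice matters; `seconds_to_exhaust` shows the same keyspace becoming orders of magnitude more expensive as the iteration count rises.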
At Bluefin, we advocate the “Devalue the Data” approach with PCI-validated Point-to-Point Encryption (P2PE). That doesn’t minimize the importance of passwords and firewalls – because there is no silver bullet to security – but wouldn’t it be nice, if there was a breach, for a hacker to find no information of value? That’s where encryption technologies like P2PE and tokenization come in.
If you want to move beyond personal password hygiene and are looking for a partner to protect your business data from security breaches, a holistic approach to data security goes a long way toward protecting your information.
Ruston Miles is Bluefin’s Chief Innovation Officer. He is a PCI Professional (PCIP), Certified Payment Professional (CPP), Certified Internet Business Strategist (CIBS), and an active participant with the PCI Security Standards Council. Today he speaks at the Merchant Advisory Group Annual Conference on PCI’s New P2PE 2.0 Standard: What it means for Major Merchants.