
sbradley
Contributing Writer

8 steps to protecting login credentials

Feature
Aug 05, 2020 | 6 mins
Tags: Authentication, Passwords, Security

Follow this advice to help users and network admins to better protect login credentials to corporate systems.

[Image: login credentials on a mobile phone. Credit: Tero Vesalainen / Getty Images]

How many passwords does the average network administrator have? The average end user? Plenty. What can you do to protect those passwords? How do you educate users on protecting their credentials?

A recent article in Mashable revealed that an attacker found the credentials for several internal Twitter systems on a company Slack account. If this is true (there are conflicting reports of the source of the hack), it suggests that network administrators don’t protect credentials well. If network administrators don’t, it’s probably safe to assume their users don’t either.

What can you do to help your network administrators and users better protect their credentials? It comes down to education and awareness.

Build resistance to social engineering

Educate both network administrators and end users about the impact of phishing and how attackers design attacks to go after our weaknesses. They will use social media to learn who holds what roles in the organization and whom to go after. Famed hacker Kevin Mitnick once used a Washington State book that listed company CEOs and their executive assistants to gain access to the companies. Warn users to limit their social postings in public locations to avoid exposing information to attackers.

Protect information used in credential verification

Warn your users not to answer survey questions on social media locations. Often these “random questions” are built from typical password reset questions or password verification processes. If you’ve ever answered a Facebook post about your first job or your favorite car, attackers can accumulate a database of password reset answers.

Train users to recognize a branded landing page

If you use Office 365 or Microsoft 365, I recommend using branding to help educate users on the proper password landing page. Attackers are harvesting business images and using them to trick users into thinking they are providing credentials in the right place. To set up a branded landing page, you will need an Azure P1 or a Microsoft 365 Business Plus (which includes P1) license. To configure company branding, select “Azure Active Directory,” then “Company branding,” and then “Configure.” You can now select settings for icons (including banner logos), background images, and username hints.

Encourage the use of passphrases

Educate users on choosing passphrases rather than passwords. We are horrible at choosing passwords. Even in 2019, the most-used password was 12345. Let applications generate strong passwords if possible. Encourage users to adopt password manager programs for their personal use and educate them on how to use them. For business, you may need to evaluate programs to determine which one meets your firm’s security mandates. There have been historical issues with web-based password manager programs introducing risks. Evaluate carefully and review the recommended password management programs on an annual basis.
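To make the passphrase-versus-password argument concrete for users, the added script below (not from the article) generates a passphrase with a cryptographically secure RNG, flags entries from a constructed list of common passwords, and puts entropy figures side by side for a five-digit password, an eight-character mixed password, and a five-word passphrase drawn from a 7,776-word list. The word list and the common-password set are constructed for the example.

```python
import math
import secrets

# Constructed word list for this example. A real deployment would load a large,
# reviewed list such as the EFF long list (7,776 words); this short list only
# keeps the script self-contained.
WORD_LIST = (
    "anchor basil cobalt dune ember fjord garnet harbor iris juniper "
    "kelp lantern marble nectar orbit pebble quartz ridge saffron tundra "
    "umber velvet willow xenon yarrow zephyr acorn bramble cinder delta "
    "elm fable"
).split()

# Constructed sample of the passwords that sit at the top of breach lists.
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "111111"}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly at random from an
    alphabet of `alphabet_size` symbols. For a passphrase, each word is a symbol."""
    return length * math.log2(alphabet_size)


def generate_passphrase(num_words: int = 5, words=WORD_LIST, sep: str = "-") -> str:
    """Pick words with the CSPRNG behind `secrets`; never use `random` for this."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


def is_common(password: str) -> bool:
    """True if the candidate is in the constructed common-password set."""
    return password.lower() in COMMON_PASSWORDS


def compare_strength() -> dict:
    """Entropy of typical user choices versus a generated passphrase."""
    return {
        "five-digit password (12345)": round(entropy_bits(10, 5), 1),
        "8 chars, mixed case + digits": round(entropy_bits(62, 8), 1),
        "5 words from a 7,776-word list": round(entropy_bits(7776, 5), 1),
    }


if __name__ == "__main__":
    print("generated passphrase:", generate_passphrase())
    for label, bits in compare_strength().items():
        print(f"{label}: {bits} bits")
```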

Train users on multi-factor authentication

Educate on the use of multi-factor authentication (MFA) for applications, remote access, email, or any other login credential. Microsoft 365 with an Azure P1 license lets you add whitelisting to exempt locations from two-factor authentication. You can limit MFA to users with more risky remote access. The feature is called “named locations.” From the Azure portal, select “Azure Active Directory,” then “Conditional Access” from the “Security” section. On the “Conditional Access” page, select “Named locations” and then “New location.” In the “Name” box, type a name for your named location. In the IP ranges box, type the IP range in CIDR format and select “Create.”
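Because a named location exempts everything inside its ranges from MFA, it is worth sanity-checking the CIDR entries before selecting “Create.” The added script below (not from the article or from Microsoft) rejects malformed entries, prefixes broader than a threshold, and private or link-local space, which can never match a sign-in because Conditional Access evaluates the client’s public IP. The prefix thresholds and the sample ranges are assumptions for the example.

```python
import ipaddress

# Assumed thresholds: anything broader than these almost certainly trusts far
# more than the office egress addresses you meant to exempt from MFA.
MIN_IPV4_PREFIX = 16
MIN_IPV6_PREFIX = 48

# Ranges that never appear as a client's public IP, so exempting them is a mistake.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def check_named_location_ranges(ranges):
    """Return (accepted, rejected): accepted holds normalized CIDR strings that
    are reasonable to trust; rejected maps each bad entry to the reason."""
    accepted, rejected = [], {}
    for entry in ranges:
        text = entry.strip()
        try:
            # strict=True refuses host bits set in the prefix (198.51.100.5/24),
            # the same kind of entry the portal would reject.
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            rejected[text] = f"not a valid CIDR range: {exc}"
            continue
        min_prefix = MIN_IPV4_PREFIX if net.version == 4 else MIN_IPV6_PREFIX
        if net.prefixlen < min_prefix:
            rejected[text] = f"prefix /{net.prefixlen} is broader than /{min_prefix}"
        elif any(net.version == p.version and net.overlaps(p) for p in NON_PUBLIC):
            rejected[text] = "not a public range; the client's public IP is evaluated"
        else:
            accepted.append(str(net))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input mixing good and bad entries.
    sample = ["203.0.113.0/24", "10.0.0.0/8", "0.0.0.0/0",
              "198.51.100.5/24", "not-an-ip", "192.168.1.0/24", "2001:db8:1::/48"]
    ok, bad = check_named_location_ranges(sample)
    print("accepted:", ok)
    for entry, reason in bad.items():
        print(f"rejected {entry}: {reason}")
```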

Teach staff to recognize safe websites

Educate on how secure websites work and look. When users browse to a website and enter credentials, they face a daunting decision process. Is this site safe? Are they entering their credentials into a proper location? Educate users about what the normal processes and prompts should be like.

If you have a proxy filter or cloud service that may intercept your browsing traffic and provide blocking processes, set up the cloud service to provide actionable information to end users so they know if the website action they are trying to do is appropriate. For example, if your web filtering software blocks certain sensitive sites, ensure that the blocking communication clearly states that your firm’s actions are behind the blocking process.

Educate users on what processes to look for when entering sensitive information. This used to be easier, but with the advent of search engines mandating SSL as a means for private browsing, it’s harder to determine which sites are safe. Have a process of vetting that may include sending the URL through an approval process. You might wish to limit browsing to only approved websites.

Train on the proper use of computer equipment

Users and network administrators should never use computer equipment from unknown locations to access corporate resources. The kiosk computer in the hotel business center where you just printed out your airline boarding pass should never be used to access corporate assets. I still remember a widely reported security story where someone placed keylogger tokens on the computers in Kinkos in New York and collected 450 banking credentials as a result of this sniffing attack.

Administrators and users should be aware of their surroundings when entering passwords. Someone on an airplane could, for example, look over the shoulder of the person in the seat in front of them, see what that person is working on, and possibly even catch a password.

Deploy additional credential processes if necessary

Windows Hello for Business is based on a new type of user credential that is tied to a device and uses biometric authentication or a PIN. Windows Hello lets users authenticate to Microsoft, Active Directory, Microsoft Azure Active Directory (Azure AD), or identity provider or relying party services that support Fast ID Online (FIDO) v2.0 authentication (in progress).

Windows Hello for Business is more secure than Windows Hello Convenience PIN. It can be configured by Group Policy or mobile device management (MDM) policy. It always uses key- or certificate-based authentication. To set up Windows Hello for Business, review your hardware to ensure it has the needed TPM chips and other requirements before implementation. You can deploy these solutions with software-only implementation, but the process is typically more straightforward with laptops and desktops that are designed for the implementation.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL Slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on Twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
