Pub. 9 2018 Issue 2
www.wvbankers.org 22 West Virginia Banker

Password Managers
A More Secure Way to Manage Passwords

Introduction. There are an increasing number of products and services available to financial institutions to serve customers and to make the customer's banking experience easier. Financial institution customers also have an increasing number of online sites that they use on a daily basis, many of which ultimately require credit card and/or bank account information. Every one of these new products and services brings additional security risks and concerns. Financial institutions have a fiduciary responsibility to protect customer information as well as the financial institution's own sensitive data. One of the ways to protect sensitive information is through the use of unique user codes and passwords.

Challenge. Different organizations or solutions have different requirements for passwords. Unfortunately, these requirements are often not the same from organization to organization or from solution to solution. Some of the requirements include the following:
• Change frequency
• Minimum password length
• Maximum password length
• Password complexity (alphanumeric, upper case, lower case, special characters)
• Password history controls (determines when a previous password can be reused)
• Account lockout for invalid access attempts

Over time, the volume of passwords that users have to remember, along with the password policy requirements, results in many users adopting insecure ways of remembering passwords that can compromise the overall solution.

Passwords in the Real World. How many passwords does a typical person have to remember? According to a report from LastPass, the average business employee must keep track of 191 passwords. The same report indicated that 81% of confirmed data breaches are due to passwords. In addition, the report indicated that the average 250-employee company has 47,750 passwords in use.

Digital Guardian conducted a survey of 1,000 people about their password security habits. Digital Guardian discovered the following:
• 70% of respondents reported having more than 10 password-protected accounts online, with nearly 30% having too many to count.
• In the United States, the average email address is associated with 130 accounts.
• 11% of consumers use the same password across all of their accounts.
• 49% of respondents reported reusing passwords only for non-sensitive accounts.
• 40% of respondents never reuse passwords.

When asked how they remember their passwords, the respondents' answers included the following:
o Reuse the same password
o Write them down on a piece of paper
o Keep them in a file on their computer
o Keep them in a file in Dropbox or a similar solution
o Use a secure password manager

While there are some positive trends, the volume of passwords that users are required to remember has resulted in the same passwords being used for multiple applications. Using the same password for multiple solutions poses an enormous security risk: when hackers compromise a solution or an organization, they often obtain user names and passwords. When a hacker obtains login information from a user who has reused passwords, the hacker is able to compromise additional user accounts at other solutions or organizations.

Password Security Best Practices. There are certain password security best practices that should be considered, including (from the Digital Guardian survey):
• Update passwords on a regular basis
• Never reuse passwords
• Use passphrases, as they can be easier to remember than passwords
• Protect critical accounts with two-factor or multifactor authentication
• Never store passwords in plain text
• Use a reputable password manager

Password Managers. One way to help implement the password security best practices is to use a password manager. What exactly is a password manager?

Password managers act as a digital gatekeeper to your passwords. A password manager allows a user to securely store all of their passwords; it acts as a vault for all of your passwords. All of your login data (user codes, passwords, challenge questions if you desire, URL address of the website, etc.) can be maintained in the password manager. The user only needs to remember one master password to access the password manager. The master password should be very secure, as that password is the key to the vault.

By Chris Joseph, CPA, CISA, CRISC, CITP, Arnett Carbis Toothman, LLP