In the aftermath of last month's data breach at LinkedIn, in which over 6.4 million hashed passwords were stolen, we highlighted the general implications of such password compromises:
“How does a data breach in one site affect end users?
It is quite common for users to use the same login credentials in multiple sites – social media and other applications. Still worse, some users tend to use the same password for all accounts – right from email accounts, social media to banking, brokerage and finance accounts.
If the password gets exposed in one of the sites, just as it happened in this case, in all probability, hackers would be able to easily gain access to your other accounts too.”
Now comes the report of a security breach at Dropbox. Passwords stolen from another site were apparently used to access Dropbox accounts. The password of a Dropbox employee was among those stolen. Hackers exploited that and gained unauthorized access to a Dropbox document containing hundreds of email addresses. Thereafter, some Dropbox users in Europe started receiving spam at the email address associated with their Dropbox account. In a blog post, the Dropbox VP of Engineering stated:
“Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.
A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam.”
So, it has become evident that in this era of online applications, it is always prudent to have a unique password for every website and application, and to supply it ONLY on that site or app. When there is news of a password exposure or hack, you can then change the password for that site or app alone. In addition, you should follow the practice of changing your passwords frequently.
The Dropbox blog post also stresses the dangers associated with password reuse:
“We strongly recommend you improve your online safety by setting a unique password for each website you use. Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk.”
But here comes the problem: you will have to remember multiple passwords, sometimes tens or even hundreds of them. It is quite likely that you will forget some of them and, at the moment you most need to log in, you will struggle to do so.
The way out – Use a Password Manager!
Just as you have an email account, you should consider using a password management application too. To combat cyber-threats, proper password management should become a ‘way of life’. Password Managers securely store all your logins and passwords. In addition, you get the option to launch a direct connection to websites and applications from the password vault’s GUI itself: you do not even need to copy and paste the passwords. Just click the link and you will be logged in. Only after deploying a Password Manager will you realize how easy it is to eliminate password fatigue and security lapses.
Enterprises should also wake up
As stolen identities serve as the ‘hacking channel’ for most cyber-criminals, analysts generally believe that improper management of administrative passwords, often aptly referred to as the ‘Keys to the Kingdom’, is at the root of many security threats.
Passwords for enterprise IT resources are often stored insecurely in places like spreadsheets, text files and even on paper. This haphazard style of password management makes the enterprise a paradise for hackers, internal or external. Unfortunately, enterprises generally do not attach importance to this crucial aspect of administrative password management until a security incident or identity breach rocks the organization. This negligence often proves costly. Many security breaches actually stem from a lack of adequate password management policies and internal controls. Most security incidents are avoidable by putting access restrictions and well-defined password policies in place.
One effective way to achieve such internal controls is to deploy a Privileged Password Management solution that replaces manual processes and helps achieve the highest level of security for the data. Privileged Password Managers securely store privileged identities in a centralized vault, restrict access to those identities and automate identity and password management activities. This helps organizations take total control of their privileged identities.
Password Manager Pro – An absolute necessity
ManageEngine Password Manager Pro is an enterprise-class privileged identity and information management solution, trusted by scores of administrators worldwide. It comes in handy for securing all types of passwords, enterprise and personal.
The original article/video can be found at “Dropbox hack unveils the absolute need for Password Managers!”