never guess her passwordPasswords are a necessary evil in our online and digital world.  There are lots of tools out there that help us deal with them but you have to use them every day in some way unless you are completed unsecured or off the grid.  LastPass recently released an interesting report about the use of passwords.  Let’s see what new trouble we can find in these details about our daily password battle and discuss some options we have found for dealing with them.

HIPAA For MSPs by David Sims Passwords Are A Necessary Evil
00:00:00 00:00:00

As we have mentioned many times we both are users of LastPass and have been for years.  We don’t get anything special for telling everyone to use them, though.  The report they recently released, The 2018 Global Password Security Report, they make this statement.

Much like our 2017 report, The LastPass Password Exposé, this report represents organizations of all types and sizes across nearly every industry. Compared to last year, the data set has grown significantly and allows us to draw a more precise picture of password management. Though the data only reflects LastPass users, we’ve broadened our conclusions for the IT community at large.

What is interesting is that they are taking things a step further with the data to help the community at large have something to reference when making decisions and setting policies.  Some of the information wasn’t a surprise at all like Healthcare sucks at it.  I think there are still some valuable lessons we can use in here, though.

First, let’s understand how LastPass scores security of passwords in their system.  They use an algorithm that looks at several factors.  The LastPass Security Score is calculated using the following criteria:

  • The number of duplicate passwords
  • The number of sites marked “vulnerable” (due to publicly disclosed data breaches)
  • The number of weak passwords
  • The average strength of each password
  • The strength of shared passwords
  • The multifactor authentication score

This total score tells businesses not only how strong individual passwords are but how well those passwords are protected.

We have so much stuff in our accounts from family and clients it drives me nuts that my score isn’t higher than it is.  I am still in the top 11 percent at 67% but would prefer to jettison the dead weight and get a better look at where I stand.  LastPass doesn’t have that feature yet but I hope that add it soon.

What they had to say about industries is very interesting but, again, not surprising.

Since many Technology companies need to comply with privacy and data laws, it’s not surprising they lead the pack. What is surprising, though, is that heavily-regulated industries like Banking, Health, Insurance, and Government are not achieving comparable (or even superior) average Security Scores. And given that those industries – in particular, Health – are more frequently targeted by attackers, we would expect to see higher commitments to password security.

Yes, we know.  Health had an average security score of 49 out of 100.  That is an indication of just how much work there still is to be done in securing healthcare information!  Granted, the highest average was 53 for IT companies.  I think that will likely be hurt just like we are by all the accounts we have on file even though we don’t agree with what the password may be.

On just password strength healthcare was a score of 51.  You would think that with the requirements for passwords we would see that much higher but we all know why that can’t be.  We have to enter that passwords too often and too quickly when working in healthcare.

So what do we do about the password issues we keep seeing?

Multifactor authentication is one very important step forward.  We have explained this concept before and we encourage everyone to activate this tool anywhere that you can do so.  It is by far the easiest way to cut down on accounts being taken over due to bad passwords.  Is it perfect? No.  There are ways to hack it too.  However, you just have to be faster than the other guy not faster than the bear.  With a long list of accounts without multifactor available, they will just move on to someone else once they learn you have it turned on.  If you are a specific target then thing change but the most cases you will find include random selection as the starting point.

Other methods of authentication are catching on but they can be expensive.  Imprivata is the major player in the single sign-on space for healthcare.  Everyone sees them as the standard where you tap or swipe a badge to get logged into systems.  They are also priced that way.  We haven’t seen any small business be able to afford them yet.  Others are out there though.  One that we have been testing and working with for a few years is very promising and offers a pricing model that is more in line with the size of businesses we usually work with.  The company is Untethered Labs and their products are under Gatekeeper name.  The latest versions of their tools are very impressive.  I use their Halberd on my desktop just so I don’t have to always enter my long password.

It is important to note that these tools still have 2 factors that are used to log into accounts.  You must have the device and a password.  I still see folks in hospitals grumble and enter a password from time to time.

Another player making moves in this space is Okta.  They are a cloud single sign-on solution with a lot of cool features.  You have one login to their system and then they have connections to thousands of sites and apps already set up.  They also have APIs to allow vendors to tie into their platform.  It is growing pretty quickly and may be a way to solve the problem in a different way.  In fact, it showed up in the LastPass report as one of the top 30 websites accessed by businesses.

No matter what you choose you must find a way to stop using 8 character passwords that everyone knows and uses for every site.  This is not the time to stick with what you always did because it works.  If there is a problem with increasing the complexity then you have to fix that problem not keep simple passwords in place.  For some fun check out the calculator on this site.  It shows you the maximum time it would take to crack your password in 1982 processing all the way up to 2020.  You can bet that the numbers are dramatically different.

The password won’t be going away any time soon.  Until we have affordable retina scans we don’t have a chance at making it super secure.  Even then, what will you do when you need to log into your parent’s account to fix something they have done!