
Passwords alone are not enough to protect data

By Christopher Tredger, Portals editor
Johannesburg, 22 Feb 2023
Doros Hadjizenonos, regional director for Southern Africa at Fortinet.

Passwords alone are not enough to protect critical systems and data, says cyber security firm Fortinet. And with so many services and sites requiring their own unique passwords, users are turning to cloud-based password managers or online vaults to help. However, as such services store large amounts of sensitive data, this, in turn, makes them attractive targets, the security vendor says, adding that it’s best to bring in multi-factor authentication (MFA) too.

Vaults can be used to generate complex, random passwords and store usernames and passwords for online banking, email and social media accounts. These are generally encrypted for added security “and are almost impossible to crack”, says Fortinet.

But the company warns that increasingly sophisticated hacking and decryption tools mean no system is 100% foolproof.

Doros Hadjizenonos, regional director for Southern Africa at Fortinet, says cloud-based password managers are attractive targets for hackers, given the large amount of sensitive information they hold. “Even the most complicated passwords, and passwords generated and stored in a ‘vault’ in the cloud, have the potential to be hacked or cracked.”

In December, it was revealed that popular password manager LastPass (formerly LogMeIn) was hacked and information stolen. According to a report in The Independent at the time, while the attackers got away with backups of customer data, the information that was encrypted before the attack will remain that way and prevent access… “to do so, they will need the master password that unlocks that encryption and makes those passwords visible.”

Fortinet advises businesses to use master passwords as another layer of security to protect the vault.

Hadjizenonos says: “This master password is the key to unlocking your vault; it’s not stored or maintained by the password manager.” The master password should never be reused on any other app or site.

Fortinet adds that free browser-based password managers are typically less secure than other options because they’re often not encrypted, and because users tend to stay logged in to them, they can be compromised if a device is stolen.

Hadjizenonos advises: “Adding MFA for any location where sensitive data is stored is an extra step in the login process, but will greatly increase the security of their account and data.”

MFA will become more relevant in cybersecurity strategies as the hybrid work model takes root.

Hadjizenonos continues: “Rapid network expansion is outpacing the ability of IT teams to maintain their traditional point solution security approach. While networking devices are all about connectivity, security solutions need to perform higher-level functions and provide deep inspection of traffic to protect the organisation.”
