Are your credentials on the dark web?

Posted:
08/04/2020
| By:
Jay Ryerse

Would you give someone your password to log into your bank or investment account? How about your email or other cloud service account? It’s safe to say that no one wants to willingly give out their credentials to a high-impact account such as those, but every day many users, possibly even your customers or members of your team, may be doing something just as risky.

We hear the warning all the time, “Don’t use the same password for multiple accounts.” However, the challenge of an ever-increasing number of applications means balancing an ever-growing number of accounts. Remembering individual passwords can be a pain—if not impossible. A password manager can help. Ultimately, however, the scariest threat of them all is a credential exposure.

What is a credential exposure? This is when a company which has your login information has a breach (public disclosure of personally identifiable information) and the attacker gains access to these account records. If stored improperly by the company being breached those account records can be exposed, giving the attacker access to your login information. Since most applications now use an email address for the username, and many people use the same password across multiple applications, it’s easy to see how this can quickly cause chaos. All of this might leave you wondering what steps you can take to protect yourself.

1. Enable multi-factor authentication

The first thing you can do to protect your credentials is to enable multi-factor authentication (MFA) on any account that supports it. Get used to using that authenticator app. The extra time spent during login will more than make up for the time you will lose recovering from a data exposure which results in a compromised account. There are free and paid options, including Microsoft’s Authenticator app which works well with the Office 365 and Azure infrastructure many of our partners leverage. This is the first of many precautions to take and should be a standard in both your office and through you to your customers.

2. Use a secure password manager

While there is a risk associated with storing all your passwords in one place, the balance of having the manager generate and remember strong passwords is worth that risk for most users. Also, many offer ways to securely share a password with another user, determine who has accessed a password, and ensure that if someone who had accessed a password ever leaves your company you know which passwords need to be updated.

3. Perform a “dark web scan”

There are multiple sources available for “dark web scanning” which is the practice of searching the results of publicly shared data breaches where credentials were exposed. Not only can these sources tell you of the exposures associated with your email account, they will also inform you of the password which was exposed so you know to stop using that one going forward. ConnectWise Fortify, our security product suite, contains a dark web scanning option, among many other great features. This is a service you can provide to your customers (and perform on your own business as well) to find those exposures and warn users before they lead to problems.

4. Ensure your product set is secure

You need to make sure that the software you use with your clients is secure. So how is ConnectWise helping you to be more secure? Our single sign on solution provides for one account that allows you to access our entire suite of products. And we are continuing to expand on the products’ support of our SSO solution, making it easier for users to set up, connect products and manage the account. Additionally, we offer that dark web scanning service as a part of Fortify for Protection , which can help you discover these exposures before they cause you and your team pain.

Finally, it’s important to keep in mind: If your credentials have been exposed publicly, you can never use that password again. Once that password is part of a public list, especially one that is associated with your email address, you can be sure it will be included in a future attack. If you use similar passwords, change those too. The risk is too great to even consider using it again, and any other account which uses the same password should be immediately changed as well. Remember, this is not personal. You may not have caused that exposure, but that credential is now public. There is no shame in something you cannot control, but proper action after the event is the only way to protect yourself moving forward.

Remember these tips for login credentials and protect your house from this type of attack. Provide these tips to your clients to protect them as well. Every precaution you take today is one less risk to manage later.