Fresh start: Time to reset passwords and rethink your password management strategy

Most people have probably broken their new year’s resolutions by now, but here’s one I plan to stick with: resetting my passwords and rethinking the strategy behind password management solutions.

Here’s why. If you work in information security, you already know how severe the LastPass security breach, announced in late December 2022, was. By at least one account in Wired, the LastPass hack was actually “a massive and concerning data breach that exposed encrypted password vaults—the crown jewels of any password manager—along with other user data.”

The big problem for users is that, as Wired points out, changing the LastPass master password that protects the vault data cannot protect data that has already been stolen. The attackers hold offline copies of the vaults, so those copies are guarded only by each user’s master password and the key-derivation settings that were in effect when the copy was taken; a new master password re-encrypts the live vault and does nothing to the stolen one. The practical response is to rotate the credentials stored inside the vault, starting with the most sensitive ones. And that’s a big issue.

Over the past decade, we relied on LastPass (or alternatives like 1Password, or Apple’s iCloud Keychain) to keep our critical passwords accessible and, more importantly, safe. We were relieved that we could have the convenience of an automated solution that could also keep our passwords protected in an encrypted format. We assumed the security measures were foolproof. But with this latest LastPass breach, it’s time to rethink the password strategy.


Password resolutions

It’s a new year, so why not make a fresh start with your password security? Update and refresh your passwords, regardless of whether you think you’ve been compromised or have a chance of being compromised. This is critical even if you don’t use a password manager and rely instead on a sheet of paper or dozens of sticky notes.

With this latest breach and those earlier in 2022, it’s more than likely that your employees have at least one of their passwords sitting out there, exposed in the wild. And it doesn’t matter whether you point the finger at LastPass or something else. If somebody has had a password that’s been live for more than a year, they’re probably putting themselves and the company at risk.

It’s also time to rethink your use of password managers. Do you want to place that much trust, with all your passwords, in the hands of one vendor? There may have been a time, about 5-7 years ago, when it was super convenient and safer to use password managers. But the LastPass breach proved that even the most convenient and secure ‘foolproof systems’ have flaws and can be hacked as well.


Managing employee access

Taking it a step further, make it a point to do continuous employee training to help your teams avoid being duped by phishing and malware tactics. User behavior in organizations has proven over and over to be a significant vulnerability, often leading to exposed credentials.

At least two studies on data breaches during 2022 found that employee errors or mistakes caused either 88% or 95% of data breaches. You choose which number you believe. In any case, that is too high a percentage to ignore, and it’s likely going to grow unless organizations rethink how they provide and manage access to their critical systems. More often than not, too many employees have access to things that they don’t really need.


What about cloud security?

Organizations must also better understand who can access corporate assets in the cloud. In theory, cloud security should be stronger, as some of the very best enterprise organizations manage it. But breaches can occur even within those organizations, like one did in May 2022 at AWS. And even when the provider secures the platform, who can reach your accounts and data inside it remains your responsibility.

In your cloud environment, access monitoring should also be a priority. Managing permissions and levels of permission can get complicated with revolving contractors, provisioning issues, and potentially hundreds of services and features, each with its own permission model. Limiting access is important not just for improved security, but also for cost reduction. Why pay for access for people who don’t need it or shouldn’t have it?

Among my portfolio companies is an enterprise security company that’s helping to refine exactly how to automate access management for cloud environments and SaaS applications. Their MO is all about determining which employees or contractors have access to which systems and projects, and enabling the continuous provisioning and management of that access. The solution can quickly remove accounts belonging to former employees or to contractors who are no longer on the project, which improves security and drives down costs. This is all done while ensuring that users only have the access they need to do their jobs. I’m confident that efforts in this direction will become more commonplace moving forward.
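The pruning logic described in the last two paragraphs (stale accounts, departed contractors, year-old passwords, unused keys) is simple enough to script. The example below is added here for illustration and is not the portfolio company’s product code or any vendor’s API. It joins an IAM-style credential report to an HR roster and returns, per user, the reasons the account should be rotated or removed. The report columns are loosely modelled on the AWS IAM credential report, but all rows, the roster, the review date, and the 365-day password and 90-day key-idle thresholds are constructed assumptions for this example.

```python
"""Access review: join an IAM-style credential report to an HR roster and
flag accounts to prune or credentials to rotate. All data below is
constructed for the example; thresholds are assumptions, not policy."""
from datetime import datetime, timedelta, timezone

# Assumed thresholds for this example (not taken from the article).
MAX_PASSWORD_AGE = timedelta(days=365)
MAX_KEY_IDLE = timedelta(days=90)


def parse_ts(value):
    """Parse an ISO-8601 timestamp; credential reports use N/A-style markers
    when a field has no value, which we treat as 'never'."""
    if value in ("N/A", "no_information", "", None):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_user(row, roster, now):
    """Return the list of reasons this user's access should be touched."""
    reasons = []
    person = roster.get(row["user"])
    if person is None:
        # Account exists in IAM but HR has no record: offboarded or orphaned.
        reasons.append("not in HR roster: offboarded or orphaned account")
    else:
        if person["status"] != "active":
            reasons.append(f"roster status is {person['status']}")
        end = person.get("contract_end")
        if end and parse_ts(end) < now:
            reasons.append(f"contractor engagement ended {end}")
    # Console password: rotate if older than the threshold or never set.
    if row["password_enabled"] == "true":
        changed = parse_ts(row["password_last_changed"])
        if changed is None or now - changed > MAX_PASSWORD_AGE:
            reasons.append("console password older than 365 days: rotate")
    # Access keys: deactivate any active key idle past the threshold.
    for slot in ("access_key_1", "access_key_2"):
        if row[f"{slot}_active"] == "true":
            last_used = parse_ts(row[f"{slot}_last_used_date"])
            if last_used is None or now - last_used > MAX_KEY_IDLE:
                reasons.append(f"{slot} unused for more than 90 days: deactivate")
    return reasons


def review_access(report, roster, now):
    """Map each flagged user to its reasons; clean users are omitted."""
    findings = {}
    for row in report:
        reasons = review_user(row, roster, now)
        if reasons:
            findings[row["user"]] = reasons
    return findings


# Constructed sample data: the review date, four IAM users, and an HR roster.
NOW = datetime(2023, 1, 15, tzinfo=timezone.utc)

CREDENTIAL_REPORT = [
    {"user": "alice", "password_enabled": "true",
     "password_last_changed": "2022-11-01T08:00:00Z",
     "access_key_1_active": "true", "access_key_1_last_used_date": "2023-01-14T10:00:00Z",
     "access_key_2_active": "false", "access_key_2_last_used_date": "N/A"},
    {"user": "bob", "password_enabled": "true",
     "password_last_changed": "2021-06-30T08:00:00Z",
     "access_key_1_active": "true", "access_key_1_last_used_date": "2022-08-01T10:00:00Z",
     "access_key_2_active": "false", "access_key_2_last_used_date": "N/A"},
    {"user": "carol-contractor", "password_enabled": "false",
     "password_last_changed": "N/A",
     "access_key_1_active": "true", "access_key_1_last_used_date": "2023-01-10T10:00:00Z",
     "access_key_2_active": "false", "access_key_2_last_used_date": "N/A"},
    {"user": "dave", "password_enabled": "true",
     "password_last_changed": "2022-12-01T08:00:00Z",
     "access_key_1_active": "false", "access_key_1_last_used_date": "N/A",
     "access_key_2_active": "false", "access_key_2_last_used_date": "N/A"},
]

HR_ROSTER = {
    "alice": {"status": "active", "contract_end": None},
    "bob": {"status": "active", "contract_end": None},
    "carol-contractor": {"status": "active", "contract_end": "2022-12-31T00:00:00Z"},
    # dave has left the company; his IAM user was never removed.
}


def run_review():
    """Run the review over the constructed data."""
    return review_access(CREDENTIAL_REPORT, HR_ROSTER, NOW)


if __name__ == "__main__":
    for user, reasons in run_review().items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

On the constructed data, alice is clean, bob needs a password rotation and a key deactivation, carol-contractor is past her engagement end date, and dave is an orphaned account with no HR record. The roster join is the part that matters most: a credential report alone can tell you a key is idle, but only the authoritative source of who still works on what can tell you the account should not exist at all.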

Beyond limiting access, reducing human error will also lessen opportunities for a cybersecurity attack on your organization. This requires continuous training around phishing, password cycling, and web surfing behavior, among other topics. Taking these proactive precautions within your organization can reduce the human mistakes that lead to data breaches.


Consolidation driving progress

While it appeared that 2022 was going to have a pretty weak showing when it came to growth rounds and exits for cybersecurity firms, a late investment surge in Q4 led to a better-than-expected investment scenario, according to Momentum Cyber research.

The year ahead could see consolidation among firms in cybersecurity and data management. As financial markets start to recover and larger companies gain more confidence, they may be more inclined to buy the advanced technology that the startup world provides, likely at lower multiples than were achievable a few months ago. And with market consolidation, CISOs may see some relief as one-off relationships get tucked into one of the larger providers. This would be good for the startup world, and more so for security execs looking to drive down the number of vendor relationships they manage.

The year ahead looks promising. By taking a proactive stance on resetting passwords, rethinking password management strategies, improving employee cybersecurity savvy, and limiting who has access to what and when, you may just be able to better safeguard against some of the nefarious attacks 2023 might have in store for us.
