3 Ways To Protect Your User Credentials

When we take on a new client, we often find that they have been storing user credentials like usernames, passwords, PINs, secret questions, and even checking account numbers in an Excel file. This is a bad idea, and we’ll tell you why.

In one case, an employee took this information with him when he left the company. The file was stolen from his private computer, and a criminal from the Philippines used the information to open up accounts in PayPal and other sites. They transferred the company’s money to themselves, and they purchased items under these new accounts.

Excel is the most common platform used to store user credentials.

As I said, we see this all the time.

We perform remote support quite a bit, and you wouldn’t believe how many times we see an Excel or Word file labeled “passwords” or something along those lines stored on users’ desktops.

Why You Shouldn’t Store Credentials In Excel

Storing private account credentials and passwords in any spreadsheet can result in a serious security risk. Excel isn’t intended to be a password manager, and it never will be.

It’s a great program to use for mathematical functions but doesn’t provide strong security. It will leave you open to data loss. It also lacks the protection needed for tracking usage, auditing and demonstrating compliance.

Your private user credentials must be protected with the highest level of security possible.

What Should You Do Instead?

1. Keep Your Credentials Safe With IAM

Verizon’s 2017 Data Breach Investigations Report states that 81% of hacking-associated breaches leveraged weak and/or stolen passwords.

Identity Access Management (IAM) prevents this. It uses technology, processes, and people to control, manage and remove user permissions.

IAM also designates processes for users to access business information. It’s key to controlling access to your business resources.

The right IAM will:

  • Control how individuals are identified in a system.
  • Define how roles are identified in a system and how they are assigned to individuals.
  • Add, remove and update individuals and their roles in a system.
  • Assign levels of access to individuals or groups of individuals.
  • Protect sensitive data within the system and secure the system itself.

Many businesses purchase or subscribe to third-party Identity Access Management solutions. They come in different forms, such as an identity-as-a-service (IDaaS) cloud model, a hybrid cloud model, a traditional on-premises model or a microservices model.

IAM microservices are used for a particular aspect like privileged account management, account compliance management or user authorization management.

2. Use An Enterprise Password Manager

An enterprise-based password manager will force your employees to use strong passwords and schedule times for them to be changed.

It also includes a control for admins to determine if passwords need to be changed for any reason. These password managers work on almost any operating system and on mobile devices as well.

Use a solution that:

  • Has top-level security with compliance and audit features.
  • Lets you store, manage and share passwords securely.
  • Provides real-time management and disaster recovery.

There are a number of good business-grade Password Managers available today. More than 13.5 million people and 43,000 businesses use LastPass because it comes with a range of features including:

  • The ability to create long, randomized passwords that protect against hacking.
  • Password syncing across all of your devices, including your smartphone.
  • Two-factor authentication (2FA) using your mobile device.
  • Storage for unlimited logins.
  • Automatic form completion.
  • Biometrics (finger and thumbprint reading) for quick access.

After you set up a master password, a program like LastPass lets you import all of your current login credentials (passwords and usernames) from browsers like Google Chrome, Microsoft Edge, Firefox, Opera and Safari. This makes managing all of your credentials easy while safeguarding them.

3. Use Two-Factor Authentication

There are also a number of good enterprise two-factor authentication applications. Google Authenticator got the best rating overall from PC World.

Because of today’s growing cyber threats, many companies are using advanced 2FA techniques like a Time-based One-Time Password (TOTP).

This is where you receive a software-generated token (soft token) or hardware token to access an account or website. Hardware tokens include things like key fobs or USB sticks that you use for access. Soft tokens are stored on your computer or mobile device and can generate tokens for different services.

And now, biometric scanning of fingerprints, faces and retinas is becoming more popular. But in most instances, the extra authentication is still a numeric, one-time code that’s sent to your phone.

Your IT service company can help you decide which credential-protecting solutions will work best for your business.