Many businesses don’t have the time to implement good Identity Security practices, and a bigger issue is that they don’t know where to start.
A good example of this is password management. I’ve had sessions with smaller businesses who think they’re doing the right thing. They’re using a “Password Manager” to stop people from using basic passwords or writing them down.
The problem is that not all password managers are built the same. When Chrome or Edge automatically fills a password into a login field, you haven’t had to unlock anything; it just ‘happens’. Magic!
Except it’s not magic. The browser does encrypt the stored passwords on your laptop, but the key is tied to your operating system login session (on Windows, the Data Protection API of the signed-in user) rather than to a password or ‘encryption seed’ that only you know. Anything that runs as you, including malicious software, can ask the operating system to decrypt the same data and read the stored passwords.
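To make that point concrete, here is an added example (not code from the original post) that uses the Windows Data Protection API directly, the same OS facility Chrome and Edge rely on to protect their stored-password key on Windows. It assumes Windows PowerShell 5.1 and touches no browser profile: one process protects a constructed sample secret and writes only the ciphertext to disk, then a second, separate process recovers the plaintext without ever being given a key or password.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 5.1 on
# Windows (ProtectedData lives in System.Security there). Nothing here touches a
# browser profile; it only shows the property the post relies on: data protected
# with DPAPI under CurrentUser scope is decrypted for any process in that user's
# session, and no password is ever asked for.
Add-Type -AssemblyName System.Security

$scope    = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$secret   = [System.Text.Encoding]::UTF8.GetBytes('correct horse battery staple')  # constructed sample
$blobFile = Join-Path $env:TEMP 'dpapi-demo.bin'

# "Process A" (think: the browser) encrypts the secret and writes only the ciphertext to disk.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
[System.IO.File]::WriteAllBytes($blobFile, $blob)

# "Process B" (think: any app you happened to run) is a separate process that is handed
# nothing but the path to the ciphertext. It recovers the plaintext with no key or password.
$childScript = @"
Add-Type -AssemblyName System.Security
`$blob  = [System.IO.File]::ReadAllBytes('$blobFile')
`$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
`$plain = [System.Security.Cryptography.ProtectedData]::Unprotect(`$blob, `$null, `$scope)
[System.Text.Encoding]::UTF8.GetString(`$plain)
"@
$encoded   = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($childScript))
$recovered = & powershell.exe -NoProfile -NonInteractive -EncodedCommand $encoded

"Ciphertext on disk : $($blob.Length) bytes"
"Child process read : $recovered"

# The same Unprotect call made as a different Windows user, or on another machine, fails
# ("Key not valid for use in specified state"): the protection is bound to the login
# session, which is exactly the context malware running as you already has.
Remove-Item $blobFile
```

The point is not that DPAPI is weak; it is doing what it was designed to do. It is that "encrypted at rest" without a secret the user supplies only protects against someone who is not you, and malware on your laptop is, as far as the operating system is concerned, you.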
Below we showcase a simple exploit that demonstrates how easily an app can export your stored passwords (and cookies).
So what do we do? If you’re going to use a password manager, use a reputable one, such as Bitwarden, that requires you to unlock a vault with a master password before it will reveal or fill credentials, and set a short vault timeout so it locks again when idle rather than staying open for the whole day.
Block the built-in browser password managers by policy (Chrome and Edge both honour a PasswordManagerEnabled policy that can be pushed through Group Policy or MDM), or at the very least train staff not to use them.
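One way to do that on a Windows fleet, as an added example rather than anything from the original post: set the documented PasswordManagerEnabled policy for both browsers and read it back. It assumes an elevated PowerShell session on the endpoint; the same registry values are what a Group Policy or Intune profile would deliver centrally.

```powershell
# Added example, not code from the original post. Assumes a Windows endpoint and an
# elevated PowerShell session; the same values can be pushed centrally with Group
# Policy or Intune. Both Chrome and Edge read the documented PasswordManagerEnabled
# policy from their HKLM policy key; 0 turns off saving and autofilling passwords.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
)

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name 'PasswordManagerEnabled' `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

# Check: read the values back. After a browser restart, chrome://policy and
# edge://policy should list PasswordManagerEnabled = false at Machine scope.
foreach ($key in $policyKeys) {
    $value = (Get-ItemProperty -Path $key -Name 'PasswordManagerEnabled').PasswordManagerEnabled
    '{0}\PasswordManagerEnabled = {1}' -f $key, $value
}
```

Two caveats. The policy stops the browser offering to save or fill passwords; it does not remove credentials already sitting in a profile, so pair it with clearing the saved passwords users have accumulated and rolling out the vault-based manager’s extension. And on Linux the same policy is read from a JSON file under the browser’s managed policy directory (for Google Chrome, /etc/opt/chrome/policies/managed/) with "PasswordManagerEnabled": false.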
Better yet, where you can, remove the need to log in to websites with passwords at all. SAML and OpenID Connect move the login to a central identity provider, so there is one credential to protect with MFA or a passkey instead of one per site, while Passkeys and Verifiable Credentials remove the shared-secret password from the login equation altogether.
Assertiv runs introductory Identity Security Workshops for organisations looking to get back in control and close security gaps. You can learn more about this first step here.
