Browsers & Password Management
Source: Wikimedia

Web browsers are one of the most useful and prevalent software applications on workstations/PCs.

The reason is that many organizations, from financial institutions to retail pet stores, put their client-facing front end on their website, where clients enter a username and password and access the resources the organization provides them, often with stored payment information behind that login.

Web browsers also give you the capability of saving both your usernames and your passwords for the resources these same organizations provide you. This is set up as a convenience for users, but it's dangerous.

What this creates for malicious users is something of a honeypot... a prize located somewhere on the network which, once they take control of it, gives them access to many, many things:

  • The login and password to your bank/credit union.
  • Your VPN password to your company network.
  • Your alumni portal.
  • Your grocery store retail login.

And so many others.

I for one am not a proponent of using the web browser to save your username, nor your passwords.

I am a big proponent of locking your workstation when you step away, and here's why for both of these points:

Let's suppose you left your workstation at work for lunch. Your network screen lock rules do not lock your workstation for 20 minutes. It will only take me 30 seconds to sit at your workstation, choose the application of yours that I want access to, and lift both your username and password directly out of the browser. Then I can focus on your bank account and its contents at my leisure.

Now you're saying, well, wait a minute... wouldn't somebody notice a stranger sitting at my workstation doing this? That depends on the office layout you work in, on when everybody else goes to lunch, and on what time you actually leave for the day, whether at lunch or in the afternoon or evening. Why is that important?

There is a host of people who have access to the environment in which you work. If you give them that 20 minutes to sit at your workstation, AND if they decide to take the time to do so, they could traverse your favorites/bookmarks, visit each one of your saved resources, and lift every username and password that you use.

Cleaning staff, vendors, employees working late, visitors who snuck in or staged themselves for closing time impersonating one of the above... In this business of information security, you cannot underestimate anybody.

I'm happy to demonstrate this for you, but I'm not going to outline how it's done online. This kind of information has already proliferated too much.

You may be saying to yourself, "well, that would take a lot to do, don't you think?" I would agree with you, but if you're good at what you do... like many bad actors are, how hard do you really think it will be?

Depending on the governance that has purview over your industry, exposure of an individual's private information can earn your organization fines.

Often, that fine is per individual's information that you allow to be exposed.

Translation: sometimes millions of dollars, and in some cases (yes) jail time.

There is a huge responsibility on organizations of all industries to protect this information. Who you are and what your organization's core business is will dictate what you have control of or access to, and that will amplify the damage done by bad actors. I'm sure that you can envision some of your own worst-case scenarios here. Here are a few examples:

Let's suppose I oversee an electronic medical record system. Or let's suppose I oversee a nuclear reactor's cooling level. You get the drift. If you are careless, you can expose thousands of people's medical records, or cause an evacuation of the entire geographical area in which you live.

We need to protect our credentials.

No more post-its on workstations with usernames, passwords, NPI numbers, bank account numbers, EINs, nothing that is individually identifiable information that we need to protect for people.

We need to save our usernames and passwords elsewhere, for if you're like me, you have a list of hundreds of passwords. Rather than recycling the same password for 20 different things, keep them in something separate... like a password-protected page in OneNote, protected by a password that is difficult to guess, even one constructed from a sentence that only you are familiar with. Yes, it is annoying, and yes, it takes extra time. But then again, so does recovering from a ransomware attack.

We need to turn on two-factor authentication, using either authenticator apps on smartphones, or at least 2FA via text messaging.

This particular element of cybersecurity is within everybody's control and is everybody's responsibility. Bad actors only have to get it right once. We have to get it right each and every time. You cannot leave this all to IT. You have to own this also.
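The two controls this post argues for, blocking browser password saving and closing the idle-session window, can both be checked from the workstation itself. The script below is an added example, not part of the original article: it reads the standard Windows Group Policy registry locations for Chrome, Edge and Firefox password-manager policy and for the idle lock timeout, and reports whether the 20-minute window described above still exists. It assumes Windows 10/11 and an elevated PowerShell session; the 10-minute "acceptable" threshold is an assumption, not a value from the post.

```powershell
# Added example (not the article's own code). Assumes Windows 10/11, elevated PowerShell.
# Registry paths are the standard Group Policy locations; adjust if your policies live elsewhere.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent means the policy is simply not set
}

# 1. Are browsers permitted to save passwords? (PasswordManagerEnabled = 0 blocks it)
$browsers = @{
    'Chrome'  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    'Edge'    = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
    'Firefox' = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'
}
foreach ($b in $browsers.GetEnumerator()) {
    $v = Get-RegValue -Path $b.Value -Name 'PasswordManagerEnabled'
    $state = if ($v -eq 0) { 'blocked by policy' } else { 'ALLOWED (no policy, or policy enabled)' }
    "{0,-8} password saving: {1}" -f $b.Key, $state
}

# 2. How long can an unlocked session sit idle? Two policies can lock it:
#    the machine-wide inactivity limit, and a secure screen saver with a timeout.
$idle   = Get-RegValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'InactivityTimeoutSecs'
$ssPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ssOn   = Get-RegValue -Path $ssPath -Name 'ScreenSaveActive'      # REG_SZ "1" when enforced
$ssLock = Get-RegValue -Path $ssPath -Name 'ScreenSaverIsSecure'   # REG_SZ "1" = lock on resume
$ssTime = Get-RegValue -Path $ssPath -Name 'ScreenSaveTimeOut'     # REG_SZ seconds

$candidates = @()
if ($idle -and [int]$idle -gt 0) { $candidates += [int]$idle }
if ($ssOn -eq '1' -and $ssLock -eq '1' -and $ssTime) { $candidates += [int]$ssTime }

if ($candidates.Count -eq 0) {
    'Idle lock: NOT enforced by policy (the session stays open until the user locks it)'
} else {
    $secs = ($candidates | Measure-Object -Minimum).Minimum
    # 600 s is an assumed threshold; pick the value your own policy requires.
    $verdict = if ($secs -le 600) { 'ok' } else { 'too long: the lunch-break window the post describes exists' }
    "Idle lock: {0} minutes ({1})" -f [math]::Round($secs / 60, 1), $verdict
}
```

A user-level screen saver timeout set outside policy (under HKCU:\Control Panel\Desktop) is not counted here, because a user can change it back; only enforced settings close the window.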

I wish you and your organization the best in your secure use of information assets!

Monikaben Lala

Chief Marketing Officer | Product MVP Expert | Cyber Security Enthusiast | @ GITEX DUBAI in October

3 days ago

William, thanks for sharing!
