Last week a story hit the headlines about a hack of TeamViewer and a subsequent loss of service. This rang alarm bells across the user base that there was a potential hack. I firmly believe this latest alleged “hack” was down to less than exemplary security practices, and to me it highlights why good password protection and management is vital for all organisations.
Getting the basics right with passwords is the best starting point. For example, we recommend our MAX Remote Management customers use a strong, unique password of more than 10 characters for their dashboard account. We also advise that they never use the PAK (press any key) function for access to their dashboard, and that on top of this they enable two-factor authentication (2FA).
However, the problem doesn’t start and stop there… password management can quickly become a nightmare on all sides, whether you’re a business, an MSP or an end user. We have passwords for everything from routers and firewalls to business critical systems and essential software.
What you absolutely can’t do is try to make your life easier by using one password for everything. That’s the IT equivalent of leaving the keys to the castle lying on a table in your porch. Imagine you have a router with an exploitable vulnerability, and that exploit exposes the user ID credentials stored on the device. If that router is compromised and those same credentials are used everywhere, every single device on your network can be taken over. And believe me, one of the first things any hacker worth their spurs will do is explore this possibility.
This is what I believe may well have happened with the purported TeamViewer “hack”. The company’s security team confirmed there were no indicators of a security breach on their side, which leads me to think that the reported security concerns may have resulted from a user’s TeamViewer account and password being the same as that used on another platform. If hackers obtained these credentials from a different compromised site, they would have been able to sign in and connect to their TeamViewer account.
So, let’s take it as a given that you need a separate password for each device. But how can you manage this? Most businesses have an absolutely crazy number of passwords, and managing them is a perennial headache. That’s before we’ve even started to witness the full extent of the Internet of Things (IoT) – each IoT device will need its own password!
One of the most obvious routes is to create an Excel spreadsheet containing all those passwords. But that in itself can be problematic. You need to think about what would happen if that Excel sheet were left at a customer site with all that information on it, or if it was on a USB stick or laptop that went missing.
Allegedly, one of the bits of data that got taken in the infamous Sony hack of 2014/2015 was an unencrypted Excel sheet entitled password.xls. So, if you are going down this route the very least you should do is make sure you encrypt the file and don’t name it so obviously.
Sadly, there is no magic golden bullet as yet, but there are other solutions on the market. You can and should consider looking at using things like software vaults or a password-protected dashboard with 2FA. Whatever you do, you need to make sure you find a system that works for you and that doesn’t ignore the basics.
Good password management should be essential for all businesses, as it not only affects the security of you and your clients but also the very fundamentals of your operational efficiency.
Ian Thornton-Trump, CSA+, CD, CEH, CNDA is CTO at Octopi Managed Services Inc. Ian is an ITIL certified Information Technology (IT) consultant with more than 20 years of experience in IT security and information technology. He enjoys and maintains a strong commitment to the security community. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013.
You can follow Ian on Twitter® at @phat_hobbit.