Every organization relies on credentials in order to unlock the proprietary tools, platforms, and data necessary to perform essential business operations. But despite their importance, credential management errors abound in many enterprises — primarily resulting from human errors.
According to Verizon’s 2021 Data Breach Investigations Report, 85% of breaches were caused by human error with 60% of these breaches targeting user credentials. By taking the right approach to privileged access management (PAM), enterprises can shrink the chances of credential management errors and thereby reduce the risk of cyberattacks.
However, guaranteeing error-free credential management is easier said than done. Between end-user practices like credential sharing, the use of default passwords or poor passwords, and overlooking critical credential management steps, there are many common credential management errors that could compromise your enterprise data security.
In order to ensure the protection of important credentials, organizations must understand the challenges associated with credential management today. This article will explore why so many companies fall victim to these core credential management issues, and how to overcome them for stronger cybersecurity.
Error One: Credential Sharing
Credential sharing — the sharing of one’s business credentials with unauthorized users for task completion — contributes to the unnecessary and dangerous exposure of enterprise data. Every new person that gains access to an important file, system, or insight becomes another vulnerability in your attack surface.
According to Kaspersky, 90% of all cyberattacks are successfully executed using information stolen from employees who unwittingly give their credentials away. This often happens as a result of hackers impersonating staff members and requesting credential sharing. Sharing credentials also breaches the least privilege principle, yielding human errors like forgetting to revoke access after credential sharing.
If credential sharing is known to be so dangerous, why does it keep happening? Unfortunately, sharing credentials is often faster and easier than going through lengthy, manual PAM processes. When stakeholders don’t get the relevant credentials they need to do their work, productivity falters and critical business operations get put on hold. But when credentials are shared to improve productivity, security is sacrificed.
Error Two: Poor Passwords
Poor password and key security causes an estimated 81% of data breaches. The issues resulting from password mismanagement are usually two sides of the same coin: passwords are either too simple or too complex to store and remember effectively.
In many work environments, employees leverage the same or similar credentials for multiple company accounts — whether it be reusing passwords, using the same “base” passwords with slight modifications, or using simple passwords throughout business environments. Using similar and consistent credentials increases the likelihood of cybersecurity compromise since it enables hackers to unlock all credentials by exposing just one — the “master” credential.
On the other end of the spectrum are employees who utilize many complex passwords that are difficult to remember and store. When complicated credentials are not managed properly, it’s easy to forget them entirely. This forces organizations to undergo mountains of forgotten password resets, which greatly drains time and resources. According to Gartner, it costs roughly $14 to $25 USD for every call related to lost and forgotten passwords — and half of total calls to an organization’s help desk are related to password mismanagement.
Error Three: Using Special Characters, Resulting In Weaker Passwords
Companies often require passwords to have special characters, hoping to promote less compromisable passwords. However, this can actually lead to simpler passwords that are more easily uncovered by malicious attackers.
People tend to make their passwords easier to remember when they have to use special characters, even repeating the same password for their many credentials. In order to combat this common practice, many organizations are changing credential management practices.
For instance, Microsoft advises administrators not to impose character composition requirements on end-users and to avoid mandatory periodic credential resets. The White House also requires federal agencies to remove password policies that force end-users to use special characters, and to remove any password rotation requirements. We will likely see many other corporations follow suit in the very near future.
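The guidance in Errors Two and Three amounts to a concrete policy: enforce a minimum length, screen against a list of known-bad passwords, and reject a "new" password that is really the old one with a digit or symbol bolted on, instead of demanding special characters. The following Python is an added example written for this article, not code from the original page or from SSH.COM; the blocklist is a tiny constructed stand-in for a real breached-password list, and the similarity threshold of 0.8 is an assumed tuning value.

```python
import re
from difflib import SequenceMatcher

# Constructed blocklist: in practice load a real breached-password list (assumption).
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "iloveyou", "admin"}
MIN_LENGTH = 12          # length, not composition, is the main strength lever
SIMILARITY_LIMIT = 0.8   # assumed threshold; above this the password counts as a variant

# Common substitutions users make to satisfy special-character rules.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "i"})


def normalize(password: str) -> str:
    """Reduce a password to its 'base' form, so Summer2021! and summer2022 compare equal."""
    p = re.sub(r"[^a-z]+$", "", password.lower())   # strip the trailing year/symbol suffix
    p = p.translate(LEET)                            # undo P@ssw0rd-style substitutions
    return re.sub(r"[^a-z]", "", p)                  # drop whatever non-letters remain


def similarity(a: str, b: str) -> float:
    """Similarity ratio between the base forms of two passwords (0.0 .. 1.0)."""
    na, nb = normalize(a), normalize(b)
    if len(na) < 4 or len(nb) < 4:        # base form too short to be meaningful, compare raw
        na, nb = a.lower(), b.lower()
    return SequenceMatcher(None, na, nb).ratio()


def evaluate_password(candidate: str, previous: list, username: str = "") -> list:
    """Return the policy violations for a proposed password; an empty list means accepted."""
    problems = []
    base = normalize(candidate)
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if base in BLOCKLIST:
        problems.append("appears in the blocklist")
    if username and normalize(username) and normalize(username) in base:
        problems.append("contains the username")
    for old in previous:
        if similarity(candidate, old) >= SIMILARITY_LIMIT:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, history in [("P@ssw0rd2024!", []),
                        ("Summer2022!!", ["Summer2021!"]),
                        ("correct horse battery staple", ["Summer2021!"])]:
        print(pw, "->", evaluate_password(pw, history, username="alice") or "accepted")
```

Note that `P@ssw0rd2024!` satisfies every composition rule and still fails, while a long passphrase with no special characters passes; that is the trade-off the passage describes.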
Error Four: Using Default Passwords for Critical Components Like Servers
It’s no secret that critical enterprise data needs to be highly secure. Standard PAM tools may work perfectly fine for common communications, but confidentiality requires robust security. Not only is classified information particularly valuable to hackers, but much of this data also needs to meet compliance and other industry-specific regulations.
Many organizations use default passwords for critical components like servers, trusting them because they are randomized (meaning they boast a series of random letters, integers, and sometimes symbols). However, these “randomized” passwords are actually pre-installed onto these systems, making it easy for intelligent hackers to access default passwords and break into these critical systems.
Unfortunately, the randomness of default passwords causes them to seem more complex and foolproof than they actually are. This often gives end-users a false sense of security.
Error Five: Overlooking SSH Keys
Like default passwords, SSH keys give many end-users a false sense of security when it comes to credential management. SSH keys are lengthy strings of key material with a default key length of 1024 bits, which means they are significantly more secure than your average eight-character password. But sadly nothing is 100% resistant to cybersecurity attacks.
The complexity of SSH keys has led many to believe that these credentials don’t require proper, consistent management. But just like any potential vulnerability, SSH keys need to be monitored — arguably even more so than other credentials, since SSH keys often protect valuable information. The sensitive nature of SSH keys also makes mismanaged or misplaced keys a very serious cybersecurity threat.
It is also notoriously difficult to spot compromised SSH keys within an organization. When SSH keys are compromised by malicious attackers due to human error and mismanagement, the hacker appears legitimate because the key itself is legitimate — it’s just the end-user who is malicious. In fact, 80% of SSH keys go undetected by traditional solutions, making it even more difficult to detect malicious SSH key activity.
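Monitoring SSH keys starts with knowing which keys exist, how strong they are and who owns them, which an inventory of `authorized_keys` files provides. The Python below is an added example, not part of the original article or SSH.COM's products: it parses `authorized_keys` lines, decodes the key blob to recover the RSA modulus size, computes the OpenSSH-style SHA256 fingerprint, and flags RSA keys under 2048 bits, keys with no identifying comment, and the same key listed more than once. The 2048-bit threshold is an assumed policy value, the sample keys are constructed blobs with a fake modulus (not real key pairs), and the parser assumes an options field, when present, contains no spaces.

```python
import base64
import hashlib
import struct
from collections import Counter

WEAK_RSA_BITS = 2048   # assumed policy: flag RSA moduli below this size


def _read_string(blob: bytes, offset: int):
    """Read one length-prefixed SSH wire string; returns (bytes, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def inspect_key(line: str):
    """Parse one authorized_keys line; returns None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    options = ""
    if not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):   # leading options field
        options, fields = fields[0], fields[1:]
    key_type, b64 = fields[0], fields[1]
    comment = " ".join(fields[2:])
    blob = base64.b64decode(b64)
    algo, off = _read_string(blob, 0)
    if algo.decode() != key_type:
        raise ValueError("key type field does not match the key blob")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)       # public exponent (unused here)
        n, _ = _read_string(blob, off)          # modulus as an mpint
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-ed25519":
        bits = 256                              # fixed-size curve
    else:
        bits = None                             # other types not decoded in this example
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "bits": bits, "fingerprint": fingerprint,
            "comment": comment, "options": options}


def audit_authorized_keys(text: str, host: str = "host") -> list:
    """Return a list of human-readable findings for one authorized_keys file."""
    findings = []
    entries = [e for e in (inspect_key(row) for row in text.splitlines()) if e]
    for e in entries:
        label = f"{host}: {e['fingerprint']} ({e['comment'] or 'no comment'})"
        if e["type"] == "ssh-rsa" and e["bits"] < WEAK_RSA_BITS:
            findings.append(f"{label}: {e['bits']}-bit RSA key below {WEAK_RSA_BITS} bits")
        if not e["comment"]:
            findings.append(f"{label}: no comment, owner cannot be identified")
    for fp, count in Counter(e["fingerprint"] for e in entries).items():
        if count > 1:
            findings.append(f"{host}: {fp} appears {count} times")
    return findings


# ---- constructed sample data (fake keys, not real key pairs) ----
def _mpint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" + b if b[0] & 0x80 else b


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def fake_rsa_key(bits: int) -> str:
    """Constructed ssh-rsa public key line with a modulus of the given bit length."""
    n = (1 << (bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_mpint(65537)) + _ssh_string(_mpint(n))
    return "ssh-rsa " + base64.b64encode(blob).decode()


def fake_ed25519_key() -> str:
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file, not real keys",
    fake_rsa_key(1024) + " legacy-backup@oldbox",
    fake_rsa_key(4096) + " alice@laptop",
    fake_rsa_key(4096) + " alice@laptop",     # same key pasted twice
    fake_ed25519_key(),                       # no comment, no owner
])

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, host="web01"):
        print(finding)
```

Run across a fleet, the fingerprints double as the join key for the question the passage raises: a key that is legitimate on one host is still worth a look when it turns up on a host its owner has no business on.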
Error Six: Onboarding and Offboarding Issues
One of the most error-ridden elements of credential management is the onboarding and offboarding of authorized users.
The primary issue associated with onboarding is credential sharing. In large organizations with complicated PAM processes, getting the right credentials to the relevant people can take days or even weeks. This forces employees to share their credentials with colleagues. According to ID Agent, 42% of people share their work login credentials with coworkers for collaborative purposes.
In addition to increasing the enterprise’s vulnerability to cyberattacks, shared credentials during the onboarding and offboarding process may yield inaccurate or inappropriate access rights. This could lead to unintentional human errors, such as a new user being granted editing access to data instead of viewing only, causing them to delete important information with the slip of a finger. It may also result in malicious attacks, such as a fired employee maintaining access to critical data after they have left the organization and selling it to a hacker for a large sum. This is the primary concern associated with employee offboarding.
Forgetting to remove collaborators during the offboarding process can yield many cybersecurity issues, but this critical step is often neglected. Offboarding users usually takes a backseat to onboarding new users, which is already a slow and cumbersome process. Organizations must be diligent in both their onboarding and offboarding practices and should take the time and effort necessary to ensure that privileges are granted and revoked as appropriate.
Error Seven: Not Complying with the Principle of Least Privilege
The principle of least privilege enforces the restriction of access rights to the minimal levels of privilege necessary for each end-user to work productively. The least privilege principle is well-known by many involved in cybersecurity, and yet it is rarely followed.
Enforcing the principle of least privilege helps organizations minimize the negative impact of stolen and misused credentials. Since all credentials can be copied or shared, too many people having access to certain credentials multiplies the likelihood that these credentials will be found, copied, and shared with malicious intent.
Controlling the impact radius matters: if the number of admin-level credentials is limited to a bare minimum, the likelihood of bad actors getting hold of them decreases dramatically. But with all the issues associated with onboarding and offboarding users, many organizations find it difficult to follow this principle effectively.
Companies that don’t follow the least privilege principle often suffer from other complications besides increased cybersecurity threats — this might include a lack of credential management visibility and accountability. When no one is formally responsible for ensuring that the least privilege principle is being upheld, stakeholders don’t know how much or little privileges they need to work productively. As a result, credentials aren’t properly safeguarded and cybersecurity threats expand rapidly.
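The offboarding misses in Error Six and the least-privilege gaps in Error Seven are both caught by the same periodic access review: join the account export against the HR roster and against the privileges each role actually needs. The Python below is an added example, not code from the original article or from SSH.COM; the roster, role map, accounts, 90-day staleness window and cap of two admin accounts are all constructed values standing in for what a real directory or PAM export would provide.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    name: str          # login name
    owner: str         # employee id, or "" for a shared/service account
    privileges: set    # e.g. {"read", "write", "admin"}
    last_login: date


# Constructed data: HR's view (employee id -> role) and the privileges each role needs.
ACTIVE_EMPLOYEES = {"e101": "reader", "e102": "editor", "e103": "sysadmin", "e104": "editor"}
ROLE_PRIVILEGES = {
    "reader": {"read"},
    "editor": {"read", "write"},
    "sysadmin": {"read", "write", "admin"},
}
MAX_ADMIN_ACCOUNTS = 2     # assumed cap on admin-level credentials
STALE_AFTER_DAYS = 90      # assumed inactivity window

# Constructed account export, as a PAM or directory tool might produce it.
ACCOUNTS = [
    Account("alice", "e101", {"read"}, date(2021, 9, 1)),
    Account("bob", "e102", {"read", "write", "admin"}, date(2021, 9, 2)),    # editor holding admin
    Account("carol", "e103", {"read", "write", "admin"}, date(2021, 9, 3)),
    Account("dave", "e105", {"read", "write"}, date(2021, 5, 1)),            # e105 has left
    Account("deploy-svc", "", {"read", "write", "admin"}, date(2021, 9, 3)), # shared account
]


def review_access(accounts, employees, role_privs, today):
    """Return findings an access reviewer should act on (empty list = clean)."""
    findings = []
    admin_count = 0
    for acct in accounts:
        if not acct.owner:
            findings.append(f"{acct.name}: no individual owner (shared or service account)")
        elif acct.owner not in employees:
            findings.append(f"{acct.name}: owner {acct.owner} is not an active employee, revoke")
        else:
            role = employees[acct.owner]
            excess = acct.privileges - role_privs[role]
            if excess:
                findings.append(f"{acct.name}: privileges {sorted(excess)} exceed role {role}")
        if "admin" in acct.privileges:
            admin_count += 1
        if (today - acct.last_login).days > STALE_AFTER_DAYS:
            findings.append(f"{acct.name}: unused for more than {STALE_AFTER_DAYS} days, disable")
    if admin_count > MAX_ADMIN_ACCOUNTS:
        findings.append(f"{admin_count} accounts hold admin, cap is {MAX_ADMIN_ACCOUNTS}")
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCOUNTS, ACTIVE_EMPLOYEES, ROLE_PRIVILEGES, date(2021, 10, 1)):
        print(finding)
```

The orphaned account (`dave`) surfaces twice, once because its owner is gone and once because it has sat idle; either signal alone would have caught the offboarding miss, which is the point of running the review on a schedule rather than trusting the offboarding checklist.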
Error Eight: Poor Password Storage
According to a HYPR study, 35% of people store all their passwords using manual methods: written down in notebooks or on sticky notes, or filed away in Excel spreadsheets. These manual password storage approaches may work for some, but they’re extremely outdated and vulnerable to exploitation.
When employees don’t store their passwords well, they can easily become lost or compromised. Poor password storage also makes it easy for end-users to repeat passwords, or use very similar credentials for multiple business accounts. Manual password storage also makes it more difficult for users to update passwords regularly, remember their changes, and delete irrelevant credentials. All these habits turn credentials into attack vectors that a malicious attacker could easily take advantage of.
Error Nine: Not Rotating Passwords
Rotating passwords regularly plays an important role in preventing cyberattacks. The younger your password is, the less opportunity a cybercriminal has to exploit it before it has been updated. Similarly, the older a credential is, the higher the likelihood of it eventually being compromised.
But without the right solution, password rotation can also be error-prone. When you implement a credential management system that requires password rotation, it requires additional changes to your environment. If your tool uses both password rotation and vaulting (password and key storage) you will need to modify configurations on both the client and server side. These complicated processes can lead to human errors that jeopardize the security of valuable credentials.
There are also major costs associated with changing and rotating passwords. Large organizations could spend $1 million USD annually on password change support according to Forrester, with most expenses related to infrastructure and staffing. Password rotation and password reset tickets are also costly — as we touched on earlier, Gartner found that 50% of all help desk calls are related to forgotten or lost passwords, with each one costing roughly $20 on average.
Despite password rotation being of critical importance to enterprise security, many PAM systems that require organizations to rotate, change, and vault their passwords are difficult to use and may result in end-users neglecting their responsibility to rotate credentials regularly. Enterprises hoping to leave the burden of credential rotation behind them are turning to passwordless solutions to future-proof their cybersecurity.
Reduce Credential Management Error with SSH
These nine common credential management errors are all associated with the handling and maintenance of passwords and other permanent credentials. In fact, poor passwords and key security make up 81% of data breaches — meaning removing passwords alone can dramatically reduce a company’s vulnerability to cybersecurity threats.
With SSH Zero Trust Access Management, you can migrate to a passwordless and keyless environment at your own pace. With non-intrusive deployment, SSH enables you to begin going credential-less while continuing to manage existing passwords and keys in the meantime. This contributes to more secure, organized, and manageable credential management processes.
In our Zero Trust Suite, SSH keys boast unique just-in-time (JIT) tickets that are ephemeral, disappearing immediately after they have been used. This allows you to limit the amount of permanent passwords in your enterprise system, while entirely eliminating the need to store, vault, and rotate credentials. As a result, you can drastically reduce cybersecurity and compliance concerns while improving your credential management operations.
Many household names — including Gartner, Microsoft, Uber, Facebook, and Netflix — are now recognizing passwordless as the future of cybersecurity. It’s time to get on board. With a passwordless approach, you can safeguard your enterprise data using a more secure and less error-prone approach to credential management.
Currently employed by SSH.COM as Product Marketing Manager, Jani is a mixed-marketing artist with a strong background in operator and cybersecurity businesses. His career path of translator -> tech writer -> marketer allows him to draw inspiration from different sources and gives him a unique perspective on all types...