25 - 27 October 2022 // Nuremberg, Germany

it-sa Newsroom

When passwords get into the wrong hands


Without a security strategy, there is a lack of concepts for securing business-critical data. Poor access control can then quickly lead to security issues.

The misuse of passwords continues to be one of the main causes of data theft and computer break-ins. This not only results in material and reputational damage but also the risk of legal consequences. Those in charge of IT security therefore need to develop a company-wide concept to protect sensitive information. This should be based on an access and authorisation concept including the protection of access data by means of identity and access management (IAM).

Employees as risk factor

Existing access concepts are often out of date, for example because they are based on passwords alone. This may still suffice provided there is a sensible authorisation concept in place that determines which files and information need particular protection and who may access them at all. For particularly sensitive information, the number of people authorised to access it is limited accordingly and instructions for secure passwords are issued. If an employee without special access rights has chosen a password that is too simple, or the password gets into the wrong hands, the damage is initially limited by the authorisation concept because there is no access to sensitive information. Accounts with access to sensitive information, however, always need very strict security concepts.

However, without a carefully designed authorisation concept, employees who do not even need it may be able to access sensitive data. This constitutes a considerable risk, because many employees lack the necessary security awareness, have not been adequately trained or are simply not aware of the damage that can be caused with their access rights. This scenario harbours unforeseen risks, which is why security strategies with access control concepts are absolutely imperative. The authentication methods used should, however, be a good fit for the information and data to be protected. In many areas a password alone is not enough and a stronger authentication process is necessary. One such process is two-factor authentication, where, for example, a PIN has to be entered in addition to the password.

Privileged accounts as an alternative

One option is risk-based authentication, which takes the browser type and the login location into account. Such solutions can therefore also detect that two logins are taking place at the same time from different locations. Security products for risk-based authentication are also often cheaper than two-factor systems, for example. Experts attest a very high level of security to certificate-based authentication, for example using smart cards of the kind often used for company ID passes.
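To make the risk signals just described concrete, the following is an added example (not code from it-sa or any vendor) of a minimal risk evaluation over a login history: it flags a login from a different location while an earlier session of the same account is still recent, and a browser type the account has not used before. The event fields, the 30-minute window and the sample logins are constructed assumptions; a real deployment would feed such findings into a step-up authentication decision.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    location: str  # assumed: city derived from the client IP by geolocation
    browser: str   # assumed: browser family parsed from the User-Agent header


def risky_logins(logins, window=timedelta(minutes=30)):
    """Return {user: [(kind, detail), ...]} for logins that warrant step-up
    authentication: an unfamiliar browser type, or a login from a different
    location while an earlier session is still within `window`."""
    by_user = defaultdict(list)
    for login in sorted(logins, key=lambda l: l.when):
        by_user[login.user].append(login)
    findings = defaultdict(list)
    for user, events in by_user.items():
        known_browsers = set()
        for i, cur in enumerate(events):
            if known_browsers and cur.browser not in known_browsers:
                findings[user].append(("new_browser", f"{cur.when:%H:%M} {cur.browser}"))
            known_browsers.add(cur.browser)
            for prev in events[:i]:
                if cur.when - prev.when <= window and prev.location != cur.location:
                    findings[user].append(("concurrent_location",
                        f"{cur.when:%H:%M} {cur.location} vs {prev.when:%H:%M} {prev.location}"))
                    break
    return dict(findings)


def _t(hour, minute):
    return datetime(2022, 10, 25, hour, minute)


# Constructed sample: alice's third login comes from another city 15 minutes
# after a Nuremberg session and with a browser she has not used before.
SAMPLE_LOGINS = [
    Login("alice", _t(9, 0), "Nuremberg", "Firefox"),
    Login("alice", _t(9, 10), "Nuremberg", "Firefox"),
    Login("alice", _t(9, 15), "Singapore", "Chrome"),
    Login("bob", _t(8, 0), "Munich", "Chrome"),
    Login("bob", _t(14, 0), "Berlin", "Chrome"),  # hours apart: ordinary travel
]

if __name__ == "__main__":
    for user, reasons in risky_logins(SAMPLE_LOGINS).items():
        print(user, reasons)
```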

Functional accounts, which are usually used for administration purposes and carry additional privileges, are a special kind of account. They are often less well secured than user accounts, even though they can cause considerably more damage because far more rights are associated with them. Such accounts also need to be covered by an access rights concept. Numerous vendors offer solutions under the acronyms PIM, PAM or PUM, meaning Privileged Identity, Privileged Access or Privileged User Management. An IAM is particularly important if a company works in the cloud, and any privileged accounts used in this context need special protection.
