Is Password Management Software Really That Secure?

At this point there doesn’t seem to be any question that virtually any network, server, or website can be hacked. After all, if hackers can breach corporate entities, health insurance providers, and even the government, what’s to stop them from hacking your business?

In some ways, small and mid-size businesses are lucky – they don’t have the same target on their backs that larger competitors do. Unfortunately, many smaller businesses are also forced to compromise when it comes to security due to a limited budget. Even though you may not face the same threats as better-known entities, you might be at greater risk.

In order to protect yourself, you need to make sure the components of your security system are up to the task. While password management software is certainly handy in this day and age, what with the onus to create unique passwords for every online account, you need to know if it’s safe to use. How secure is it?

Password management software has become a popular option for anyone looking to cut back on the amount of time spent trying to remember usernames and passwords for their many online accounts. With this type of program, all you have to do is log in to one master account, remember just one set of login information, and you can access every online account, despite the fact that they all have unique username and password combinations.

This is handy for business owners and clients alike, but it may not be entirely safe. If someone is able to hack the master password, they could immediately gain access to absolutely every account, putting your identity and the identities of others at risk. It seems like a pretty big risk, but if you rely on such a program to manage your passwords, don’t despair. The companies behind these programs have taken steps to ensure the safety of their users.

Just look at the hack of popular password management company LastPass a few months ago. Users were terrified to discover that the site had been hacked, compromising email addresses, passwords, password hints, and other information related to the security of user accounts. LastPass, however, seemed unconcerned with the breach.

Although hackers accessed security data, the company claimed that user identities were not actually compromised, per se. This, they claimed, was because they had taken aggressive steps to protect their data, so that even if it was stolen, it could never be accessed. LastPass stated that their encryption was so robust that even if hackers stole their user data, there was no chance they would be able to crack it. The only chance that information could be accessed would be due to the user error of creating too simple a password.

In light of the breach, the company asked users to change their password information. The situation raised an interesting point, though. Are services for password management secure enough that you would trust your personal data (or client information) to them? If LastPass and others are to be believed, their software is more secure than what the average person could come up with alone. Their stance seems to be that breaches are bound to occur – and they’re ready.

Many such companies do not store user information on their own servers, so even if breaches occur, there is little chance data will be stolen. In addition, the level of encryption used to secure sensitive data is so high that even the best hackers will be stymied should they manage to steal anything. All users have to do is create a master password complex enough that hackers won’t figure it out – so don’t use your birth date or the name of your first pet.
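To put numbers on the master password advice above, here is an added example (not from the original article or from any vendor) that compares a birth-date master password with a six-word random passphrase. The use of PBKDF2-HMAC-SHA256, the iteration count, the date formats and the 7776-word list size are all assumptions made for illustration.

```python
import hashlib
import math
import os
import time
from datetime import date, timedelta

# Assumed for illustration: the page names no KDF, iteration count or vendor scheme.
ITERATIONS = 100_000
DATE_FORMATS = ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y")
WORDLIST_SIZE = 7776  # size of a typical diceware-style word list (assumed)


def derive_key(master, salt, iterations=ITERATIONS):
    """Stretch a master password into a 256-bit key; each guess costs this much work."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)


def birthdate_space(start_year=1925, end_year=2024):
    """Every calendar date in the range, written in common all-digit formats."""
    candidates = set()
    day = date(start_year, 1, 1)
    while day.year <= end_year:
        candidates.update(day.strftime(fmt) for fmt in DATE_FORMATS)
        day += timedelta(days=1)
    return candidates


def entropy_bits(space_size):
    """Bits of entropy if the password is picked uniformly from the space."""
    return math.log2(space_size)


def seconds_per_guess(iterations=ITERATIONS):
    """Time one key derivation on this machine (the cost of one offline guess)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key("constructed-sample-password", salt, iterations)
    return time.perf_counter() - start


def compare():
    """Worst-case time to try every candidate, single-threaded on this machine."""
    cost = seconds_per_guess()
    spaces = {"birth date": len(birthdate_space()),
              "six random words": WORDLIST_SIZE ** 6}
    return {name: {"bits": round(entropy_bits(n), 1), "seconds": n * cost}
            for name, n in spaces.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name}: {row['bits']} bits, {row['seconds']:.3g} s to exhaust")
```

Key stretching slows every guess by the same factor, so it cannot rescue a password drawn from a space of under 18 bits; only a larger space does that.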

In truth, using a password manager is likely much safer than going the other route and trying to remember a laundry list of unique username and password combinations for every online account. For one thing, you can’t store them all in your head. This means you’re likely to write them down, store them in your phone, or otherwise allow for easy access.

With password management software you need only create and memorize one strong password in order to protect all of your online accounts. If it is discovered, you will definitely be in trouble, but if you use it appropriately, the odds of failure are much smaller than the alternative. This means greater protection for your own online accounts, and potentially the accounts of other users, as well.

What Can You Learn From the Latest Starwood Hotels Data Breach?

Data breaches are a dime a dozen these days. You can’t open a paper or check a newsfeed without coming across some kind of scandal involving a hack in which sensitive user data was stolen. In the last year alone, mega corporations, banks, health insurance providers, and government entities have all been breached by hackers, malware, or other online threats. The climate has become one of “when, not if” a hack will occur, and no one is entirely safe.

The most recent data breach to make headlines involved upscale hotel chain Starwood Hotels, a company that includes Sheraton, Westin, W Hotels, and other luxury brands. Starwood isn’t even the only hotel chain to be hacked this year – both the Mandarin Oriental and The Trump Hotel Collection suffered similar breaches.

So how was Starwood Hotels hacked? The chain admitted that malware had infiltrated point-of-sale (POS) systems, including payment systems in their gift shops, bars, and other retail areas, and that 54 of their hotels had been subject to attack. Luckily, the malware was not found in the guest registration system, so sensitive personal data related to reservations and Preferred Guest Memberships was not compromised, but the breach may still affect some portion of customers who used debit and credit cards at these locations during a certain date range.

Starwood Hotels announced that the malware discovered could have infected some systems as early as November of 2014. During that time, names, credit card numbers, security codes, and expiration dates (the data on a debit or credit card) were exposed, although PINs and contact information were not. In light of the incident, Starwood has taken steps to rectify the situation and make reparations.

Starwood claims that when the breach was discovered, the malware was immediately removed and efforts were made to mitigate damage, including contacting authorities and coordinating with credit and debit organizations. Further, identity protection was offered to affected parties, along with credit monitoring services. Of course, Starwood Hotels has also vowed to increase security.

The problem is that many companies are doing exactly the same dance as Starwood Hotels. They’re waiting until a major data breach occurs to beef up their security and monitoring. Starwood is big enough that this black eye won’t cost them too much – their deal to merge with Marriott International Inc. (for a reported $12.2 billion) looks as though it will proceed. But could a smaller company recover from such a breach? Maybe not.

Companies large and small remain under-protected when it comes to digital security, a point that the Starwood Hotels breach (and other recent incidents) aptly demonstrates. Consumers and credit providers are taking steps to protect their interests, most recently through the use of EMV (Europay, MasterCard, and Visa) chips that store and protect user information, as well as create unique transaction codes for every payment.

However, businesses can certainly do more to protect user data, not to mention their own reputations. Starwood may be big enough to weather the storm caused by a data breach, but smaller competitors might not be so lucky. Data breaches can cost companies untold revenue, not only from known costs like security upgrades and reparations, but also from unknown losses related to unsatisfied customers and poor public opinion.

Looking on the bright side, data breaches can force businesses to make necessary changes and upgrades to outdated or subpar security systems. However, companies suffering from such attacks will have to first survive the fallout associated with legally mandated notifications and restitution, not to mention potential lawsuits.

The good news is that businesses can take a lesson from the Starwoods of the world. Starwood Hotels, in particular, could have benefited from some kind of security monitoring. If their admissions are to be believed, their system was infested with malware for approximately a year before they even noticed. Proper monitoring software would likely have caught the breach immediately.

Naturally, there are other steps businesses can take to protect themselves as well, including firewalls, encryption, strong password policies and programs, and the assistance of a managed services provider, to name a few. Hackers can get through a lot, but they’re likely to go for easy targets. Businesses that take preemptive steps on the security front can not only decrease the likelihood of attack, but also reduce the damage done should a data breach occur.