Brown’s Bytes – Please Move on From Static Usernames & Passwords!
29th September 2017

There’s been quite a bit of press recently about some high-profile attacks on Office 365.

As with most attacks, it’s the low-hanging fruit that the bad guys go after first. In the case of Office 365, this low-hanging fruit is companies allowing login with nothing more than a static username and password.

In my opinion, there seems to be a disconnect between traditional security thinking and what is being applied to the Cloud…

Back in the “good old days” the key to security was to build an impenetrable castle and store company data within. A LOT of money was spent on building high walls (firewalls) and moats (DMZs) to ensure the bad guys couldn’t get in.

For genuine users to get into the castle, there had to be a strong lock on the door. For 20+ years this has been delivered by the use of two-factor tokens on the VPN. Everyone who works for a security-conscious company will know what an RSA token (other better and cheaper tokens are available from us!) looks like and know how to use it.

Tokens can create a lousy user experience, but they work exceptionally well from a security perspective.

Fast forward to where we are now…

In effect, all the data is leaving the secure castle and being moved to the Cloud. Office 365 is a common example of this. Email is one of the most sensitive systems a company runs, and yet it’s one of the first to make the journey!

And then, for some strange reason (usually user experience), all of the wisdom that applied to the traditional security model is lost! Companies deploy these systems with a static username and password as the only authentication method.

If you went to security asking to remove 2FA from your VPN and replace it with a username and password, you’d get laughed out of the room. Yet for the Cloud this apparently isn’t an issue, even though it’s the same data behind the login.

Odd isn’t it?

With Office 365 you’ve still got a fantastic castle: Microsoft take care of all the design and maintenance of the castle for you. Yet people then install a crappy lock on the front door.

So, as a minimum, consider putting a better lock on the door!

This is where we can help.

We can go way beyond traditional 2FA with our products and Managed Services to help customers properly protect their data again, without impacting the login experience in the way that traditional tokens did.

Please get in touch to know more.

If you’ve read this and are still using a static username and password for access, then you must do something about it…