ShareFile Responds to Password-Guessing Attacks by Forcing Users to Reset Passwords

Users' credentials remain one of the most desirable assets, so it is no surprise that password hacks are still common these days. In fact, these attacks are becoming more and more sophisticated. No doubt cybercriminals' methods and techniques are improving, but such attacks would not occur if users took better care of their credentials.

As statistics show, 6% of respondents admitted that all their accounts share the same password, whereas 45% of Internet users claimed that only some of their online accounts can be unlocked with the same password. Additionally, users tend to set weak passwords so that they are easier to remember when needed. These passwords are a holy grail for cybercriminals. As the Verizon 2016 Data Breach Investigations Report revealed, 63% of all successful data breaches involved leveraging passwords that were weak (e.g., qwerty), default (e.g., password), or stolen. There is probably no need to say that it usually takes minutes to hack weak and reused passwords. What's worse, all other accounts sharing the same password can be hacked in no time as well. Luckily, there is one simple security measure you can take today to protect your identity tomorrow: perform a password reset.

Service providers take action to prevent cyber attacks targeted at users

Service providers understand the importance of secure passwords and know well that they simply cannot ensure users' safety if users continue to choose weak passwords or reuse them across multiple accounts. Citrix Systems, the company behind the popular ShareFile content collaboration service, is one of the first service providers that took matters into their own hands. Following the increase in "Internet-account credential (usernames and passwords) theft," it sent out a message to almost all ShareFile users with a request to reset their passwords. Some ShareFile users consider this message clear proof that Citrix and/or ShareFile experienced a data breach, but the company insists that this is not why it asked users to reset their passwords. Its main goal is to mitigate brute-force (password-guessing) attacks that are primarily targeted at people who use weak passwords and, on top of that, tend to reuse them across multiple online accounts. Citrix Systems confirmed that from now on they will ask users to reset passwords on a regular basis.

Resetting a password periodically might seem to be a great hassle, but if you choose a new password carefully, i.e. do not set a weak password again, you will considerably improve your virtual security. If you are still eager to avoid the password reset procedure, there is a solution for you: enable one of the multi-factor authentication forms ShareFile offers to supplement the security of your password. For example, if you turn on two-step verification (aka two-factor authentication) on ShareFile, you will be asked to enter a verification code as a second layer of security. The code will be sent to your phone via SMS or voice call. Alternatively, you could generate a one-time password using the Google or Microsoft authenticator apps. By setting up a second factor, you will considerably improve your ShareFile account's security. What is more, you will not be asked to reset your password periodically. Generally speaking, users who use the most robust form of multi-factor authentication will not be forced to reset their passwords, the company promises.

Is it a good idea to reset passwords periodically?

While the security measure Citrix Systems has decided to take seems to be a simple yet effective solution, some specialists claim that it may result in more serious problems, since requiring a periodic password reset is not what the authentication best practices issued by the National Institute of Standards and Technology (NIST) recommend. It is stated there that verifiers should require a password reset only "if there is evidence of compromise of the authenticator." In other words, these best practices do not support a periodic password change.

NIST is strictly against forced password resets because it has been observed that users tend to set weak passwords they can memorize more easily when they know that they will have to change a password in the near future. When the time to change a password comes, they often apply only minor changes to their old passwords, for example, add a number (e.g., password becomes password12). Unfortunately, if an older password has been compromised, it may be a piece of cake for cybercriminals to work out the new one and then hack the account. Hackers know all the common password-changing techniques as well, we can assure you of that, so if you are ever asked to reset a password, make sure your new password is complex and thus perfectly secure. It must not be reused for your other online accounts either!
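The weakness described above, a new password that is just the old one with a number appended, can be caught at reset time. This is an added example, not code from the article or from ShareFile; it assumes the reset form receives both the current and the new password in plaintext, and the helper names, substitution table and thresholds are illustrative.

```python
import re

# Assumed substitution table (illustrative, not exhaustive): undo common
# look-alike swaps so that "P@ssw0rd" and "password" compare equal.
LEET = str.maketrans("013457@$", "oleastas")

def stem(password):
    """Reduce a password to the part users tend to carry across resets."""
    p = password.lower()
    # Strip leading/trailing digits and punctuation (counters, years, "!").
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", p)
    return (core or p).translate(LEET)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_change(old, new, max_edits=2):
    """True if `new` is `old` with only cosmetic changes (assumed policy)."""
    old_s, new_s = stem(old), stem(new)
    if old_s == new_s:
        return True
    # The old stem embedded in a longer password is still guessable.
    if len(old_s) >= 4 and old_s in new_s:
        return True
    return edit_distance(old_s, new_s) <= max_edits

# Constructed (old, new) pairs, not real credentials.
SAMPLES = [
    ("password", "password12"),
    ("Summer2018!", "Summer2019!"),
    ("password", "P@ssw0rd"),
    ("password", "correct horse battery staple"),
]

if __name__ == "__main__":
    for old, new in SAMPLES:
        verdict = "reject" if is_trivial_change(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```
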

Generate a new password like a pro

If you have been asked to reset your ShareFile password, there is no way back: you will have to do it. You might be tempted to set a password you could memorize without difficulty, but if that password looks something like password1, you should ditch that thought immediately and opt for a really secure password. It is not a piece of cake to generate a strong password for an online account. Yes, you may try to come up with the best password and login combination yourself, but this will no doubt take time, and you will still not know whether the password you came up with is secure. Luckily, trustworthy password managers that can help you pick the best password for your account exist. Cyclonis Password Manager is one of them, and you can install it to generate a strong password automatically. You will be able to choose the new password's type and length, and you will even be informed about its complexity. Additionally, this password manager will keep your password in a secure vault away from prying eyes, so you will not forget it no matter how complex it is. There is only one password you will have to remember: the so-called master password that provides access to the password manager.

A password you set for your online account can only ensure your virtual security if it is complex enough, so when you decide that the time to reset a password has come, or you are asked to do so by a service provider, make sure your new password is secure. While there are, technically, no impenetrable passwords, you will considerably reduce the risk of a successful cyber attack by choosing the right password. Do not let hackers steal private information from you!

December 27, 2018
