2020 broke cybersecurity records, here’s what’s to come in the new year

With chaos and uncertainty reigning, 2020 created near-perfect conditions for cybercriminals. The COVID-19 pandemic transformed the way we live and triggered a mass migration to digital channels as companies virtually replaced in-person interactions for employees and consumers alike. Nearly ten months in, the pandemic rages on, and cybersecurity threats are accelerating. While vaccine distribution is on the horizon, the pandemic’s economic and social fallout will take time to mend. Bad actors see opportunity during turbulent … More

The post 2020 broke cybersecurity records, here’s what’s to come in the new year appeared first on Help Net Security.

Okta extends Okta Devices Platform Service capabilities to developers through Okta Devices SDK

Okta further extended its Okta Devices Platform Service capabilities to developers through the Okta Devices SDK.

Using the Okta Devices SDK, developers can enable passwordless authentication through branded push notifications with biometric capabilities, minimizing friction for end-users and increasing security posture.

Now, developers can leverage the power of Okta Verify to build customized, secure, and seamless login experiences for their customers.

The world has become mobile-first: there will be an estimated 7 billion mobile users by 2021. To keep up, every organization is focused on building bespoke and tailored customer experiences.

With a limited supply of developer resources, businesses are challenged to constantly ship new features while still accounting for security and remaining agile. Development teams need an identity layer that serves as the connective tissue between applications and devices to speed time to market, deliver products that are secure, and drive engagement.

“We live in a multi-device world where we work, shop, and consume content across phones, laptops, and tablets,” said Diya Jolly, Chief Product Officer, Okta. “This dynamic landscape has placed an extra emphasis on today’s modern businesses to be relevant across every device. The Devices SDK takes the customizability and security of the Okta Identity Cloud and puts it in the hands of developers everywhere.”

The Okta Devices SDK: Reimagining user experience and security

Powered by the Okta Devices Platform Service, a unique set of powerful capabilities come together in a single integration with the Okta Devices SDK to deepen and extend device and user identity in customer experiences that adds UX value rather than detracting from it.

Now, developers building mobile applications can send branded push notifications and use biometrics including FaceID to authenticate end-user login versus using solely a password or pin. This offers layers of protection and security while eliminating friction and increasing customer engagement.

The Okta Devices SDK also puts more power in the hands of end-users by registering customer devices within Okta Universal Directory, enabling self-service if a device is lost or stolen.

Using the Devices SDK and API, developers can create the following experiences, all through a single integration:

  • Embed Okta Verify with push and biometrics capabilities into mobile applications.
  • Develop branded, omnichannel multi-factor authentication experiences with custom push messaging and custom action buttons.
  • Deploy additional layers of protection to address high-risk access attempts.
  • Enable end-users to view and manage their Okta registered devices.
  • Simplify device management and increase overall security posture.

“The financial health and safety of our members is at the center of everything we do as one of Canada’s largest credit unions,” said Jakub Mamos, Vice President, IS Risk Management, Servus Credit Union.

“Core to achieving that is binding user identity and device identity to make our digital banking products and services more seamless and deeply secure. Using Okta’s Devices SDK, we will be able to build customized, branded experiences for our members that increase security and eliminate friction whether that be setting up a bank account to procuring a credit card.”

The Okta Devices Platform Service will continue to enrich the power of the Okta Devices SDK in the future through unlimited integrations including completely passwordless authentication experiences to secure transactions on every major operating system.

Okta appoints Alvina Antar as Senior Vice President, Chief Information Officer

Okta announced the appointment of Alvina Antar as Senior Vice President, Chief Information Officer. As an IT leader, Antar brings more than 20 years experience at high-performing IT organizations at both Fortune 50 companies and high-growth startups.

At Okta, Antar will report directly to Hector Aguilar, Okta’s President of Technology, and will be responsible for enabling seamless experiences for Okta customers and employees.

Antar is known as the “Subscription Economy CIO” from her years of experience enabling digital enterprises to thrive with recurring revenue business models.

As Zuora’s first CIO, Antar built the company’s IT department into a leading modern-day Business Technology organization, led through a successful IPO in 2018, and saw the company’s revenue grow from $30 million to $300 million.

Prior to Zuora, Antar spent 17 years at Dell focused on digital transformation, global delivery, and mergers and acquisitions. At Okta, Antar will be focused on enabling business outcomes directly aligned to Okta’s strategic priorities through a deep understanding of end-to-end business processes.

As the internal technology arm for the business, Antar will deliver innovative solutions and showcase ‘Okta on Okta’ and the power of identity as our best reference customer.

“Customer success is core to everything we do at Okta, and is more important than ever as we work to support our customers amidst the current health crisis. Customer success and employee enablement and productivity go hand-in-hand, which is why we’re committed to empowering the Okta team to thrive in a Dynamic Work environment,” said Hector Aguilar, President of Technology, Okta.

“I believe Alvina’s passion, customer-centricity, and proven track record for success with high-performing IT organizations uniquely positions her to succeed in this role, and I’m excited for her to bring her expertise enabling digital enterprises to Okta.”

“From my experience at leading technology organizations, I deeply understand the agility required to scale and the importance of enabling business transformation through disruptive technologies. The rise of cloud and mobile has driven the fundamental need for a universal identity platform as the new security perimeter across users, devices and networks.

“It is a critical time for Okta as organizations around the world rely on Okta Workforce Identity to modernize IT and ensure an optimal employee experience in this new dynamic workplace.

“Equally significant is creating a seamless, secure customer experience using Okta Customer Identity through user registration and authentication across websites and mobile apps. This 360 degree view of a customer provides insights integral in driving business transformation in the digital world,” said Alvina Antar, Senior Vice President, Chief Information Officer, Okta.

“As a long-time customer and partner, I’m thrilled to be joining Okta’s thriving culture and talented team to evolve Okta’s operating model into our next phase of growth.”

Antar joins Okta amidst continued momentum including recent product innovation and announcements. Okta announced a major milestone in cloud reliability and uptime, offering 99.99% uptime to all customers in every region of the world at no additional cost.

Okta also announced it joined together with CrowdStrike, Netskope, and Proofpoint, in a coordinated effort to help organizations implement an integrated, Zero Trust security strategy required to protect today’s dynamic and remote working environments.

Earlier this year at Oktane20 Live, Okta’s annual conference, Okta announced Okta Platform Services, Okta Workflows, and Okta Devices, as well as a $10 million philanthropic commitment from Okta for Good and the launch of the Nonprofit Technology Initiative.

BT Security announces critical security partners for global portfolio

BT Security has announced the key partners that it will work with going forward to provide industry-leading managed security services to customers. The decision follows BT’s largest-ever appraisal of its security suppliers, and a comprehensive review of the security vendor ecosystem as a whole.

BT’s decision to refine its security partner base was driven by the recognition that many of its customers find it difficult to navigate today’s complex security landscape.

The huge range of suppliers and products in the market can be bewildering, and lead to the adoption of multiple overlapping systems. This in turn can render security estates difficult to manage, burdened with unnecessary costs and, ultimately, with lower overall levels of protection.

BT Security is reflecting its customers’ desire to reduce complexity by having a leaner set of partners and clearly laying out its view of the best providers for specific security requirements.

The confirmed partners were agreed following a detailed evaluation of their respective capabilities across all security control and threat management technologies. The final selection provides BT’s view of the security market’s leading providers, who will support a harmonized portfolio of solutions to its customers going forward.

Kevin Brown, Managing Director of BT Security, said: “Our new security partner ecosystem showcases the benefits of BT Security as a Managed Security Services Provider. We’re able to use our deep experience and insight of the security ecosystem to help our customers navigate what can be an incredibly confusing market.

“We’re also ensuring that BT Security customers will benefit from working with the best suppliers from across the security industry.”

McAfee, Palo Alto Networks and Fortinet were selected as BT Security’s ‘Critical Partners’. Each of those companies will provide a range of services and products that will be incorporated into BT Security’s global portfolio, as well as providing holistic support to its commercial and operational activities.

BT Security will also work with these partners to develop a roadmap of security solutions which continue to reflect evolving customer demands and integrate the latest developments in security automation.

Lynn Doherty, Executive Vice President of Global Sales and Marketing at McAfee, said: “We’re proud to partner with BT to fight against cybercrime and accelerate new business environments for our customers as they look for more solution integrations, deeper engagement and faster modernization efforts.

“Together through our strategic service provider partners, like BT, McAfee is able to deliver world class security services that enable organizations to evolve their defenses into areas like Secure Access Service Edge (SASE) and Extended Detection and Response (XDR).”

Alex Zinin, VP, Global Service Provider Business at Palo Alto Networks, said: “We’ve been working closely with BT Security for several years to bring innovative cybersecurity solutions to our joint customers.

“We are honored to be selected as one of their critical partners to continue this close collaboration, in recognition of the breadth of our security capabilities across multiple market segments. This comes at a time when it’s never been more essential for communications and security to be closely aligned to help all organisations with staff working remotely.

“We look forward to working together as we strive to make each day safer and more secure than the one before.”

John Maddison, Executive Vice President of Products and Chief Marketing Officer at Fortinet, said: “Digital Innovation is disrupting all industries, markets, and segments, leading to increased risk as cyber threats take advantage of this disruption.

“To protect against known advanced threats as well as unknown sophisticated attacks, Fortinet enables organizations to apply security anywhere and protect all edges – including WAN, cloud, data center, endpoint, identity, and home – while reducing the number of required products to save costs and remove complexity.

“We’re proud to partner with BT Security to help customers address the most critical security challenges and protect data across the entire digital infrastructure.”

Microsoft, IBM and Cisco were all confirmed as ‘Strategic Partners’ for BT Security. This categorization reflects not only their relationship with BT Security, but also their broader activities and remit across the whole of BT.

BT Security also confirmed a further nine ‘Ecosystem Partners’, who will be incorporated into its global portfolio of solutions for customers due to their complementary technology capabilities. These partners are Skybox, Forescout, Zscaler, Check Point, CrowdStrike, Okta, Qualys, Netscout and F5.

Through deeper strategic relationships, BT Security and its partners will work together to provide better customer experience and protection, while those selected partners will also be BT Security’s main collaborators as they look to develop future customer solutions.

BT Security will regularly review the partnerships to monitor the latest vendor developments, while continuing to assess the wider industry for new and emergent security companies and technologies.

Critical flaw opens Palo Alto Networks firewalls and VPN appliances to attack, patch ASAP!

Palo Alto Networks has patched a critical and easily exploitable vulnerability (CVE-2020-2021) affecting PAN-OS, the custom operating system running on its next generation firewalls and enterprise VPN appliances, and is urging users to update to a fixed version as soon as possible.

The US Cyber Command has echoed the call for immediate action, saying that nation-state-backed attackers are likely to try to exploit it soon.

About the vulnerability (CVE-2020-2021)

CVE-2020-2021 is an authentication bypass vulnerability that could allow unauthenticated, remote attackers to gain access to and control of the vulnerable devices, change their settings, change access control policies, turn them off, etc.

Affected PAN-OS versions include versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15, and all versions of PAN-OS 8.0 (EOL). Version 7.1 is not affected.

Also, the vulnerability is exploitable only if:

  • The device is configured to use SAML authentication with single sign-on (SSO) for access management, and
  • The “Validate Identity Provider Certificate” option is disabled (unchecked) in the SAML Identity Provider Server Profile

CVE-2020-2021

“Resources that can be protected by SAML-based single sign-on (SSO) authentication are GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, and Prisma Access,” Palo Alto Networks shared.

While the aforementioned configuration settings are not part of default configurations, it seems that finding vulnerable devices should not be much of a problem for attackers.

“It appears that notable organizations providing SSO, two-factor authentication, and identity services recommend this [vulnerable] configuration or may only work using this configuration,” noted Tenable researcher Satnam Narang.

“These providers include Okta, SecureAuth, SafeNet Trusted Access, Duo, Trusona via Azure AD, Azure AD and Centrify.

Even the PAN-OS 9.1 user guide instructs admins to disable the “Validate Identity Provider Certificate” option that when setting up Duo integration:

Palo Alto Networks says that there is currently no indication of the vulnerability being under active attack.

But given that SSL VPN flaws in various enterprise solutions have been heavily exploited in the last year or so – both by cybercriminals and nation-state attackers – it is expected that this one will be as soon as a working exploit is developed.

What to do?

As mentioned before, implementing the security updates is the best solution.

Enterprise admins are advised to upgrade to PAN-OS versions 9.1.3, 9.0.9 or 8.1.15 if possible. Palo Alto Networks has provided instructions for doing that in a way that doesn’t break the authentication capability for users.

If updating is not possible, the risk can be temporarily mitigated by using a different authentication method and disabling SAML authentication.

Admins can check for indicators of compromise in a variety of logs (authentication logs, User-ID logs, GlobalProtect Logs, etc.)

YouAttest’s cloud-based tool automates reporting and auditing services for Okta’s Identity Cloud

YouAttest, an innovator in the Identity Governance & Administration (IGA) market, announced the general availability of YouAttest’s Identity Compliance Solution (ICS), the first cloud-based tool which automates reporting and auditing services for Okta‘s Identity Cloud.

YouAttest has joined the Okta Integration Network (OIN) and its ICS products have completed certification with the Okta SSO and security methodology. This solution automates and accelerates verification of security roles and permissions, used by organizations for a wide range of regulatory and compliance requirements such as Sarbanes-Oxley, HITRUST, HIPAA, GDPR, PCI.

YouAttest’s Identity Compliance Solution is now generally available and is being used by public Fortune 500 teams to automate and optimize their identity audit, verification and management requirements.

The YouAttest Identity Compliance Solution delivers cloud-based identity access verification reporting solutions that eliminates manual processes used today for identity governance.

YouAttest’s ICS automates validation of user roles and permissions to reduce the cycle time for identity audits from weeks to hours and substantially improves the accuracy of identity access certification campaigns over manual processes.

IT managers are now able to easily manage access audit demands for new, current, and departing employees and contractors. YouAttest provides easy-to-read dashboards and streamlines the entire identity governance process.

Concurrent with the general availability of the YouAttest Identity Compliance Solution, the company announced Garret Grajek has joined the company as CEO and President.

Grajek, a proven industry innovator and entrepreneur who holds 13 security-focused patents, has taken companies such as SecureAuth from start-up to market leadership. His proven experience in the IG&A market will enable YouAttest to drive customer acquisition and strategically expand the product portfolio.

“I am thrilled to join YouAttest at this pivotal time in the growth of the company. Helping support our customer base, securing a new round of funding, and working our partnership with OKTA is a great way to start,” said Grajek, President and CEO. “My primary focus is on our new partnership with Okta, expanding our product offering, and capturing new customers.”

Mr. Grajek led the $700K seed funding round for YouAttest that will help expand the development capabilities of the company and expand the partnership with Okta.

Cybersecurity is a board level issue: 3 CISOs tell why

As a venture capital investor who was previously a Chief Information Security Officer, I have noticed an interesting phenomenon: although cybersecurity makes the news often and is top of mind for consumers and business customers, it doesn’t always get the attention it deserves by the board of directors.

cybersecurity board level

Misconceptions and knowledge gaps increase this distance between security and oversight. How can boards dive deeper into the world of security and overcome the entry barriers to collaboration? Seeking advice, I reached out to prominent security leaders: Joel Fulton, the former CISO of Splunk; Jeff Trudeau, the CSO of Credit Karma; and Yassir Abousselham, the former CSO of Okta and the newly appointed CISO of Splunk. Here are their tips for board members.

Recognize security as both a business risk and an opportunity

First and foremost, it is imperative for the board to appreciate the impact that information security can have on the business. Boards should treat security as a top business risk as well as a top business opportunity. Major security events can have a significant impact on revenue, brand, and even lead to catastrophic results.

Abousselham elaborates: “In an era where organizations are handling large amounts of sensitive information and governments are actively pushing more stringent privacy laws, data breaches have serious ramifications for the organization, its customers, and partners.”

Bridge the technical gaps

Contrary to popular belief, security leaders believe that domain expertise is not a prerequisite to making smart security decisions. Instead of focusing on every technical bit and byte, Trudeau suggests the conversation should concentrate on understanding the risks and ensuring they are properly addressed.

Yet, even on a macro level, security concepts might be difficult to fully understand, so a short and dedicated security training for the board can come in handy. It’s also key to remember that it’s not only the board members who may feel like fish out of water. The CISO, too, can get intimidated and might over-rely on the comfort and familiarity of technical details.

To mitigate the differences, Abousselham offers to foster a synergic discussion by framing risks and mitigations in business terms. Fulton proposes focusing on the Venn overlap of the security program’s weaknesses and the board’s strengths (like governance and strategy). This enables the board to interact with security as they do with other domains, empowering the CISO with wise counsel, and letting both view clearly the current situation and the paths to success.

Ask the right questions

The board should operate on the notion that absolute security does not exist. The best way to assess your security program is often by focusing on and drilling down into the economic trade-offs.

Fulton’s suggested economic questions include: Are you applying your scarce resources, people, and time to the correct problems? Next, drill deep to understand the security leader’s rationale and thinking: How do you know you’re right? What evidence would indicate you’re wrong? and How can we find that evidence?

The board’s questions should also serve as a vehicle for both the CISO and Directors to think more strategically about security. As the technological environment has evolved tremendously in recent years, it is important to step outside the traditional realm of compliance and assess the potential catastrophic consequences of security deficiencies. For example, Trudeau proposes including questions like: Could what happened at this other company happen to us? What would be the damages from such threat materializing in our company?

Evaluate the effectiveness of the security program

The group offers structured approaches to synthetizing information and reaching conclusions about the security program. Abousselham recommends a top-down method: “Confirm that the CISO has a good grasp of security and compliance risks. Then validate that the CISO’s vision and strategies support the direction of the company and desired risk posture. Further, get comfortable with the CISO’s ability to execute, including the adequacy of the organizational structure, technical capabilities, funding, and ability to hire and retain talent. Lastly, because incidents are bound to happen, evaluate the ability to detect and respond to security compromises”.

Fulton advocates that the board seek to help the CISO with possible blind spots, looking to validate the security strategy and initiatives with questions like: Where are you intentionally reducing focus? Why is that decision the best decision in this company, environment, and vertical? In your areas of highest investment, what does “secure enough” look like?

Certainly, no evaluation will be complete without metrics that measure the progress and maturity of the security program. Fulton suggest boards inquire on how the program is measured and how the CISO knows the measures are valid and reliable. Abousselham offers focusing on objective risk measures with metrics to show progress against a baseline such as NIST CSF; and adopting no more than ten key metrics that summarize the state of the security program and its business influence.

When measuring the security program’s effectiveness, it is crucial to consider that it is tied to the CISO’s ability to influence the organization. The security leader’s ability to execute is very much dependent on the reporting structure.

According to Trudeau, reporting to the wrong executive could pose challenges for the security program and hinder its effectiveness. In addition, it is important to validate the CISO’s cross-functional operation. Most security practices and controls are implemented, operated, and maintained by employees without “security” in their title. Consequently, a CISO must be respected and influential outside her own organization.

Communicate in the right format and cadence

A good rule of thumb is for boards to meet the CISO at least once a year. Abousselham explains that some companies adopt a cadence of two updates per year, to the board and the audit committee. Boards might also ask the CISO for more frequent or ad hoc updates if the perceived risk is higher than the acceptable threshold.

Additionally, informal and off-schedule meetings improve relationships and information sharing simply by the reduction in formality. Fulton believes these keep strategy aligned and could be invaluable during actual or tabletop incident walk-throughs. However, boards should be careful to not overdo it as too frequent meetings can be inefficient, Trudeau warns.

With security becoming increasingly important, some organizations have created security committees to ensure independent oversight of security risk. The security leaders don’t believe it’s necessary in most cases, since it might be distracting. If a company is forming a security committee, Abousselham explains that committee members should be independent and with proper domain expertise to formulate and report an accurate opinion of the security risk posture to the board.

Conclusion

Fostering collaboration between the board and the CISO benefits both groups and the company as a whole. However, it’s not always easy and growing pains are to be expected. While everyone may share the same objective of seeing the company succeed, they often differ in their agendas and approaches.

The good news is that asking the right questions, conquering communication gaps, measuring progress and treating security as a business risk will set the board up for success in improving the company’s security standing.

Okta hires Craig Weissman as Chief Architect

Okta, the leading independent provider of identity for the enterprise, announced the hiring of Craig Weissman as Chief Architect, effective immediately.

Weissman brings a proven track record of more than 20 years leading enterprise software development and cloud architecture, having played a pivotal role as Chief Technology Officer at Salesforce before co-founding cloud hospitality provider, Duetto.

Weissman will join Okta’s engineering team, working alongside fellow Chief Architects Jon Todd and Karl McGuiness to further grow the most robust identity platform for enterprises.

“The importance of an independent and neutral identity continues to grow rapidly for organizations adopting technology and building digital experiences for their customers,” said Todd McKinnon, Chief Executive Officer and co-founder, Okta.

“Craig’s combination of technical expertise and industry experience is really one of a kind, and we’re thrilled to add a true pioneer in cloud architecture and development to the team. Craig is joining a strong group that will continue to evolve our platform today and spur innovation well into the future.”

“What strikes me most about Okta is the broad potential to transform the relationship between users and technology through our identity platform,” said Weissman.

“Okta has become an identity leader, with thousands of organizations and millions of users relying on its technology every day. But the opportunity in front of us is even larger as identity has become more and more inherent in the way we interact with technology, both in our personal and professional lives. I’m excited to contribute to a platform that will deliver on every identity use case.”

Craig Weissman joins Okta from Duetto, the SaaS company he co-founded and advises to bring data-driven cloud technology to the hospitality industry. Prior to Duetto, Weissman worked at Salesforce for nine years, the last three as Chief Technology Officer, where he was instrumental in building the leading enterprise cloud platform.

Weissman has more than 25 years of experience as a software architect and executive, with a long term focus on SaaS and cloud architectures.

A Breach, or Just a Forced Password Reset?

Software giant Citrix Systems recently forced a password reset for many users of its Sharefile content collaboration service, warning it would be doing this on a regular basis in response to password-guessing attacks that target people who re-use passwords across multiple Web sites. Many Sharefile users interpreted this as a breach at Citrix and/or Sharefile, but the company maintains that’s not the case. Here’s a closer look at what happened, and some ideas about how to avoid a repeat of this scenario going forward.

The notice sent to ShareFile users looked like this:

Dozens of readers forwarded the above message to KrebsOnSecurity, saying they didn’t understand the reasoning for the mass password reset and that they suspected a breach at ShareFile.

I reached out to ShareFile and asked them point blank whether this reset effort was in response to any sort of intrusion at Citrix or ShareFile; they said no. I asked if this notice had been sent to everyone, and inquired whether ShareFile offers any form(s) of multi-factor authentication options that customers could use to supplement the security of passwords.

A Citrix spokesperson referred me to this page, which says ShareFile users have a number of options when it comes to locking down their accounts with multi-factor authentication, including a one-time code sent via SMS/text message, as well as one-time passwords generated by support authenticator mobile apps from Google and Microsoft (app-based multi-factor is the more secure option, as discussed here).

More importantly, the Citrix spokesperson said the company did not enforce a password reset on accounts that were using its most robust form of multi-factor authentication (single sign-on solutions, or SSOs). To wit:

“This is not in response to a breach of Citrix products or services,” wrote spokesperson Jamie Buranich. “Citrix forced password resets with the knowledge that attacks of this nature historically come in waves. Attacker’s additional efforts adapt to the results, often tuning the volume and approach of their methods. Our objective was to minimize the risk to our customers. We did not enforce a password reset on accounts that are using more stringent authentication controls. Citrix also directly integrates with common SSO solutions, which significantly reduces risk.”

The company did not respond to questions about why it decided to adopt regular password resets as a policy when doing so flies in the face of password and authentication best practices recommended by the National Institute of Standards and Technology (NIST), which warns:

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

NIST explains its rationale for steering organizations away from regular forced password resets thusly:

“Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations.”

“But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.”

In short, NIST says it makes sense to force an across-the-board password reset following a breach — either of a specific user’s account or the entire password database. But doing so at regular intervals absent such evidence of compromise is likely to result in less complex and secure passwords.

Ideally, ShareFile users who received a password reset notice may be able to avoid the next round of password resets by adopting one of the two-step authentication options mentioned above. And I hope it goes without saying, but please don’t re-use a password you used anywhere else.

However, if you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.

Incidentally, there are several companies — such as auth0 and Okta — that make it easy to integrate with breached password databases like Troy Hunt’s HaveIBeenPwned.com to help proactively prevent users from picking passwords they have used at other sites (or at least at other sites that have been breached publicly).

Whether online merchants are willing to adopt such preemptive approaches is another matter, said Julie Conroy, research director with the Aite Group, a market analyst firm.

“With the reality that such a vast swath of username/password combinations have been compromised, this creates the potential for a ton of inline friction, something that is an anathema to merchants, and which banks work hard to stay away from as well,” Conroy said.

Update: 4:53 p.m. ET: Citrix just published its own blog post about this here.