Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.
— Clifford Stoll
One of the common areas we see companies and technology groups struggling to manage securely and effectively is... passwords. We know we need them, we know they need to be "secure", and we know they're a pain in the neck to keep organized. That's exacerbated exponentially when you factor in shared passwords and accounts for teams.
Tip 1: Quit Using Excel to Manage Your Passwords
Back in the day, before secure logins were part of routine internet use, before social media and big e-commerce, businesses had only a handful of online passwords to manage. Naturally, Excel was one of the most obvious and easiest tools to use for tracking passwords, and everybody used it.
As time went on, the internet’s offerings evolved to provide an onslaught of services that all required individual logins to social media, online accounts, secure networks, and free email. Many evolved their password management methods to more sophisticated tracking using a secure password management system. However, many did not.
Here’s an example of one such company that did not evolve their password management process…
A small business – let’s call them “SeasonalAgriBusiness” — needs to use vendor websites for ordering materials and supplies, shipping products, and managing the cash flow process. Since they’re a seasonal business they have a fairly high turnover rate, relative to most businesses, and they rely on interns and people working while going to school. They have up to 5 people who need to access a vendor portal, and the vendor won’t provide separate accounts for every employee because of business reasons.
“But wait…” I hear you say. “What if a seasonal employee kept the credentials to their vendor portal? What if an employee gets let go and wants to stir up trouble? Won’t they have easy access to disrupting their business?” Quite right! So how does our small biz handle this problem?
Well, when we met with them we learned that they keep track of these vendor portals using a common method… in an Excel spreadsheet kept on a shared network drive. “But don’t worry” they said, “The spreadsheet is password protected.”
(If you winced upon reading that, or if this sounds like your business … you're at the right blog post.)
Here are some of the risks and concerns of keeping track of passwords using a spreadsheet, or a Word document, or a text file.
For a small or mid-sized business (SMB), these are common problems. And for SMBs, the impact of someone doing something nefarious with a supplier or financial account can have tremendous consequences: financial losses through fraud or unauthorized wire transfers, and credit and reputation troubles with vendors in response to missed shipments or improperly made orders. A small business could lose everything if the worst-case scenario occurred.
Tip 2: Know All of Your Org’s Accounts
Your teams are likely opening up new accounts as often as the business requires – from social media to suppliers to banking services. One department may adhere to the security policies you’ve created, while others may not understand the implications of doing things the harder (more secure) way in favor of using the methods they always have. In these situations, it’s critical to get your arms around all of the accounts your company is using, and then drill into whether the accounts have unique logins (one for each staff member), or if the team is sharing a login and password.
By following these three steps, you’ll start to get a full picture of how your org is managing passwords – and the potential downstream consequences.
Start by asking each department for a full list of accounts that they manage within your company. Now that you have identified and scoped the problem, we can move on to solutions.
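Once the departmental lists are in, the audit itself is a small script. The following is an added example (not from the original post) that takes a constructed per-department inventory in CSV form and flags the two things Tip 2 asks you to drill into: logins shared by more than one person, and credentials kept in a spreadsheet, document, note or other cleartext location. The column names and sample rows are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory, one row per (account, person) pair, as each
# department might return it. Not data from the original post.
INVENTORY_CSV = """department,service,username,owner,stored_in
Purchasing,vendor-portal.example,orders@agri.example,Alice,Excel on shared drive
Purchasing,vendor-portal.example,orders@agri.example,Bob,Excel on shared drive
Purchasing,vendor-portal.example,orders@agri.example,Cara (intern),Excel on shared drive
Finance,bank.example,treasurer,Dan,KeePass
Marketing,social.example,agri_official,Eve,sticky note
Marketing,social.example,agri_official,Frank,Excel on shared drive
Shipping,carrier.example,fgarcia,Frank,browser
"""

# Storage methods the post warns against; anything matching counts as cleartext.
WEAK_STORAGE = ("excel", "word", "text file", "notepad", "sticky", "memo")


def parse_inventory(text):
    """Parse the CSV returned by a department into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def shared_accounts(rows):
    """Map (service, username) -> sorted owners, for logins used by more than one person."""
    owners = defaultdict(set)
    for r in rows:
        owners[(r["service"], r["username"])].add(r["owner"])
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}


def weak_storage(rows):
    """Return (service, username, stored_in) for credentials kept outside a password manager."""
    hits = set()
    for r in rows:
        if any(w in r["stored_in"].lower() for w in WEAK_STORAGE):
            hits.add((r["service"], r["username"], r["stored_in"]))
    return sorted(hits)


def audit(text):
    rows = parse_inventory(text)
    return {"shared": shared_accounts(rows), "weak_storage": weak_storage(rows)}


if __name__ == "__main__":
    report = audit(INVENTORY_CSV)
    for (svc, user), who in report["shared"].items():
        print(f"SHARED  {svc} / {user}: {', '.join(who)}")
    for svc, user, where in report["weak_storage"]:
        print(f"WEAK    {svc} / {user}: kept in {where}")
```

Every account that shows up under SHARED is one where you cannot tell who did what, and every one under WEAK is one a departing employee can take home without a trace.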
Tip 3: Know Your Password Security Options
It’s important for InfoSec professionals to address the challenges that go along with managing passwords for a team or organization, as well as some of the risks.
If you know you’ve got a problem, you’re more likely to want to fix it and close that risk. There are three primary options for consideration.
Option 1) Do Nothing
Doing nothing is always an option. You may decide you like having your passwords stored in cleartext on your network; you may decide you're OK not knowing who has access to them or who made changes when; and you might accept the risk that someone can download your password list and take it home without leaving a trace. Though we don't recommend it, it's always a consideration.
Option 2) Use a Lightweight and Free Password Manager
There are some great free and open-source (FOSS) password management solutions, including KeePass and Bruce Schneier's "Password Safe". If you have budget constraints or don't have the technical resources to install a large client/server application and database, then one of these solutions is a great middle ground. Since KeePass is a common choice, we'll focus on it for our purposes today, but the alternatives function similarly. Here's how they work:
Instead of keeping an Excel spreadsheet or a Word document with a list of passwords, you use KeePass to create a new database file. This small file, usually only a few hundred kilobytes, is encrypted using a passphrase or a key file (a specific file on your computer or a USB drive that is needed to open the database, like a key to a padlock), and within the encrypted database are entries for your accounts and their passwords.
One of the great features of KeePass is that you can copy an account password to the clipboard (Ctrl+C) and paste it wherever you're entering the password (Ctrl+V). This is very helpful for using complex passwords, because nobody likes typing "Nz_EH1wk;AxV5Yw" by hand. And after 12 seconds it clears the clipboard, so your super-secret complex password isn't going to be accidentally pasted into an email right before you hit send.
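The two properties described above, a database that needs every chosen factor (passphrase, key file) to open and a clipboard that forgets the secret after a set time, are modelled in this added example. It is illustrative code, not KeePass's own: the composite key follows the same hash-the-factors-then-hash-the-concatenation shape KeePass uses, while PBKDF2 stands in for its slow key transformation, and the clipboard is a stand-in with an injectable clock so the timeout can be checked without waiting.

```python
import hashlib
import hmac
import os
import time

KDF_ITERATIONS = 200_000  # stand-in for KeePass's AES-KDF/Argon2 work factor


def composite_key(passphrase=None, keyfile_bytes=None):
    """Hash each supplied factor, then hash the concatenation (KeePass-style)."""
    parts = []
    if passphrase:
        parts.append(hashlib.sha256(passphrase.encode("utf-8")).digest())
    if keyfile_bytes:
        parts.append(hashlib.sha256(keyfile_bytes).digest())
    if not parts:
        raise ValueError("at least one factor (passphrase or key file) is required")
    return hashlib.sha256(b"".join(parts)).digest()


def master_key(composite, salt):
    """Slow transformation so guessing against a stolen database file is expensive."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, KDF_ITERATIONS, dklen=32)


def keys_match(k1, k2):
    """Constant-time comparison; a mismatch means the database will not open."""
    return hmac.compare_digest(k1, k2)


class TimedClipboard:
    """Holds one secret and wipes it after ttl seconds (KeePass default: 12)."""

    def __init__(self, ttl=12, clock=time.monotonic):
        self.ttl, self.clock = ttl, clock
        self._value, self._copied_at = None, None

    def copy(self, secret):
        self._value, self._copied_at = secret, self.clock()

    def paste(self):
        if self._value is not None and self.clock() - self._copied_at >= self.ttl:
            self._value = None  # expired: the secret is gone, not just hidden
        return self._value


if __name__ == "__main__":
    keyfile = os.urandom(64)  # constructed stand-in for a key file on a USB drive
    salt = os.urandom(16)
    with_both = master_key(composite_key("correct horse", keyfile), salt)
    passphrase_only = master_key(composite_key("correct horse"), salt)
    print("passphrase alone opens the database:", keys_match(with_both, passphrase_only))
```

The point of the key-file factor is visible in the last line: someone who copies the database file and even learns the passphrase still derives the wrong key without the file.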
KeePass has a few other features including:
Option 3) Use an Online Password Manager
Using an online password manager like LastPass, SecretServer Cloud, or 1Password has pros and cons which you should weigh before you commit long-term or move all your credentials to them.
PROS:
These are great features and functionality which can save you and your team a lot of time and headache, and provide you assurance and traceability (named accounts, for instance). But there are some drawbacks to using an online password manager which you should also take into account before committing to a purchase.
CONS:
Option 4) Built-in Browser Password Safes
Most browsers, such as Google's Chrome, Mozilla's Firefox, and Microsoft's Internet Explorer, have a built-in function for storing passwords to web sites and email, personal data, and credit cards. These can be good middle-of-the-road solutions for individuals and small teams sharing a private computer. They store passwords in a generally secure manner, but could allow anyone with access to the computer to use the credentials or credit card numbers that are kept.
One other concern that is mostly academic (for now) is that malicious websites or browser plugins could get access to your browser-stored password data. At the rate of browser vulnerabilities being discovered and exploited, and the challenges and delays many people and organizations encounter in keeping their browsers and software patched, it’s a potentially higher-risk choice than a password database or a hosted password management server.
If your employees access internet services from a shared computer, or your individual employees don’t need to share web account passwords, using your browser’s built-in password manager could be a good mid-level choice.
PROS:
CONS:
The key takeaways here include the following:
Don’t keep passwords and credentials in notepad files, memos on a phone, or Word or Excel documents, etc.