Manager: So, we need to get you set up on all the applications you will be using in your new job. Here is a list of all your usernames and passwords. This one will log you into your computer, this one is for the encryption software, this is your email access, this one is for your VPN when you are at home and need to access the network, here is your Wi-Fi password, and to access our time management system use these credentials. Go ahead and log into each and they will prompt you to change your password.
New Employee: Sounds good, I’ll go through and change my password for each of these.
(10 minutes later)
Manager: So, did you get logged in to all of those systems and get your new passwords entered OK?
New Employee: I did, and I jotted them all down right here.
Manager: Oh, about that, you can’t keep your passwords written down, and especially not sitting out where folks can find them. While I’m at it, I should probably mention some of the other rules. Your password can’t be the same for any of your applications and cannot be the same as any of your personal accounts. Don’t store your passwords with your computer at work or while you are traveling. And we aren’t supposed to use any personal information, family names, pets, birthdays, etc. in our passwords.
New Employee: So you want me to create five “NEW” passwords and remember each of them?
Manager: Five? No, that’s just today. I’m guessing you will have around fifteen or so passwords by the end of the week. Don’t get too attached to them, though – you’ll be prompted to change them in two months.
While this is a made-up conversation, I’ve had similar conversations with new employees before. It’s frustrating for the new employee. It’s frustrating for me. How can I keep all my accounts and passwords different, safe, and secure? To make matters worse, I am required to change many of them on a regular basis. My latest count of accounts with passwords, both for work and personal use, exceeds 70. I’ve tried and practiced many of the different best practices for passwords, but it always breaks down at some point. Either the sheer quantity or the forced changes at differing intervals end up ruining all my mnemonic devices. Sure, I know the letter substitution method or the passphrase method. In the past I have had plenty of passwords that looked like: C()rr3c+ (Correct), $+()P.$1GN (Stop.Sign), My.Boss.Is.Mean, My.B()$$.1$.M3an, and so on. Now, which account goes with which iteration of that password? What did I change my password to after My.Boss.Is.Mean last week?
It’s simply not possible to keep all of your credentials straight in your head, but what is the alternative? The promise of single sign-on has definitely not taken off like many had hoped. I can now log into a couple of sites with my Facebook or Google account, but I do not need complicated passwords for most of these sites, anyway. Single sign-on is not going to solve my problem, but another type of software may be the answer: Password Management.
Password Management applications have been available for years. These applications help manage, store, and generate random, complicated passwords for all your different applications and websites. In the past, they have often been either very simple and somewhat limited, robust but overly complicated, or overly expensive. With the advent of the smartphone and the app market that followed, several new solutions have been added to the market that offer affordable, robust, and easy-to-use options. Here are three I have personally tried:
I have used Password Safe for years. Safe Systems has also recommended this product to our clients for years with much success. Password Safe works well for business accounts that you only access from work. The problem I have run into with Password Safe is with accounts that I need to access from machines other than my work laptop. Password Safe utilizes a local database. In order to access the information from other devices, you have to copy the database to each machine or have network connectivity to the original machine. Password Safe even offers a phone app, but you still need to copy the password database to your phone. This works great until passwords update or change; after any changes you have to copy and replace the database on all the devices on which you wish to use Password Safe. Overall, I found Password Safe to be great for passwords I only use from one computer, but very problematic for passwords that I use more often from multiple locations and devices.
Pros:
• Database is stored locally only, so its security does not depend on any outside service
• Some automation, such as “autotype”
Cons:
• Not easy to maintain across multiple devices
• Automation is limited
SafeWallet is similar to several app-based solutions on the market. It provides a phone app, an application for your PC, and automation for logging into different web-based programs. It supposedly “learns” your passwords as you use the computer and log into sites and keeps this information in an encrypted database that is shared between your multiple devices. As is a common claim with these applications, the database is encrypted in transit and can only be decrypted by the end user with the decryption key. In theory, since only the end user knows the decryption key, no one can access the database with passwords, including the company that built the application and facilitates the sync process between devices. While this application received positive reviews from PCWorld (http://www.pcworld.com/product/1253090/safewallet.html), I found it to be very flaky and hard to use. The PC interface did not allow me to easily see my website accounts and passwords. The required Chrome extension did not work correctly on my computer. Attempts to reach their support about issues with the application were not successful. Though I wanted to tap into all of SafeWallet’s features, I had difficulties making it work. I also found the interface confusing and awkward.
Pros:
• Integrated with phone and computer
• Automatic password database synchronization
Cons:
• Never worked correctly
• Zero support from manufacturer
• Security depends on trusting manufacturer
This application also works on phones and computers. LastPass was my second experience with an integrated Password Management application, and it actually worked as promised. It stores user names and passwords for all of my needed applications and websites. The passwords are seamlessly available on both my computer and my phone. The interface is a little confusing and dated, but it works well and can be learned pretty quickly. It does a very good job of automatically logging into websites and keeping up with my user names and passwords even after they are updated or changed. It does struggle with websites that have more than two pieces of login information. For instance, one site I use requires a user name, password, and part of my account number. LastPass auto-enters my password into both the password field and the account number field. In the end this is just a small annoyance and there are ways around this issue. The application does have a $12.00 annual fee for several of the phone application features and is highly rated by PC Magazine (http://www.pcmag.com/article2/0,2817,2407168,00.asp). On the security front, LastPass claims to use syncing technology that encrypts data in transit and can only be decrypted by the end user with the decryption key.
Pros:
• Synchronizes smoothly between devices and phones
• Types login information into sites automatically
• Works well
Cons:
• Dedicated web browser required on Android phone for auto-login options
• $12.00/year for full features
• Full database is synced between devices, so security is somewhat based on trusting the manufacturer
While using a Password Management system may be the answer for you or your employees, be careful not to jump in blindly. As with any vendor or technology, decision-makers should perform due diligence on any serious candidates before clearing them for use. Additionally, you may want to create a policy based around these applications or set expectations through training on what is allowed or not allowed.
When evaluating these applications, you will want to answer the following questions:
• Where does the data live?
    ◦ Does the database live locally or in the cloud?
    ◦ How does the data get shared between devices, if the product offers that feature?
    ◦ How is the database secured?
• Is the database encrypted?
• Does the decryption key ever leave the local device?
• Is the vendor trustworthy?
• Does the product support multifactor authentication?
• Has a risk assessment been performed on the product?
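The claim made above for SafeWallet and LastPass, that the synced database is encrypted in transit and can only be decrypted by the end user, and the checklist question of whether the decryption key ever leaves the device, come down to one design: the master password is turned into a vault key on the device, and the sync service only ever receives a separate login credential and an opaque blob. The following is an added example that models that design in standard-library Python; it is not code from any of the products mentioned in this post. The iteration count, the salt handling, the account name and the use of HMAC-SHA256 in counter mode in place of AES-GCM (which the standard library does not provide) are all assumptions made for the illustration.

```python
"""Model of a sync service that can store a vault but never read it.

Added example, not code from any product named in the post. Standard library
only, so HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag stands in
for the AES-GCM a real manager would use; the key handling is the point."""
import hashlib
import hmac
import json
import secrets

PBKDF2_ROUNDS = 200_000  # assumed client-side work factor


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Vault key (stays on the device) and a separate login credential (sent to
    the server). The credential is one more one-way step past the vault key,
    so knowing it does not give the server the key."""
    pw = master_password.encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS, dklen=32)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, pw, 1, dklen=32)
    return vault_key, auth_hash


def _subkeys(vault_key: bytes) -> tuple[bytes, bytes]:
    # Separate confidentiality and integrity keys expanded from the vault key.
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh nonce per upload."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(vault_key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong master password or a modified blob fails
    here rather than decrypting to garbage."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or modified vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class SyncServer:
    """Everything the vendor holds: salts, a server-side hash of the login
    credential, and an opaque blob. No master password, no vault key."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict[str, bytes]] = {}

    def register(self, user: str, salt: bytes, auth_hash: bytes) -> None:
        server_salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, server_salt, 10_000)
        self.accounts[user] = {"salt": salt, "server_salt": server_salt, "verifier": verifier, "blob": b""}

    def salt_for(self, user: str) -> bytes:
        return self.accounts[user]["salt"]  # the salt is not secret; any device may fetch it

    def _check(self, user: str, auth_hash: bytes) -> None:
        acct = self.accounts[user]
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, acct["server_salt"], 10_000)
        if not hmac.compare_digest(candidate, acct["verifier"]):
            raise PermissionError("login failed")

    def upload(self, user: str, auth_hash: bytes, blob: bytes) -> None:
        self._check(user, auth_hash)
        self.accounts[user]["blob"] = blob

    def download(self, user: str, auth_hash: bytes) -> bytes:
        self._check(user, auth_hash)
        return self.accounts[user]["blob"]

    def holds(self, needle: bytes) -> bool:
        """Would a dump of the service's storage expose this value?"""
        return any(needle in value for acct in self.accounts.values() for value in acct.values())


def sync_roundtrip(master_password: str, entries: dict, server: SyncServer, user: str = "alice") -> dict:
    """Device A enrols and uploads; device B knows only the username and master
    password and rebuilds the vault key from the server-supplied salt."""
    salt = secrets.token_bytes(16)
    key_a, auth_a = derive_keys(master_password, salt)
    server.register(user, salt, auth_a)
    server.upload(user, auth_a, seal(key_a, json.dumps(entries).encode()))
    key_b, auth_b = derive_keys(master_password, server.salt_for(user))
    return json.loads(unseal(key_b, server.download(user, auth_b)))


if __name__ == "__main__":
    service = SyncServer()
    vault = {"vpn": "constructed-vpn-secret", "email": "constructed-mail-secret"}  # constructed entries
    print(sync_roundtrip("correct horse battery staple", vault, service) == vault)  # True
    print(service.holds(b"constructed-vpn-secret"))  # False: only ciphertext reached the service
```

The round trip succeeds on the second device while `holds()` reports that neither the master password nor any stored password appears in what the service retains. Two consequences matter for the due-diligence list: a vendor following this model cannot reset a forgotten master password, and the strength of the master password together with the key-derivation work factor is all that stands between a leaked blob and the vault, which is why the "trust the manufacturer" caveat in the LastPass list reduces to trusting their client code rather than their servers.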
In the end, passwords are still one of the weakest links in security. Several of the breaches in recent years have been traced back to passwords shared between different accounts or to weak passwords in general. So password management is a real need and could provide real security and convenience. If your employees adhere to all your password requirements, they are going to have to do something to keep up with that information. Finding and providing them a secure way to manage passwords could be a key step in improving security and making life easier for your employees at the same time.
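Reuse across accounts and mnemonic passwords are the two weaknesses this paragraph names, and they are also the two things a manager's generator and audit features address. The following added example (not code from this post or from any product it mentions) shows both in standard-library Python: a CSPRNG-based generator with an entropy estimate, and an audit that flags identical passwords and substitution variants of one phrase, using the post's own C()rr3c+ and My.B()$$.1$.M3an style passwords as constructed vault entries. The substitution table, the 12-character threshold and the account names are assumptions made for the illustration.

```python
"""Vault hygiene: generate random passwords and audit a vault for the two
failure modes the post names, reuse and mnemonic-derived passwords.
Added example, stdlib only; not code from any product in the post."""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
MIN_LENGTH = 12  # assumed policy threshold

# Letter substitutions seen in the post's examples (C()rr3c+, $+()P.$1GN, My.B()$$.1$.M3an),
# plus a few common ones. Multi-character tokens go first so "()" is consumed whole.
LEET = [("()", "o"), ("@", "a"), ("$", "s"), ("+", "t"), ("!", "i"),
        ("0", "o"), ("1", "i"), ("3", "e"), ("4", "a"), ("5", "s"), ("7", "t")]


def generate(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniform random password from the CSPRNG, retried until every class appears."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in CLASSES):
            return pw


def entropy_bits(pw: str, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly drawn password: length * log2(alphabet size).
    The class requirement in generate() trims a little, so this is a slight upper bound."""
    return len(pw) * math.log2(len(alphabet))


def normalize(pw: str) -> str:
    """Undo common letter substitutions and case so variants of one mnemonic
    compare equal. '1' is read as 'i' here (an assumption; it could be 'l')."""
    for token, letter in LEET:
        pw = pw.replace(token, letter)
    return pw.lower()


def audit(vault: dict[str, str]) -> dict[str, set[str]]:
    """Return finding codes per account: 'short', 'reused' (identical password
    elsewhere in the vault), 'variant' (same mnemonic, different substitutions)."""
    findings: dict[str, set[str]] = {name: set() for name in vault}
    by_exact: dict[str, list[str]] = {}
    by_norm: dict[str, list[str]] = {}
    for name, pw in vault.items():
        by_exact.setdefault(pw, []).append(name)
        by_norm.setdefault(normalize(pw), []).append(name)
    for name, pw in vault.items():
        if len(pw) < MIN_LENGTH:
            findings[name].add("short")
        if len(by_exact[pw]) > 1:
            findings[name].add("reused")
        # Variants share a normalized form but are not byte-identical.
        if any(vault[other] != pw for other in by_norm[normalize(pw)]):
            findings[name].add("variant")
    return findings


def report(vault: dict[str, str]) -> str:
    """One line per account, for a quick read of what needs changing."""
    return "\n".join(f"{name:<10} {', '.join(sorted(codes)) or 'ok'}"
                     for name, codes in audit(vault).items())


if __name__ == "__main__":
    # Constructed sample vault built from the post's own example passwords.
    sample = {
        "laptop": "C()rr3c+",
        "vpn": "My.Boss.Is.Mean",
        "wifi": "My.Boss.Is.Mean",
        "email": "My.B()$$.1$.M3an",
        "timesheet": generate(),
    }
    print(report(sample))
    print(f"generated entry: ~{entropy_bits(sample['timesheet']):.0f} bits")
```

Run against the sample, the audit marks the laptop password short, the VPN and Wi-Fi passwords reused, and the e-mail password a variant of them (the "which iteration goes with which account" problem from the opening), while the generated entry passes and carries well over 100 bits of entropy that no one has to remember. That is the trade a manager offers: the memorability that made substitution schemes attractive is exactly what makes their variants detectable.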
*The mention of all applications in this article does not indicate that Safe Systems has reviewed or recommends any of these products. These are simply examples of available options that have been used to test functionality.