From the Desk of Matt Topper, Professional Services Manager, Integris
I’m writing this from my home office, and you may be reading it from your living room. With the adjustments of working remotely, organizations need to share information about credentials for company websites or services, something that used to be as simple as asking the person sitting next to you. Someone new may need to access the company Amazon account or a vendor website and ask for the credential to be sent over. With a proper password manager, these passwords are one click away.
The most common response to password requests is normally to email this information, or to use a messaging platform like Teams to send it. While email within a company is more secure than email outside of it, that plain-text email might be transmitted to an anti-spam provider or email backup company. Worse, if your email account is ever compromised, the intruder now has access to the password that you sent.
A better option than email is a voice call, specifically mobile to mobile. Be careful with VoIP as most providers record all phone calls now. In some cases, there are regulatory obligations surrounding sensitive data over recorded phone calls. Credit card numbers fall into this category, for example.
Personal Password Management
Password managers make it simpler to remember the myriad passwords required today. Using a single password – the “master password” – to encrypt the other entries, tools like KeePass keep track of unique sets of credentials for every website. That’s a huge part of security best practices because it means that if your information for one site is compromised, the other sites with unique credentials remain safe.
While the strong encryption ensures the confidentiality of your data, KeePass and other standalone programs like it suffer from difficulties with concurrency. It’s hard to use these programs from an ever-increasing number of devices because the program doesn’t handle file sharing itself. Instead, you’ll need to handle the synchronization of the database file between all your devices yourself. You’re also responsible for backing up the data.
Personal password managers also don’t offer a way to share passwords with coworkers or to revoke access to passwords upon employee exits.
Passwords in the Cloud?
To solve the multi-computer and sharing issue, the best option is an online password management service like 1Password. After logging in, the service enables creating and storing unique passwords for every account. With the business edition of these services you can even share credentials with the rest of the team: “I’ll give you a call with the login” turns into “Facebook? That’s in the company 1Password vault.”
Storing information as sensitive as passwords on a website raises a lot of questions about security and privacy. Clients frequently ask us “What happens if the website is hacked?” or “How do I know that the employees at 1Password aren’t viewing my information?” The answer to both questions is that the company literally can’t see it. The master password for your data, which is separate from your sign-in account, is the only way to see what you’ve stored.
1Password takes this so seriously that its “If you forgot your master password” help article contains only tips about jogging your memory or asking another member of your team account for it. It ends with “If you tried all the steps above, or you’re sure you’ll never remember your Master Password, delete your 1Password data and start over.”
Online password managers also let you use multifactor authentication and share it with your coworkers by scanning the QR code with the mobile app or entering the textual code that some websites present. This enables using secure multifactor authentication while still securely granting access to coworkers when needed.
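The QR code and the textual code both carry the same seed, which is why everyone the vault entry is shared with gets matching one-time codes. The sketch below is an added example, not code from this article or from 1Password; it assumes the website uses standard TOTP (RFC 6238 with HMAC-SHA1), and the URI, account name and seed are constructed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample: the otpauth:// URI that an enrollment QR code encodes.
# The secret is the public RFC 6238 test seed, not a real account's.
SAMPLE_URI = ("otpauth://totp/ExampleCo:shared@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleCo")
# Constructed sample: the same seed as a site would show it for manual entry.
SAMPLE_TEXT = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def secret_from_text(text):
    """Decode the textual (base32) code; sites add spaces and drop padding."""
    text = text.replace(" ", "").replace("-", "").upper()
    text += "=" * (-len(text) % 8)
    return base64.b32decode(text)


def parse_otpauth(uri):
    """Return (secret_bytes, digits, period) from an otpauth://totp URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = parse_qs(parts.query)
    digits = int(params.get("digits", ["6"])[0])
    period = int(params.get("period", ["30"])[0])
    return secret_from_text(params["secret"][0]), digits, period


def totp(secret, unix_time, digits=6, period=30):
    """Compute the one-time code for a given moment (RFC 6238, HMAC-SHA1)."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    import time
    now = time.time()
    qr_secret, digits, period = parse_otpauth(SAMPLE_URI)
    # Whoever holds the seed, from the QR code or the typed text, gets this code.
    print("scanned QR code :", totp(qr_secret, now, digits, period))
    print("typed text code :", totp(secret_from_text(SAMPLE_TEXT), now))
```

Because the seed alone is enough to generate valid codes, it deserves the same protection as the password it accompanies, which is what storing it in the shared vault provides.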
Next Steps in Password Management
If you’d like to talk about the security of your shared applications, how to implement multi-factor authentication, or how to securely manage your company’s passwords or choose a password manager, we’d love to help. Contact us for more information here.