How to Securely Manage Company Passwords
When it comes to passwords, a poll conducted by LogMeIn showed that 59% of the 2,000 people asked were using the same password for multiple accounts. That poses a huge security risk, and this is why.
In 2013, the internet giant Yahoo was hacked, and digital thieves got away with the names, birth dates, phone numbers, and passwords of all 3 billion of its users. The passwords were not stored in the clear, but they were hashed with the outdated MD5 algorithm, which is easy to crack.
This breach is not unique. In 2016, Uber had a security incident that exposed sensitive information. In 2017, 147.9 million consumers were affected by the Equifax breach. In 2016, 412 million user accounts were stolen from FriendFinder’s sites. And the list goes on.
By using the same password on multiple accounts and services, you effectively expose that password for all of those services as soon as any one of them is hacked.
In addition, passwords and logins are often shared by email. It takes no more than one malware infection or break-in on any of the recipient’s devices (or mailboxes) for that password to be compromised.
How do I create and manage my passwords safely?
According to Verizon’s Data Breach Investigations Report, an astonishing 81% of hacking-related breaches involved stolen or weak passwords.
Using strong passwords, storing them securely, and exchanging them safely is vital in order to protect against hacking and data theft.
Probably the best way to manage your passwords is to use a password manager. There are many to choose from; Tom’s Guide keeps a list of the most common ones (https://www.tomsguide.com/us/best-password-managers,review-3785.html).
Here at Itefy, we’re using 1Password, but the basic principles of all the password managers are the same:
All passwords and logins are created and kept in one encrypted «vault», protected by a master password (which you must not use on any other service) and, usually, a few additional security measures.
In addition, you get a printable «emergency kit» PDF (at least in 1Password) with your account details in writing (sign-in address, account email and, in 1Password’s case, the Secret Key), along with a QR code that you scan to install and configure the manager on other devices.
It is advisable to print this PDF, write your master password on it, put it in an envelope, and lock it in a fireproof safe. If your devices are damaged or lost and you cannot retrieve the password manager account information any other way, you at least have it there.
Where are my passwords actually stored, and are they safe there?
The passwords (and other information) you store in a password manager are stored in «the cloud», that is, on the provider’s servers. (Some managers, such as KeePass, instead keep the vault in a local file that you sync yourself.) But what if the password manager provider gets hacked?
The good news is that even though the provider stores your vault, it is encrypted on your device before upload, and the key needed to decrypt it is derived from your master password (in 1Password’s case, combined with the Secret Key that exists only on your devices and in your emergency kit). The provider never holds that key, so a breach of its servers yields only ciphertext that still has to be brute-forced, which is why the master password must be long and unique.
On the other hand, this also means that if you lose or forget your master password, there is no way to get your stored passwords and login information back. Keep that in mind, as losing passwords can be devastating, or at least disruptive, to your business. That is why printing the emergency kit, writing down the master password, and locking it in a fireproof safe is vital.
There are, however, other ways your master password can be stolen. As Tom’s Guide describes, you can be tricked into using an app or browser extension that imitates your password manager but is in fact fake (phishing). Once you enter your master password there, the attacker can open your vault.
That being said, all serious password manager providers work hard to make this difficult. If you install apps and extensions only from official sources, learn how your password manager behaves (a real one autofills a login only on the site it was saved for, which is itself a useful phishing check), and pay attention to which sites you enter passwords on, you should be reasonably safe.
How can I sync passwords on multiple devices?
As mentioned, password managers can share the same vault across multiple devices: laptops, desktop PCs, smartphones, and tablets. After downloading the app (always from official sources), take out the emergency kit and scan the QR code with the device’s camera the first time you set it up.
You have to enter the master password each time you open the app, except shortly after you last used it; after a period of inactivity it locks and requires the master password again.
When you make changes to the vault, like adding new login information, the changes are encrypted on your device and sent to the provider. When you open the password manager on another device, it fetches this encrypted copy from the provider’s cloud.
Passwords and login information are decrypted on the fly on your device, and any changes are encrypted before being sent to the cloud for storage, so the plaintext never leaves the device.
What happens if my email or other login services gets hacked?
With a password manager, you’re encouraged to use different passwords for each login service you’re using. It may sound like a hassle, but the password managers really make it easy for you. When signing up for a new service, you can use the password manager to automatically create a new, strong password for you. And when signing up or signing in for the first time, you will be asked to store the login in the manager.
The big advantage with having different passwords for each login is that if one service gets hacked, you’ll only have to change the password on that service, and not for all the other services you would otherwise use that password in (and you would probably not know all the places you have been using that password either).
Many password managers actually have a built-in notification service, alerting you if one of your passwords has been leaked.
What if the password manager provider disappears or becomes unavailable?
You can (and should) back up your vault to an external drive or USB flash drive so that you always have access to your passwords and login data, even if the provider goes bankrupt. An exported vault file remains encrypted, so you still unlock it with the master password, but you have full control of the data. Be careful with plaintext exports (for example CSV): they contain every password in the clear, belong only on an encrypted drive, and should be deleted when no longer needed.
Can I use password managers for more than passwords?
Yes, with password managers it is up to you what information you store. Besides website logins, you can store credit card details, PIN codes, TLS/SSL certificate private keys, server logins, and so on. You can even store documents and photos of driver’s licenses, passports and other ID cards, receipts, ownership certificates, and other important documents.
How can I safely share passwords within my company?
Provided you are all using the same password manager, most of them have the ability to create multiple vaults and share them.
Think about this when you organize your passwords: if there are logins you need to share with a group of co-workers, create a separate vault for those. Then add each person by email address. Each person receives an invite and has to create their own master password to access the shared vault. In other words, you never share your own master password.
In most cases you can set permissions per person for each shared vault: allow or deny viewing, editing, and managing (inviting and removing members).
Be careful about who you give edit and management access to. Also remember that removing someone from a vault does not remove what they have already seen: when a person leaves the team, rotate the passwords in the vaults they had access to.
How can I safely share passwords with people outside my company?
The main principle when sharing secrets such as passwords is to make sure nobody but the legitimate recipient actually receives the information. One way to do this is to send different pieces of the information through separate channels.
For instance, if you send a link to a password-protected page containing the secret, but send the one-time password for that page as a text message, the chances that someone intercepts both the link and the one-time password are slim.
You can use services like OneTimeSecret to send passwords or other secret text securely. It generates a link that you can share however you want, and the secret is deleted once it has been viewed (or when it expires). In addition, you share a passphrase with the recipient through some other channel so that only they can unlock the secret.
If you want to raise the security level further, you can split the passphrase into multiple parts and send each part through a different channel.
What is two-factor (2FA) or multi-factor (MFA) authentication, and is it safer?
Two-factor or multi-factor authentication builds on a related idea, proving your identity with more than one independent piece of evidence, but in a more organized way:
- You log in with your permanent credentials (typically an ID such as your email address, and a passphrase).
- Then you have to supply a one-time code obtained from another device or source (e.g. an authenticator app on your phone, a hardware security key, or, less securely, a text message) and enter that as well.
- In some cases, you also have to enter information from the login screen into e.g. the app before the app gives you the new code to enter on the screen.
The main principle is, again, that the extra proof comes from a source independent of the password: something you have, not just something you know.
It makes the login safer because it adds another layer: even if your password has been leaked, the attacker also needs the disposable one-time code, which changes every time you log in.
FaceID and fingerprint authentication vs. passwords
Face ID and fingerprint authentication are biometric methods. They work by measuring physical characteristics and converting them into a biometric template, a set of data points computed by a specific formula. On modern phones the template is stored in a protected hardware area (for example the Secure Enclave on iPhones) and never leaves the device; the biometric unlocks a credential held locally rather than being sent to the service, so it is not compared by the server the way a password hash is.
There are several benefits, especially simplicity and convenience: you only have to touch a finger scanner or look into a camera to be authenticated. A biometric also cannot be guessed or reused the way a weak password can, so it resists the brute-force and credential-stuffing attacks described above.
On the other hand, biometric authentication raises several concerns. You cannot change your biometric data, so if it leaks you have no way of changing your «biometric password». Biometrics are highly personal, and sharing a «biometric password» is impossible. And you can be forced or tricked into authenticating, whereas with a passphrase you would at least know that you gave it away.
Conclusion
Secure password and login management is crucial for every business, small or large, and neglecting it can cause great damage. Implementing best-practice password management is, however, not as hard, expensive, or time-consuming as you might think.
Just start by selecting a password manager you like, install it, add one or two services, and soon you will wonder why you didn’t do it before.
Sources:
- BitDefender: 59% of people use the same password everywhere, poll finds
- The New York Times: All 3 Billion Yahoo Accounts Were Affected by 2013 Attack
- Uber: 2016 Data Security Incident
- Equifax: Equifax Announces Cybersecurity Incident Involving Consumer Information
- Wall Street Journal: FriendFinder Investigates Report of Breached Accounts
- Verizon: 2019 Data Breach Investigations Report