Let’s take a brief quiz on password hygiene. Don’t worry, the answers are all yes or no, and I won’t reveal your individual grades.
1. Do you avoid reusing the same password on multiple websites?
2. Have you changed your email password in the past 90 days?
3. Do you use two-factor authentication for Google, Apple, LinkedIn, Facebook, Twitter, GitHub, and others?
If you answered no to any of these questions, it is time to consider upping your game. I have been spending a lot of time looking at various password-related security products for Network World, and my latest review just came out this week. The review examines password management tools. These are very useful products that let you eliminate, once and for all, the password cheat sheet from your desktop.
What is the password cheat sheet? We have all seen someone stick a Post-It note with a handwritten list of passwords on their monitor. I remember one time passing a brokerage firm where you could read the notes on the monitors from the street: clearly they had lousy hygiene. But many of us have gotten lazy and reuse the same password, or use passwords similar enough that, if one of our online accounts is compromised, the whole ball of wax melts.
There is a better way. The tools that I looked at for Network World include consumer-grade and enterprise-grade products that set up a master password vault where you can safely store all your passwords. Of course, you need to protect this vault with a strong password, but that is the last one you need to remember. From this vault you can automatically fill in your authentication information in both desktop and mobile browsers, and also store other information, such as credit card numbers and client notes, that you want to share with your teammates. Most of the tools that I looked at synchronize your vault, so a login ID and password entered on your desktop is available in your mobile browser, or remotely when you log in from a Web browser on a shared computer at another location. Most also include a complex password generator so you can swap out your pet’s name for something a bit harder for the bad guys to guess.
Another benefit of these tools is that they strengthen shared administrative access to corporate servers and services, such as your SQL databases and websites. If you have a strong password for these systems, you can change it frequently without having to distribute emails with the new password or having everyone remember what the daily password will be. This is what Lieberman’s Enterprise Random Password Manager does.
A few products also include centralized administration and management features. For example, you can set up a policy that overrides the default auto-logoff protections: on PC shutdown, when the screensaver is active, when the machine is idle, or when the computer is locked.
One of the tools that I tested and really liked is LastPass. It is free for the individual user, and you get the full functionality of the tool this way, so IT managers can easily check it out and see how it works. Once you are ready to upgrade to the enterprise version, you can start a free two-week trial, after which it will cost you $24 per user per year. On install (and you can re-run this security check later as well) it tells you which insecure passwords your browsers (or password vault) have already saved, and gives you the option to remove or change them to keep things more secure.
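The two features described above, the vault security check and the complex password generator, are easy to reason about in code. The following is an added example written for this post, not LastPass code or any product's implementation; the vault entries and the 60-bit strength threshold are constructed assumptions. It flags the three quiz failures (reused, stale beyond 90 days, and weak passwords) and generates a replacement with a cryptographic random source.

```python
import math
import secrets
import string
from datetime import date

# Constructed sample vault (site, password, date last changed); not real credentials.
SAMPLE_VAULT = [
    ("mail.example.com", "fluffy2012", date(2013, 1, 15)),
    ("bank.example.com", "fluffy2012", date(2013, 4, 1)),
    ("github.com", "Tr0ub4dor&3", date(2013, 3, 20)),
    ("social.example.com", "x9#Lq!vR2mZp$7wN", date(2013, 4, 10)),
]

def entropy_bits(password):
    """Upper-bound brute-force entropy from length and character classes used."""
    pool = 0
    if any(c.islower() for c in password): pool += 26
    if any(c.isupper() for c in password): pool += 26
    if any(c.isdigit() for c in password): pool += 10
    if any(c in string.punctuation for c in password): pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0

def audit_vault(vault, today, max_age_days=90, min_bits=60):
    """Return {site: [issues]} for passwords that are reused, stale or weak."""
    sites_by_password = {}
    for site, pw, _ in vault:
        sites_by_password.setdefault(pw, []).append(site)
    findings = {}
    for site, pw, changed in vault:
        issues = []
        if len(sites_by_password[pw]) > 1:
            issues.append("reused")          # quiz question 1
        if (today - changed).days > max_age_days:
            issues.append("stale")           # quiz question 2
        if entropy_bits(pw) < min_bits:
            issues.append("weak")            # assumed 60-bit threshold
        if issues:
            findings[site] = issues
    return findings

def generate_password(length=16):
    """Generate a password from a CSPRNG that uses all four character classes."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
        if all(classes):
            return pw

if __name__ == "__main__":
    for site, issues in audit_vault(SAMPLE_VAULT, date(2013, 4, 30)).items():
        print(f"{site}: {', '.join(issues)}; suggested replacement: {generate_password()}")
```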
Recommending a tool like LastPass for an IT Manager is crazy. Tools like LastPass, RoboForm, etc. aren’t bad, but they aren’t designed for IT teams … there are other tools in this space that do so much more that IT folks need (integration with AD & RADIUS for authentication; automatic password testing and changing against accounts – actually connecting to a device and changing the password – this is critical for IT folks when there is staff turnover; service account management is a massive and difficult problem).
My tool of choice for our IT admin teams is Secret Server from Thycotic – a true multi-user password management tool designed for IT administrator teams.
Another alternative is Sticky Password manager – http://www.stickypassword.com.