Password management can be a serious challenge, and in some cases a major pain point, in today’s business environments. As more and more applications move to the cloud/SaaS model, just about every modern business has to handle an ever-increasing number of passwords.
Business owners and executives have started to realize that leaving critical business password management in the hands of individual employees via whatever mechanism they prefer is not a good idea. So whose job should it be?
The sensible answer: the IT department or a managed IT service provider. In this two-part blog post, we’ll discuss why and how modern IT should get actively involved in password management.
Traditionally, IT people avoided managing user passwords for convenience and fear of liability
If you talk to us IT guys, especially those of us who support multiple clients or larger environments, we’ll tell you that we already manage a lot of passwords of our own, sometimes hundreds or more.
We have tried multiple password management solutions over the years and it is an ongoing battle to fine tune them for internal IT use. Now imagine the fun of being asked to help manage the end users’ passwords, too.
In a perfect world, each individual user would be solely responsible for his/her own passwords and strictly adhere to common security guidelines such as choosing unique, complex passwords for each site/app and never sharing them with others.
In the real world, though, these guidelines are largely being ignored – and we’ll discuss why shortly.
Then there’s always that big concern: liability. Nobody wants it. Certainly not IT people. We do not want to be involved with a potential user error that leads to compromised identities and data loss.
Even with liability waivers and contracts in place, it is still more convenient to stay out of it entirely. Unfortunately, this is one of the trade-offs we have to accept when taking on new responsibilities for the benefit of our clients.
Too many passwords, yet security guidelines say they all have to be complex and unique
It makes sense that access to sensitive data needs to be password-protected. The problem is that the sheer number of passwords even an average small business needs to manage today can be overwhelming. Factors that contribute to this situation include:
- More applications and services have become web-based. Just about every one of them will require passwords.
- Businesses are using more online apps and services hosted by various entities, thus requiring separate accounts and passwords.
- Account sharing is discouraged/prohibited and many sites require separate accounts for employees in the same organization.
- All of the above also applies to the vendors, partners, associates, financial institutions, government and other entities that businesses interact with.
As application developers take cybersecurity risks more seriously, it has become standard practice to enforce password complexity requirements. Users are also being advised to not reuse the same passwords across different sites so that one compromised password does not lead to a full-blown disaster.
From the perspective of each individual application and website, the password guidelines make total sense: unique and complex passwords reduce the security risks associated with brute-force attacks and individual account breaches. That is until you realize each user has dozens of such sites to deal with!
Remember, these users also have plenty of personal passwords to keep track of outside work, including their personal email, social media and online banking accounts. Obviously we’d want them to keep them all separate and all different, but will they?
Too many unsafe practices – sticky notes and spreadsheets everywhere
Unfortunately, not everybody has a photographic memory. 20 different passwords in a format like TdHxA!#Ent@xfcA are definitely not for the faint of heart. So how do everyday employees end up coping with password complexity requirements?
The answer: pragmatically, but with little regard for security. Examples include:
- Using the same simple passwords, possibly with simple predictable variations, such as Spring@2018, Summer@2019… (we’ve seen these so many times). Company names and abbreviations followed by simple numbers are also popular choices.
- Using passwords they believe to be secure, because they may contain uppercase, lowercase, numeric and special characters, such as the examples above, or something like P@ssw0rd1. In reality, these passwords really don’t stand a chance against today’s attacks.
- Writing passwords down on sticky notes and affixing them to monitors, keyboards, etc. for everyone with basic physical access to see (this can include guests and janitors).
- Saving passwords in contact apps, note apps, desktop wallpapers and other plain text, easily accessible and unencrypted locations.
- Saving passwords in documents/spreadsheets stored in shared network folders or cloud storage accounts (Dropbox, etc.) with little access control. The documents may be password protected, but chances are everyone in the office knows the password, not to mention that the files can easily be copied or transmitted off the company network.
- Choosing to remember passwords in browsers such as Chrome, which often in turn get synced to users’ personal online accounts without the user or management realizing the implications.
- When employees leave the company, the complete list of passwords they previously had access to rarely gets changed due to the inconvenience.
The list can go on and on. As a managed IT service provider, we get to see actions taking place in different organizations across different industries. When users are given no other viable and standardized solutions to manage their passwords, they tend to always resort to the same predictable and insecure methods.
Not only do these sticky notes and spreadsheets pose serious security concerns, they also fail to address another impact passwords have on modern businesses: a drag on productivity.
The scattered notes and files can get lost, duplicated or mixed up. The recorded passwords can get outdated. New users often struggle to find the right entries, and locked-out accounts due to excessive failed attempts are common.
The risk of breach is too high and it’s time for IT to play an active role in password management
Password-related breaches account for a large portion of today’s cyber attacks that result in real data and financial losses for businesses of all sizes. When so much sensitive data is stored in the cloud, a single breach can do serious damage.
That damage gets amplified even further when the same password is used across multiple sites (yes, the attackers will try Autumn@2019 if Summer@2019 doesn’t work). Left unattended, attacks and breaches are really a matter of when, not if.
The stakes are especially high for regulated industries such as financial services and healthcare. With fines alone that can reach into the millions, ignoring the security of end user password management is no longer a responsible option.
As we discussed earlier, leaving password security and management in the hands of individual users simply does not work. That’s why it’s time for IT to come up with a managed solution that does the job well and is easy for users to adopt.
Let’s start with password managers.
Password managers are getting popular, but they have caveats in business settings
Most modern password manager software/services have two fundamental features: storing passwords and other secrets in an encrypted “vault” protected by a master password (with optional 2-factor/multi-factor authentication) for each authorized user; and filling the passwords into websites/applications automatically via software extensions.
Password manager software and services are not new. As a matter of fact, a quick Google search will come up with plenty of choices on the market. Some are bigger brands, some are lesser known. Some are cloud-based while others use local storage. Many tech-savvy consumers nowadays already use password managers to manage their own personal passwords.
We believe password managers are a must-have for businesses, even if only for the encrypted storage capability alone. However, to successfully utilize them in a business setting, there are some key requirements and caveats that our readers should be aware of.
1. It needs to be standardized, pre-installed and pre-configured
Simply “recommending” that users start using a password manager is not enough. The decision needs to be made by IT and management to standardize on a selected password manager and get it deployed to every managed device. It needs to be pre-configured and ready to go. Detailed instructions and live training sessions should be provided for all users to get them started on the right track.
2. It must support central management via security policies
A password manager can act as a double-edged sword – if access to the master vault itself is compromised due to lax security standards or misconfigurations, all passwords stored in it will be gifted to the intruder.
This is why security settings for password managers must be set very high and enforced across the board for every user inside the organization via software policies – inherited settings which unauthorized users cannot override themselves. Examples include:
- Multi-factor/two-factor authentication (MFA/2FA) must be enforced for every user’s access to the password manager. We’ll discuss MFA/2FA in Part 2 of this blog post.
- Each user’s master password must be subject to very high complexity requirements, and users must be educated on what really counts as “complex” passwords. Master passwords must also be unique and not re-used elsewhere.
- Security policies such as session timeout periods, master password prompt frequencies and geo IP/network restrictions must be configured properly based on the organization’s compliance requirements, productivity impact and risk tolerance.
- Complexity requirements for underlying passwords stored in the vault should also be enforced. Users should be asked to select truly strong and unique passwords for each individual site/app now that the password manager is capable of keeping track of them and even filling them in automatically.
- In the most ideal scenario, stored app/site passwords should be randomly generated secure strings (a feature offered by many password managers) and not easily memorizable by humans. Such passwords are the most resilient to brute-force attacks. Access to these apps and services is therefore exclusively controlled via the password manager.
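To make the two points above concrete (what “really counts” as a complex password, and why randomly generated strings are the safer default), here is a small Python checker added as an illustration. It is not part of the original post or of any password manager product; the company names in COMPANY_NAMES and the substitution table in LEET are constructed assumptions, and a production checker would use far larger word and pattern lists. It shows that the passwords listed under “Too many unsafe practices” pass a typical four-character-class rule, and even score well on a naive entropy estimate, while still following a handful of predictable templates.

```python
import math
import re
import secrets
import string
from typing import Optional

# Constructed placeholders: an organization would substitute its own names/abbreviations.
COMPANY_NAMES = {"acme", "acmecorp"}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}
# A few common character substitutions; a real checker would use a much larger table.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "!": "i"})


def naive_complexity_ok(pw: str, min_len: int = 8) -> bool:
    """The rule many sites enforce: minimum length plus all four character classes."""
    return (len(pw) >= min_len
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def predictable_pattern(pw: str) -> Optional[str]:
    """Name the predictable template the password follows, or None if none matches."""
    lower = pw.lower()
    # Read the punctuation two ways: as separators ("Summer@2019") or as
    # letter substitutions ("P@ssw0rd1"), and test both readings.
    stripped = re.sub(r"[^a-z0-9]", "", lower)
    leeted = re.sub(r"[^a-z0-9]", "", lower.translate(LEET))
    for cand in (stripped, leeted):
        stem = re.sub(r"\d+$", "", cand)  # drop a trailing year or counter
        if stem in SEASONS and re.fullmatch(r"[a-z]+(19|20)\d{2}", cand):
            return "season+year"
        if stem in COMPANY_NAMES and stem != cand:
            return "company name+digits"
        if any(stem.startswith(w) for w in COMMON_WORDS):
            return "dictionary word with substitutions"
    return None


def charset_bits(pw: str) -> float:
    """Naive entropy estimate: pretends every character was drawn uniformly
    from the character classes present. Misleading for human-chosen passwords."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw: str) -> dict:
    """Combine the checks into one verdict. A recognised template wins over the
    entropy estimate, because the real search space is then only a few thousand guesses."""
    pattern = predictable_pattern(pw)
    bits = charset_bits(pw)
    if pattern is not None:
        verdict = "weak"
    elif not naive_complexity_ok(pw) or bits < 60:
        verdict = "insufficient"
    else:
        verdict = "strong"
    return {"complexity_ok": naive_complexity_ok(pw), "pattern": pattern,
            "charset_bits": round(bits, 1), "verdict": verdict}


def generate_vault_password(length: int = 20) -> str:
    """Random string of the kind a password manager generates for vault storage.
    Rejection-sampled until all four classes appear, so it also passes naive site rules."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if naive_complexity_ok(pw, min_len=length):
            return pw


if __name__ == "__main__":
    for sample in ("Summer@2019", "P@ssw0rd1", "Acme2020", generate_vault_password()):
        print(sample, assess(sample))
```

Running it shows Summer@2019 reported as complexity-compliant with a naive estimate above 70 bits, yet flagged as weak because it is a season plus a year; the generated 20-character string passes the same rule with no recognisable template. The useful design point for a policy is the ordering inside `assess`: template detection must run before, and override, any character-class or length scoring.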
3. It needs to support sharing with granular control and logging
For security and accountability, password sharing should be avoided or prohibited whenever it’s possible to create individual user accounts. However, in the real world, sometimes sharing of certain account credentials may be unavoidable. A typical example would be a vendor account or a third-party service account that does not support sub-user accounts.
Without a good password manager, access control for shared credentials is quite difficult. Users often end up sharing passwords casually, or keep everything in one big spreadsheet and put it in an all-shared folder for convenience. This “all or nothing” approach to sharing is obviously very problematic, as users can easily be granted access to credentials they’re not authorized for.
Business password managers need to support individual user, group and folder based granular access control so that administrators can clearly define which users are given access to which shared credentials. The software must also be able to keep logs for each login and resource access to promote accountability and meet compliance requirements.
4. It should support selective sharing with IT administrators
Another tricky area involves sharing of passwords between users and IT administrators. Under normal circumstances, IT should not know and should not have to know users’ passwords, even though they may be able to reset them (which would be a logged action). But again, in reality, for troubleshooting and technical support purposes, password sharing with IT is sometimes unavoidable.
This is an especially delicate situation with IT-managed password managers: if an IT administrator has the highest privilege in the system, does it mean he/she should be able to see every password of every user stored in the company’s password manager?
Most users, including company owners and management, would understandably prefer a “No” answer here. That’s why the password manager needs to provide a mechanism that allows users to share certain passwords with IT administrators on their own terms. Non-shared passwords should be only accessible by the users themselves.
However, we’d like to point out here that at FelinePC, we advise the users of our managed clients not to store their “personal” secrets in company password managers – credentials that have nothing to do with their jobs at the company, such as their personal banking passwords.
This is because courts in many jurisdictions have ruled that information stored in company assets belongs to the company, and ultimately IT administrators or the password service providers may be able to recover information stored in the user’s account at the request of the company. To avoid any potential legal mess, keeping personal and business matters separate is the only sensible choice.
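The access-control requirements from points 3 and 4 above (group- and folder-based grants on shared credentials, private entries that even an administrator cannot read unless the owner shares them, and a log of every access decision) can be captured in a small authorization model. The Python below is an added illustration written for this post; it is not MyGlue’s or any vendor’s code, and the users, groups, folder names and secrets are constructed sample data. Secrets are held in plaintext only to keep the example short; a real vault stores them encrypted.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Entry:
    """One stored credential. A shared entry lives in a folder; a private entry has an owner."""
    name: str
    secret: str
    folder: Optional[str] = None
    owner: Optional[str] = None
    shared_with: Set[str] = field(default_factory=set)  # users the owner explicitly shared with


class Vault:
    """Authorization layer of a business password manager (constructed model, not a real product)."""

    def __init__(self) -> None:
        self.entries: Dict[str, Entry] = {}
        self.groups: Dict[str, Set[str]] = {}       # group name -> members
        self.folder_acl: Dict[str, Set[str]] = {}   # folder -> groups allowed to read it
        self.admins: Set[str] = set()
        self.audit: List[str] = []                  # one line per access decision

    def add_group(self, group: str, members: List[str]) -> None:
        self.groups[group] = set(members)

    def grant_folder(self, folder: str, group: str) -> None:
        self.folder_acl.setdefault(folder, set()).add(group)

    def add_shared(self, name: str, secret: str, folder: str) -> None:
        self.entries[name] = Entry(name, secret, folder=folder)

    def add_private(self, name: str, secret: str, owner: str) -> None:
        self.entries[name] = Entry(name, secret, owner=owner)

    def share_private(self, name: str, requester: str, target: str) -> None:
        """Only the owner may extend access to a private entry, e.g. to an IT admin for support."""
        entry = self.entries[name]
        if entry.owner != requester:
            self.audit.append(f"{requester} share {name} -> {target}: DENY")
            raise PermissionError("only the owner can share a private entry")
        entry.shared_with.add(target)
        self.audit.append(f"{requester} share {name} -> {target}: ALLOW")

    def _authorized(self, user: str, entry: Entry) -> bool:
        if entry.owner is not None:
            # Private entry: owner plus explicit grants. Admin privilege deliberately does
            # NOT override this; that is the "on their own terms" property from point 4.
            return user == entry.owner or user in entry.shared_with
        # Shared entry: admins manage every shared folder; everyone else needs membership
        # in a group that has been granted the folder.
        if user in self.admins:
            return True
        user_groups = {g for g, members in self.groups.items() if user in members}
        return bool(user_groups & self.folder_acl.get(entry.folder, set()))

    def reveal(self, user: str, name: str) -> Optional[str]:
        """Return the secret if permitted; every attempt, allowed or denied, is logged."""
        entry = self.entries.get(name)
        allowed = entry is not None and self._authorized(user, entry)
        self.audit.append(f"{user} reveal {name}: {'ALLOW' if allowed else 'DENY'}")
        return entry.secret if allowed else None


def build_demo_vault() -> Vault:
    """Constructed sample data: two groups, one shared vendor account, one private entry."""
    v = Vault()
    v.admins.add("itadmin")
    v.add_group("accounting", ["alice"])
    v.add_group("sales", ["bob"])
    v.grant_folder("Accounting/Vendors", "accounting")
    v.add_shared("vendor-portal", "vendor-pass-example", "Accounting/Vendors")
    v.add_private("alice-hr-portal", "hr-pass-example", "alice")
    return v


if __name__ == "__main__":
    v = build_demo_vault()
    v.reveal("alice", "vendor-portal")      # allowed: accounting group has the folder
    v.reveal("bob", "vendor-portal")        # denied: sales has no grant on the folder
    v.reveal("itadmin", "alice-hr-portal")  # denied: private entry not shared with IT
    v.share_private("alice-hr-portal", "alice", "itadmin")
    v.reveal("itadmin", "alice-hr-portal")  # now allowed, and the grant itself is logged
    print("\n".join(v.audit))
```

The two decisions worth copying into any real deployment are visible in `_authorized`: the administrator role is scoped to shared folders and never reaches into private entries, and the default for a shared entry is deny unless a group grant exists, which is the opposite of the “one spreadsheet in an all-shared folder” approach. The audit list records denials as well as successes, since a string of denied reveal attempts is exactly what an administrator wants to notice during a compliance review.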
5. It requires active IT involvement from implementation to oversight
As you can see from the topics we discussed above, password managers in a business environment require hands-on IT involvement, largely due to the highly sensitive nature of the problem they’re meant to solve. “Install and forget” is not a viable option.
The implementation requires careful planning, from the choice of the application to the security policy configuration and access control design. An experienced IT department or managed IT service provider is crucial for the entire process.
After the onboarding phase ends, IT must still monitor and maintain the relevant security policies for compliance. All software and extensions must be kept up to date. As with most new technical changes and additions, some user support requests should be expected, though if properly trained from the start, most password managers should be very easy to use for end users.
A review of various password manager software or services is out of the scope of this article. The reality is that when you take into account all the requirements we mentioned above, there are not that many great options left, as lots of password managers are geared more toward individual/residential use rather than business.
At FelinePC, we deploy MyGlue as the password manager for our managed IT clients. MyGlue is not directly for sale to end user organizations. Instead, the product is part of IT Glue, an industry-leading IT documentation platform we use to maintain detailed technical documentation for our managed clients.
MyGlue is designed specifically for managed IT service providers who go the extra distance to actively help their clients with password management. It is part of the standard offerings included with our fully managed IT service plan. Live training is provided for all users during the onboarding process.
Password managers are great, but they’re not the complete answer to the password problem
When properly implemented, password managers do address a big issue: insecure storage and sharing of passwords by users using unencrypted and uncontrolled methods. Once all users in an organization are properly onboarded, password sticky notes, spreadsheets, etc. should be eliminated and ideally prohibited under company policies.
However, there is more to password management than secure storage. Some examples include:
- What if we want to ensure that users log into certain websites only from authorized locations and devices? Can we prevent them from copying credentials from the password manager?
- When an employee no longer works for the company, can we disable his/her account easily without changing every password he/she previously had access to via the password manager?
- Despite best efforts to safeguard them, if a credential does end up getting stolen due to incidents such as phishing attacks, is there a fallback security mechanism to prevent unauthorized access?
- Is there a way to reduce the number of times a user has to authenticate himself/herself using master passwords and make the sign-in experience more seamless to improve productivity?
In part 2 of our blog post, we will discuss the other two important components that can significantly improve the efficiency and security of modern password management: Single-Sign-On (SSO) and Two-Factor/Multi-Factor Authentication (2FA/MFA). Please stay tuned for the update!