As a long-time sysadmin, I have to admit password management has always been one of the more annoying aspects of my job, from both the IT security perspective and the end user experience.
One other huge advantage to having a password management system: all passwords are stored in an organized way. During the recent Heartbleed vulnerability this made changing all of my passwords much easier. I could walk through each login one by one and make the changes I wanted. A very simple advantage over trying to remember all the sites I visit.
ADMINistrative Nightmare
In my case, it has always been a battle between using single passwords, to make the job easier, and using multiple passwords, to make everything more secure. In the end it was a one-sided battle, security being first. However, this created a large number of passwords. Imagine multiple sites, multiple admins, multiple devices. At this stage I have 300-odd passwords and a number of admins to share with.
End Users
I try to educate my users on creating complex passwords. This is not what this article is about so I won’t dive in, but there are lots of ways to create complex passwords that are reasonably easy to remember.
However, nothing irks me more than that one user (there is always at least one) who outright refuses to work within the rules of the system. They just can’t figure it out, even when you teach them formula-based passwords, pass-phrases, random words, alphanumeric. If the password isn’t 1234, they just can’t remember it.
If that password also changes every 30 to 90 days, we have some serious issues.
These users are also likely the ones that have their accounts and identities stolen most often. That is just my guess though.
Password Management – Not so great solutions
Sticky notes on monitors
Paper stuck to the bottom of your keyboard (seriously, it’s the first place someone would look)
Random paper in drawer
Using the same password for every site on the planet, from banking (hopefully secure) to that parenting site with no encryption.
Text files, spreadsheets, random files on cloud-based file sharing (Dropbox, Google Drive, etc.)
Tattooed on your forearm
Any slew of places that make your passwords easy to get for public consumption
What about those times you need to share passwords?
Email
Share your entire document
Make another sticky note that you pass off
Message tube
Password Management – Solutions
At this stage, I am going to add some caveats to all suggestions for password management moving forward.
There are a lot of options when it comes to password management. I am going to showcase one which I actively use myself.
These fit my needs at the time. This niche has grown quite a bit, so there are a lot of contenders these days.
Keeping all of your passwords in the cloud leaves security out of your control. Ensure you protect your information to the maximum and understand how and where your passwords are stored. This helps build the next point.
You need to trust the company, but also weigh the security against your need to manage passwords. Both of these are well encrypted and use two-factor authentication.
I am looking at this from a password sharing, enterprise admin position. Both have free tiers that work well for the average end user; however, that wasn’t my focus.
I had a list of requirements.
High level of encryption
Easy to share internationally without a unified or central file sharing system
Enterprise type option that allows for users and user management
Price
Password Manager
I didn’t put together a large matrix comparing products. I did some reading, looked at reviews, tried some of the open source products (free) and decided I just didn’t like the concept of an encrypted local DB. It didn’t suit some of my needs and the annoyance of trying to share internationally and manage the software made it unwieldy.
That left me, at the time, with two products: Lastpass and Passpack. I ended up selecting Passpack strictly on price. A number of the features of Lastpass were better than the features of Passpack. However, these weren’t features I was interested in at the time.
Feature Comparison
Feature PassPack LastPass
Two Factor x
Security Alerts x x
Mobile App x
Desktop App x
Browser Based x x
Audit x
Generates Password x x
Disposable Logins x
Form creation for auto fill x
User or Share management x x
SSO x
Pricing Comparison (per year cost)
User Count Passpack Lastpass
3 $18 $72
15 $48 $360
80 $144 $1920
As you can see, you get more features with Lastpass, but at a higher cost. As it scales up, it doesn’t really get much cheaper. This was a large barrier for me for multiple users.
Passpack
So now I will break this down into pros and cons. Since I use Passpack as my password management product daily, I figure I would keep this section simple.
Pros
Being able to view password history has been a lifesaver
Encrypted passwords and notes make for 2 great spots to store information
Sharing a password has been very handy. Sending passwords over email is always a risk; this makes sending passwords to non-users quite slick
Disposable logins and random password generator have been useful when signing up to sites where I don’t plan to go back or for testing purposes
Passpack It! – Simple button on the browser that allows for a single click login to your sites.
Cons
It is only browser based. So many times I wish I could have an app of any kind to use. Just something simple that allows me to use the power of a password manager on my phone, Mac or desktop. Heck, sometimes I am just not online. The current desktop app feels like a cheap workaround. They do, however, have big plans for 2014, which I am anxiously waiting on.
I love how I can organize my passwords, but I can’t share based on that organization.
Summary
This post was not about how to create passwords. It also really wasn’t about a specific product. What I really wanted to show was an easy way to manage passwords in an efficient manner.
If you
Struggle to remember passwords
Struggle to make complex passwords
Use single passwords for every site (secure or otherwise)
Want disposable logins/password combinations for privacy purposes
Then I do believe a password management program could be in your future. There are more benefits than negatives.
In fact, in researching this article I found many highly recommended products. Here is a short list:
Password Management Cost
Dashlane Free or 29.99
Passpack Free or Many options
Lastpass 12$ per year
RoboForm 10$ per year