3 Tips to Secure Password Management

JL Peck CISM
Lead Consultant

Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.
— Clifford Stoll

One of the common areas we see companies and technology groups struggling to manage securely and effectively is… passwords.  We know we need them, we know they need to be “secure”, and we know they’re a pain in the neck to keep organized.  The problem is compounded when you factor in shared passwords and accounts for teams.

Tip 1:  Quit Using Excel to Manage Your Passwords

Back in the day, before secure logins were part of routine internet use, before social media and big e-commerce, businesses had only a handful of online passwords to manage.  Naturally, Excel was one of the most obvious and easiest tools to use for tracking passwords, and everybody used it.

As time went on, the internet’s offerings evolved to provide an onslaught of services that all required individual logins to social media, online accounts, secure networks, and free email.  Many evolved their password management methods to more sophisticated tracking using a secure password management system.  However, many did not.

Here’s an example of one such company that did not evolve their password management process…

A small business – let’s call them “SeasonalAgriBusiness” – needs to use vendor websites for ordering materials and supplies, shipping products, and managing the cash flow process.  Since they’re a seasonal business they have a fairly high turnover rate, relative to most businesses, and they rely on interns and people working while going to school.  They have up to 5 people who need to access a vendor portal, and the vendor won’t provide separate accounts for every employee because of business reasons.

“But wait…” I hear you say.  “What if a seasonal employee kept the credentials to their vendor portal?  What if an employee gets let go and wants to stir up trouble?  Won’t they have easy access to disrupting their business?”  Quite right!  So how does our small biz handle this problem?

Well, when we met with them we learned that they keep track of these vendor portals using a common method… in an Excel spreadsheet kept on a shared network drive.  “But don’t worry” they said, “The spreadsheet is password protected.”

(If you winced upon reading that, or if this sounds like your business … you’re at the right blog post.)

Here are some of the risks and concerns of keeping track of passwords using a spreadsheet, or a Word document, or a text file.

  • Your password file is most likely not encrypted.
    If your password file (a Word document, Excel spreadsheet, etc.) doesn’t ask for a password before you open it, it’s in “cleartext” (meaning anyone with the file can read anything that’s in it).  The data itself is cleartext within the Excel file, and anyone could copy the file or email it to themselves for later.  However, even if you are using MS Office password protection tools, read on for a huge caveat.
  • MS Office password protection & encryption are not secure.
    In the ‘before’ time, MS Office Password Protection was just that – a password on the file, not actual encryption; the contents could be read without knowing the password.  It’s like putting a padlock on a lock-box made of plexiglass – sure, there’s a lock, but you can still see everything inside.  In recent years this has been improved to use actual encryption of the file contents, but it’s still not great.   MS Office password protection is not hard for a moderately skilled technical person to crack – “Office Password Recovery Tools” are common – and it’s certainly not a challenge for a skilled network attacker.  Therefore, while better than no encryption and no protection, we do not advise relying solely on standalone MS Office password protection or encryption for sensitive or protected information, especially not for a file which holds the keys to your network kingdom in the form of account and service credentials & passwords.
  • Anyone with access to the file can copy it to take with them for later use.
    Unless you’re using a file activity monitoring tool such as Varonis DatAdvantage/DatAlert or Quest’s ChangeAuditor, you won’t know who has taken or accessed the file.
  • It’s hard to track who was given access to the file; hence, all of those passwords and accounts have legs.
    If I have ten seasonal employees come work for me during the summer, and over time five of them needed to use the accounts kept in the Excel password list, will I remember who I approved and who I didn’t?
  • Password changes are rarely part of off-boarding procedures.
    If my business has to let someone go during the busy-season, am I going to remember they had access to the password file?  Will my HR team know to change the passwords kept in the spreadsheet?
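As an added example (not code from the original post), here is a small Python check a defender can run over files pulled from a shared drive to flag the first two risks above: it tells a plain (unencrypted) .xlsx or text file apart from a password-encrypted Office file by its container format, and reads the column headers out of an unencrypted .xlsx without opening Excel.  The EncryptedPackage heuristic and the sample spreadsheet are assumptions constructed for this demo, not anything from the post.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# File signatures. A plain .xlsx/.docx is just a zip archive anyone can unpack; a password-
# encrypted one (and any legacy .xls/.doc) is an OLE2 compound file whose stream names are UTF-16LE.
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENCRYPTED_STREAM = "EncryptedPackage".encode("utf-16-le")
CRED_WORDS = re.compile(r"\b(pass(word|wd|phrase)?|pwd|login|credential)s?\b", re.IGNORECASE)
SS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

def xlsx_shared_strings(data: bytes) -> list[str]:
    """Shared-string table of an unencrypted .xlsx; text cells such as a 'Password'
    column header normally land here, so no Excel is needed to see them."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "xl/sharedStrings.xml" not in z.namelist():
            return []
        root = ET.fromstring(z.read("xl/sharedStrings.xml"))
    return ["".join(t.text or "" for t in si.iter(SS + "t")) for si in root.iter(SS + "si")]

def classify(name: str, data: bytes) -> dict:
    """Flag one file from the share: is it encrypted (True/False/None=unknown) and why it looks
    like a credential list (filename, spreadsheet header, or plain-text content)."""
    reasons = ["filename"] if CRED_WORDS.search(name) else []
    if data.startswith(OLE_MAGIC):
        # Heuristic (assumption): an OLE container with an EncryptedPackage stream is a
        # password-encrypted OOXML file; other OLE files (legacy .xls/.doc) stay 'unknown'.
        encrypted = True if ENCRYPTED_STREAM in data else None
    elif data.startswith(ZIP_MAGIC):
        encrypted = False
        if name.lower().endswith(".xlsx"):
            reasons += ["header:" + s for s in xlsx_shared_strings(data) if CRED_WORDS.search(s)]
    else:
        encrypted = False  # .txt/.csv: readable by anyone who can open the file
        if CRED_WORDS.search(data[:65536].decode("utf-8", "replace")):
            reasons.append("content")
    return {"file": name, "encrypted": encrypted, "reasons": reasons}

def build_sample_xlsx(cells: list[str]) -> bytes:
    """Constructed test input: a minimal unencrypted .xlsx whose shared strings are `cells`."""
    body = "".join(f"<si><t>{c}</t></si>" for c in cells)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/sharedStrings.xml", f'<sst xmlns="{SS[1:-1]}">{body}</sst>')
    return buf.getvalue()
```

Feed `classify()` each file's name and bytes as you walk the share; anything with `encrypted` False and a non-empty `reasons` list is a cleartext credential file worth moving into a real password manager.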

For a small or mid-sized business (SMB), these are common problems.  And for SMBs, the impact of someone doing something nefarious with a supplier or financial account can have tremendous consequences: from financial losses by fraud or unauthorized wire transfers, to credit and reputation troubles with vendors in response to missed shipments or improperly made orders.  A small business could lose everything if the worst-case scenario occurred.

Tip 2:  Know All of Your Org’s Accounts

Your teams are likely opening up new accounts as often as the business requires – from social media to suppliers to banking services.  One department may adhere to the security policies you’ve created, while others may not understand the implications of doing things the harder (more secure) way in favor of using the methods they always have. In these situations, it’s critical to get your arms around all of the accounts your company is using, and then drill into whether the accounts have unique logins (one for each staff member), or if the team is sharing a login and password.

By following these three steps, you’ll start to get a full picture of how your org is managing passwords – and the potential downstream consequences.

  1. Start by asking each department for a full list of accounts that they manage within your company.
    Talk with your Finance team (banks, PayPal, payroll, insurance), HR (HRIS, payroll), your Sales & Marketing staff (Salesforce, advertising management), and your order processing teams (suppliers, online stores), and ask them these questions:
      • What outside accounts or services do we use for our company?
      • Which of those accounts are shared between multiple employees, and which are assigned to just an individual?
      • What happens if someone loses a password? What happens if we have to let someone go who has those passwords?
  2. Make a comprehensive list of all shared accounts throughout the organization.
    Now you’ve got a list of the shared accounts, and you’ve had conversations with key employees about who uses the accounts.
  3. Detail what happens when employee turnover occurs.
    This will help you make the case for additional security policies regarding shared accounts and employee turnover. For example, what happens if someone loses a password?  What happens if the manager fires someone who has those passwords?

Now that you have identified and scoped the problem, we can move on to solutions.

Tip 3:  Know Your Password Security Options

It’s important for InfoSec professionals to address the challenges that go along with managing passwords for a team or organization, as well as some of the risks.

If you know you’ve got a problem, you’re more likely to want to fix it and close that risk.  There are three primary options for consideration.

Option 1) Do Nothing

Doing Nothing is always an option.  You may decide you like having your passwords stored in cleartext on your network, you may decide you’re OK not knowing who has access to them or who made changes when, and you might accept the risk that someone can download your password list and take it home without leaving a trace.  Though we don’t recommend it, it’s always a consideration.

Option 2) Use a Lightweight and Free Password Manager

There are some great free and open source (FOSS) password management solutions, including KeePass and Bruce Schneier’s “Password Safe”.  If you have budget constraints, or don’t have the technical resources to install a large client/server application and database, then one of these solutions is a great middle ground.  Since KeePass is a common choice, we’ll focus on it for our purposes today, but the alternatives function similarly.  Here’s how they work:

Instead of keeping an Excel spreadsheet or a Word document with a list of passwords, you use KeePass to create a new database file.  This small file, usually a few hundred kilobytes (KB), is encrypted using a passphrase or a keyfile (a specific file on your computer or a USB drive that unlocks the database, like a key to a padlock), and within the encrypted database are entries for your accounts and their passwords.  It looks like this:

(Screenshots: a KeePass entry list, and the equivalent view in Password Safe.)

Notice how the password is obscured, and all the information you need is there: the name of the server, the web site it uses, and the login and password.  One of the great features of KeePass is that you can copy the account password to the clipboard (ctrl+c) and paste it wherever you’re entering the password (ctrl+v).  This is very helpful for using complex passwords, because nobody likes typing “Nz_EH1wk;AxV5Yw” by hand.  And, after 12 seconds it will overwrite what’s in your clipboard, so your super-secret-complex-password isn’t going to be accidentally pasted into an email right before you hit send.

KeePass has a few other features including:

  • Mobile versions for Android & iOS
  • Syncing between multiple devices using Dropbox, FTP, and other services
  • Scheduled reminders to change or expire passwords and accounts
  • “Recycle Bin” to prevent accidental deletion

Option 3)  Use an Online Password Manager

Using an online password manager like LastPass, SecretServer Cloud, or 1Password has pros and cons which you should weigh before you commit long-term or move all your credentials to them.

PROS:

  • Rapid setup and deployment
    You do not need to build a server, install the application, run updates regularly, etc.  They do all the hard work, you just log in and use it.
  • Named, multi-user account options
    A single Excel or Word file, or a KeePass database, can’t usefully tell you who opened the file or who changed a password; online password managers let you create accounts for Employee A, Employee B, and so on, and all access events and changes to stored passwords are logged.  If someone changes your banking password in the database, you’ll know when it happened and which account was used.
  • Browser plugins to AutoFill Passwords
    For websites you log into frequently, such as social media, banking and finance, or internal company applications, the browser plugins let you conveniently retrieve and enter the username and password, often by doing it all for you.  Just point and click.
  • Reminders and alerts
    Many systems will update you when an account hasn’t had the password changed in a certain time period – 90 days, for example.  This can be convenient if you or your team need a tickler or reminder to update a password or set up an account.

These are great features and functionality which can save you and your team a lot of time and headache, and provide you assurance and traceability (named accounts, for instance.)  But there are some drawbacks to using an online password manager which you should also take into account before committing to purchase.

CONS:

  • You need to be online
    Online password managers require internet access at minimum for the first login, though many have a cached or offline mode.  But for companies or employees with not-awesome internet connections, or if you travel frequently and don’t have reliable cellular internet, getting locked out could mean needing internet access to log in again, just to retrieve a password to a program or file on your own computer or network.  For some people, that could be a work-stoppage, or just frustrating.
  • You’re relying on the service provider for uptime
    A technical problem beyond your control, for instance a down web site or cloud service, or a problem at the service provider’s ISP, could translate to you not being able to access your credentials for a while.  Your business may carry on if you can’t post on social media that morning, but any time-sensitive or urgent business tasks would likely be negatively impacted, such as payroll processing which requires a login to your payroll provider, or approving incoming sales orders through SalesForce for instance.
  • You’re relying on the service provider for security
    Security is their business, and if you’re a paying customer you probably feel good knowing that the products put out by security-related software companies are failproof, hackerproof, and future-proof.  That’s not always the case.  Software and infrastructure are complex systems with numerous points of security vulnerabilities, all beyond your control – and they don’t like to post audit reports and deficiency findings.  There have been several known instances of major online password managers and their browser plugins having security vulnerabilities or even compromises.  Sometimes this can lead to someone having gained access to your passwords and account information.

Option 4)  Built-in Browser Password Safes

Most browsers – like Google’s Chrome, Mozilla’s Firefox, and Microsoft’s Internet Explorer – have a built-in function for storing passwords to web sites, email and personal data, and credit cards.  These can be good middle-of-the-road solutions for individuals and small teams sharing a private computer.  They store passwords in a generally secure manner, but could allow anyone with access to the computer to use the credentials or credit card numbers that are kept.

One other concern that is mostly academic (for now) is that malicious websites or browser plugins could get access to your browser-stored password data.   At the rate of browser vulnerabilities being discovered and exploited, and the challenges and delays many people and organizations encounter in keeping their browsers and software patched, it’s a potentially higher-risk choice than a password database or a hosted password management server.

If your employees access internet services from a shared computer, or your individual employees don’t need to share web account passwords, using your browser’s built-in password manager could be a good mid-level choice.

PROS:

  • Built in functions of browser software you’re probably already using
  • Lets you fill in login credentials, personal information, and credit card information
  • Some browsers will sync saved passwords across devices, if you sign in using a profile in your browser

CONS:

  • Anyone who uses the browser has access to the passwords
  • Browsers have vulnerabilities too!
  • A malicious website could use a browser vulnerability to access your built-in password database

Key Takeaways for Risk Managers

The key takeaways here include the following:

  1. Don’t keep passwords and credentials in notepad files, memos on a phone, or Word or Excel documents, etc.
    • Even encrypted, Office files are not hard for an attacker to crack
  2. Plaintext password files (like notepad documents or Word/Excel files, even if encrypted) don’t provide an audit trail of who opened the file, changed a password, or who downloaded the file for later or offline use
  3. A password manager application safeguards your credentials in an encrypted file/database or in a cloud service. Neither is 100% secure, but both are better than a text document.
  4. Online password managers are convenient but have benefits and risks, including potential vulnerabilities and uptime issues that will be beyond your control. Weigh these options – and the risks – carefully before committing to a service, especially with long-term contracts.