Passwords and password management are evergreen topics. Everyone uses passwords, but people arrive at password management in different ways and at different times, and it can be confusing because there are so many ways to do it.

I’ve touched on password management before: how storing passwords in a web browser can expose them if someone else accesses the browser, and how I prefer offline password managers over online ones.

This was top of mind recently when an online password manager was backdoored. Any password management tool you use requires you to rely on the tool being untouchable. In my mind, using any online password manager means that anyone with an internet connection could potentially touch it. In this case, where the software itself was tampered with, you wouldn’t necessarily know that your passwords were at risk. That password manager’s clients have been told to reset all of their passwords.

Don’t Overthink It

You can overthink password management. While it is important to do something, you can also do too much. I was speaking to someone recently whose company has adopted Bitwarden. Bitwarden is a server-based, open source password manager. It’s pretty slick. You can download their app and create passwords – it has a password generator built in, naturally.

It comes as an offline app. But, once created, you can choose to have the passwords stored online. More importantly, you can license the software to manage an organization. Each employee would also use Bitwarden, and you can create groups so that a password – like a database license password – can be shared and managed within a group of staff.

It’s open source, so you can download the server and run your own system. I would have clapped my hands together and said, “Great” at one time. But security and password management are hard. Even applications like email servers are usually best left in the hands of professionals. I don’t mind managing my own passwords in an offline app. But I wouldn’t have the moxie to run a password server.

Another mistake this organization is making is requiring staff to use Bitwarden solely for work-related passwords. This means that employees will need two password managers, where they might have been encouraged to just use the one. I suppose if you run an on-premises server, you don’t want responsibility for personal passwords. But this creates new friction.

The benefit of open source is that it’s free to acquire. But you need knowledge to run it. One obstacle this organization ran into immediately was the lack of browser integration. While Bitwarden has web browser extensions, they work with the Bitwarden online service. If you roll your own on-premises version, you appear to need to develop your own extensions.

It’s not just password management. I know of another organization that has implemented two-factor authentication (2FA) for remote desktop (RDP) access. Except the two-factor prompt only appears if you access RDP in a particular way, through a web site login. If you connect directly to the RDP server using the Windows 10 RDP client, there’s nothing but a password prompt, so the second factor protects only one of the two paths in. It’s incredibly important that organizations be realistic about the knowledge and capabilities of their IT teams. This is particularly important in light of ongoing RDP exploits.

On the spectrum of password management, this strikes me as the most complicated. Use Bitwarden, sure. But you’ll need a lot of technical know-how to replicate their offering on-premises.

Keep it Simple

I was using a password manager earlier than most people in my family. So I’ve been part of the education process and also watching as organizations I’m connected to roll out security. That includes two-factor authentication. It’s been a journey.

There are so many ways to store passwords securely that there isn’t a single right one. The only thing I think I’d say is a must is that the passwords be created and used offline. But from that point, there are so many choices.

A screenshot of the Google Password Manager. It is tied to your Google account and so works in any browser.

Google now has a password manager that can be accessed from any web browser, which is different from just storing passwords in Google Chrome. Microsoft Edge has added one as well. Browsers are also adopting password monitoring, like Firefox Monitor, to warn you if the password you are using is a common one or has been found in a password dump.

This can lead to unintended consequences. We use a unique identifier for each user on one of our licensed systems. The password, for ease of getting them started, is their last name. But names can be common, and we heard from one of our researchers that they had been warned by their device about using a weak password. It would be weak if the username was also knowable, which it isn’t. But it’s not always possible to allow users to change their own passwords. We’re going to alter our default passwords to make them stronger but still knowable to the individual researcher without having to ask a librarian.
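As an added example (not from this post), here is a small Python model of the kind of check a browser password monitor performs: the k-anonymity range query popularised by Have I Been Pwned’s Pwned Passwords API, where only the first five hex characters of the password’s SHA-1 leave the client. The corpus, the counts and the candidate default passwords are constructed for the example; surnames used as defaults are exactly what such a check flags.

```python
import hashlib

# Constructed stand-in for a breach corpus ("password dump"): SHA-1 of a few
# very common passwords and surnames, each with a made-up occurrence count.
# These values are fabricated for the example, not taken from any real dump.
CONSTRUCTED_DUMP = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
    for p, n in [("password", 3_861_493), ("123456", 23_597_311),
                 ("smith", 45_210), ("jones", 31_002), ("Smith", 9_804)]
}


def range_lookup(prefix: str) -> dict:
    """Model of a k-anonymity 'range' query: the client sends only the first
    5 hex characters of its SHA-1 and gets back every suffix in the corpus
    sharing that prefix, with counts. The full hash never leaves the client."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:]: n for h, n in CONSTRUCTED_DUMP.items() if h.startswith(prefix)}


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # Matching is done locally against the returned suffixes.
    return range_lookup(prefix).get(suffix, 0)


def audit_defaults(candidates: list) -> dict:
    """Screen proposed default passwords (e.g. user surnames) against the
    corpus. Anything with a non-zero count is what a browser's password
    monitor would report as weak or exposed."""
    return {pw: breach_count(pw) for pw in candidates}


if __name__ == "__main__":
    # Constructed candidates: three surname-style defaults and one random one.
    results = audit_defaults(["smith", "Smith", "jones", "Tkx7-harbor-lamp-42"])
    for pw, n in results.items():
        print(f"{pw!r}: {f'seen {n} times' if n else 'not in corpus'}")
```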

What about just using a Word document? Microsoft Office remains the ubiquitous workhorse app set for the legal market. Well, here are the U.S. Treasury’s instructions for password protecting Office documents. Office 2016 improved the encryption used on the files and is considered secure.

One person in our family uses an offline Word document that is password protected. Another uses a browser-based password manager. Neither is what I would choose for myself, but both are (a) better than nothing and (b) approaches that fit into how those people use their technology. One reason people struggle with strong passwords and other security is that it creates too much friction: too much effort, too complicated, too confusing. The best solution will be the one that is both secure and lets people get their work done.

Me, I still use KeePass, although I think I’m going to give Bitwarden a look-in. I create the passwords on my desktop PC and, when I save the master password file, it is synchronized to my cloud storage. From there, I can download the password file to my portable devices. It involves more friction to use, but it’s a level I’m comfortable with.