Password Management in the Cloud Age
Thursday October 29, 2020
If you can remember back to the days of computers before the internet, you probably only had 1 or 2 passwords. Maybe one to get into your work computer, and – if you were being hyper secure – maybe one on your accounting program. That was it. Even in the days after the internet, but before cloud computing, even a techie probably had fewer than a dozen passwords to remember.
But with the explosion of cloud services, the number of passwords has also exploded. Between home, work, banks, credit cards, insurance companies, social media, streaming services, music services, etc., the average person is probably well north of 2 dozen passwords. To compound the issue, any security professional will tell you these passwords should all be complex, different, and probably even supplemented with a good multi-factor authentication app.
Many home users still keep their passwords written on a piece of paper in their desk. This actually has a couple of basic advantages. It can’t be hacked as it isn’t electronic, and someone has to actually break into the house and find the physical copy. But after that, it’s all downhill. If somebody does take it, not only does the thief have all the passwords, but the user probably doesn’t (no backup copy). Likewise, if the paper gets wet, eaten, or tossed out, the passwords are equally lost. Moreover, updating them over time creates a messy – and possibly illegible – sheet.
The next step up is probably an encrypted Word or Excel document. It’s not on the cloud so a data breach isn’t going to leak the passwords (unless it’s the PC that is breached). Even if it is, the encryption should stop most access as long as it was encrypted with a reasonably complex password. Additionally, if the PC is being backed up, there should be a backup copy in case it is accidentally deleted or overwritten. But accessing it can be a pain, especially when the user is not near their computer. Even with access to it, the user still has to bring up the document and enter the password manually each time it is needed.
To deal with all these issues, a whole new generation of cloud-based password management systems has sprung up. They do much more than just record your password. They will automatically fill in your passwords on web sites, prompt you for security weaknesses, and allow you to share individual passwords as needed. You log into these systems with a Master Password, and possibly (hopefully!) a multi-factor authentication code.
When looking at a password management system, you want to look for 2 key features: Single Sign-On (SSO) and password database. Surprisingly, it’s hard to find systems that offer both of these, but there is great synergy when they do.
An SSO system uses a backend authentication system based on a protocol called SAML that allows other applications to trust the system you are using. In effect the application says, “I trust the system you are using, so if it says it is you, based on the information it provided, I’m going to believe it and log you in without typing in a password.” (OK, it’s more complex than that, but you get the drift). Once you type in your master password, you can access all the applications that trust your system without entering further usernames and passwords.
A password database is just that: it keeps a record of your usernames and passwords. This is important for cases where you need to record a password for something that doesn’t have an SSO SAML backend (e.g. the combination to your document lockbox, or a simplistic website). However, most password management systems do much more with that database. Using a web browser extension, you can train it to enter the username and password whenever you access a particular site. Hence, you only need to enter your username and password to a site once and have the password management system record the entry. The next time you go to that site, it will automatically fill in your username and password, saving you the time of looking up or even typing the username/password.
There are several good password management systems out there. LastPass, Passpack, Keeper, and 1Password are but a few of a very packed field.
At SpotLink, we use LastPass because it is well suited to handle the thousands of passwords we handle, and it offers both Single Sign-On and password database features. Moreover, we can also provide this system to our clients to link our password database with theirs (but only what each party wants to share) so we both have up-to-date passwords for our shared usage.
If you are interested in a password management system for your business, just reach out to us and we can go over the advantages for your specific business.