Password Management in the Cloud Age

Thursday October 29, 2020

If you can remember back to the days of computers before the internet, you probably only had one or two passwords. Maybe one to get into your work computer, and, if you were being hyper secure, maybe one on your accounting program. That was it. Even in the days after the internet but before cloud computing, even a techie probably had fewer than a dozen passwords to remember.

But with the explosion of cloud services, the number of passwords has also exploded. Between home, work, banks, credit cards, insurance companies, social media, streaming services, music services, etc., the average person is probably well north of two dozen passwords. To compound the issue, any security professional will tell you these passwords should all be complex, unique, and probably supplemented with a good multi-factor authentication app.

Many home users still keep their passwords written on a piece of paper in their desk. This actually has a couple of basic advantages. It can’t be hacked, as it isn’t electronic, and someone has to actually break into the house and find the physical copy. But after that, it’s all downhill. If somebody does take it, not only does the thief have all your passwords, but the user probably doesn’t (no backup copy). Likewise, if the paper gets wet, eaten, or tossed out, the passwords are equally lost. Moreover, updating them over time creates a messy, and possibly illegible, sheet.

The next step up is probably an encrypted Word or Excel document. It’s not in the cloud, so a data breach isn’t going to leak the passwords (unless it’s the PC that is breached). Even if it is, the encryption should stop most access as long as the document was encrypted with a reasonably complex password. Additionally, if the PC is being backed up, there should be a backup copy in case the document is accidentally deleted or overwritten. But accessing it can be a pain, especially when the user is not near their computer. Even with it, the user still has to bring up the document and enter the password manually each time it is needed.

To deal with all these issues, a whole new generation of cloud-based password management systems has sprung up. They do much more than just record your passwords. They will automatically fill in your passwords on websites, prompt you about security weaknesses, and allow you to share individual passwords as needed. You log into these systems with a Master Password and, possibly (hopefully!), a multi-factor authentication code.

When looking at a password management system, you want to look for two key features: Single Sign-On (SSO) and a password database. Surprisingly, it’s hard to find systems that offer both of these, but there is great synergy when they do.

An SSO system uses a backend authentication system, based on a protocol called SAML, that allows other applications to trust the system you are using. In effect the application says, “I trust the system you are using, so if it says it is you, based on the information it provided, I’m going to believe it and log you in without you typing in a password.” (OK, it’s more complex than that, but you get the drift.) Once you type in your master password, you can access all the applications that trust your system without entering further usernames and passwords.
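As an added illustration (not code from this post or from any product it names), here is the application’s side of that trust decision in Python: before believing the identity provider’s assertion, it checks the signature, the issuer, the intended audience, the validity window, and that the assertion has not been replayed. Real SAML signs assertions with XML-Signature and the identity provider’s public key; the HMAC shared key, the example.com URLs and the stripped-down assertion layout here are simplified stand-ins.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed values for the demo (assumptions, not real deployments).
TRUSTED_IDP = "https://idp.example.com"   # the only issuer the app trusts
SP_AUDIENCE = "https://app.example.com"   # this application's own identifier
IDP_KEY = b"demo-shared-secret"           # stand-in for the IdP's signing key
SEEN_IDS: set = set()                     # assertion IDs already accepted (replay cache)


def sign(assertion_xml: bytes) -> str:
    """Stand-in for the IdP's XML signature: HMAC-SHA256 over the assertion bytes."""
    mac = hmac.new(IDP_KEY, assertion_xml, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_assertion(subject, issuer=TRUSTED_IDP, audience=SP_AUDIENCE,
                   minutes=5, aid="_a1") -> bytes:
    """Build a simplified SAML-style assertion valid for `minutes` from now."""
    now = datetime.now(timezone.utc)
    not_before = (now - timedelta(minutes=1)).isoformat()
    not_after = (now + timedelta(minutes=minutes)).isoformat()
    return (f'<Assertion ID="{aid}"><Issuer>{issuer}</Issuer>'
            f'<Subject>{subject}</Subject>'
            f'<Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">'
            f'<Audience>{audience}</Audience></Conditions></Assertion>').encode()


def accept_assertion(assertion_xml: bytes, signature: str, now=None):
    """Return the asserted subject if every check passes, otherwise None."""
    now = now or datetime.now(timezone.utc)
    # 1. Signature first: nothing inside an unsigned/tampered assertion is trusted.
    if not hmac.compare_digest(sign(assertion_xml), signature):
        return None
    root = ET.fromstring(assertion_xml)
    # 2. Issued by the IdP we actually federate with.
    if root.findtext("Issuer") != TRUSTED_IDP:
        return None
    # 3. Meant for this application, not some other relying party.
    cond = root.find("Conditions")
    if cond is None or cond.findtext("Audience") != SP_AUDIENCE:
        return None
    # 4. Inside the validity window the IdP stamped on it.
    not_before = datetime.fromisoformat(cond.get("NotBefore"))
    not_after = datetime.fromisoformat(cond.get("NotOnOrAfter"))
    if not (not_before <= now < not_after):
        return None
    # 5. Not presented before (one-time use).
    aid = root.get("ID")
    if aid in SEEN_IDS:
        return None
    SEEN_IDS.add(aid)
    return root.findtext("Subject")
```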

A password database is just that: it keeps a record of your usernames and passwords. This is important for cases where you need to record a password for something that doesn’t have an SSO SAML backend (e.g. the combination to your document lockbox, or a simplistic website). However, most password management systems do much more with that database. Using a web browser extension, you can train it to enter the username and password whenever you access a particular site. Hence, you only need to enter your username and password on a site once and have the password management system record the entry. The next time you go to that site, it will automatically fill in your username and password, saving you the time of looking up or even typing them.

There are several good password management systems out there. LastPass, Passpack, Keeper, and 1Password are but a few in a very packed field.

At SpotLink, we use LastPass because it is well suited to handling the thousands of passwords we manage, and it offers both Single Sign-On and password database features. Moreover, we can also provide this system to our clients and link our password database with theirs (but only what each party wants to share), so we both have up-to-date passwords for our shared usage.

If you are interested in a password management system for your business, just reach out to us and we can go over the advantages for your specific business.
