
Password Management Strategies

Posted 3 Mar 2010

The best password management strategies start with good policy. Everyone who uses a password to reach a restricted resource needs to understand the responsibility and stewardship that come with holding that password. Be sure that password policies are well documented, and that everyone knows what they are. Avoid the I-did-not-know-that-my-username-is-not-a-good-password moment altogether.

Keeping track of many complex passwords is the harder problem. A staff member might remember a handful of passwords, but hundreds of them is a challenge. The easy choice of writing them down or putting them in an Excel spreadsheet introduces many other problems. Do not do this! A better solution is to use a password management tool. For an individual or small company, applications such as KeePass, KeePassX, SplashID, or 1Password will work fine. Larger organizations will need something like Password Manager Pro, which has more features suitable for enterprise use. For this article, we'll be covering strategies for smaller organizations.

When comparing tools, encrypted password storage is a requirement. No password should be stored in plain text in a flat file or database. Strong encryption is a must to prevent immediate access to the passwords. Anyone who obtains the file can try master passwords against it offline, so the tool must make each guess expensive as well as using a sound cipher. A strongly encrypted file will delay an attacker long enough for you to change every password it holds. Also avoid plain text CSV or XML exports; if a migration forces you to make one, delete it securely as soon as the import is done. A stolen laptop or lost phone full of plain text passwords is a gold mine for an attacker.
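To make the point above concrete, here is a minimal encrypted password store written for this page; it is not code from the original post, nor from KeePass, 1Password or any other tool the post names. It shows the two properties a "strongly encrypted" file needs: the master password is stretched with PBKDF2-HMAC-SHA256, so every guess an attacker makes against a stolen file costs a full key derivation, and AES-256-GCM authenticates the ciphertext, so a wrong master password or a tampered file is rejected instead of decrypting to garbage. The entries, hosts and master password are constructed for the demo, and the file layout and the 100,000-iteration work factor are this example's own choices, not any product's format.

```go
// Added example, not code from the original post or from any tool it names. Names, file
// layout and the iteration count are this example's own choices, not any product's format.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const (
	saltLen    = 16
	nonceLen   = 12     // GCM's standard nonce size
	keyLen     = 32     // AES-256
	iterations = 100000 // PBKDF2 work factor; raise it as hardware gets faster
)

// SampleCSV is a constructed plain-text export of the kind the post warns against.
const SampleCSV = "host,user,password\nvpn.example.com,alice,Tr0ub4dor&3\ndb01,app,s3cr3t-db-pw\n"

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256: T_i = U_1 xor ... xor U_c, U_1 = PRF(P, S||INT(i)).
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // each round is one more HMAC the attacker must also pay for
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// newGCM derives the AES-256 key from the master password and the per-file salt.
func newGCM(master string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal writes salt || nonce || ciphertext || tag; salt and nonce are fresh on every call.
func Seal(master string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	gcm, err := newGCM(master, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append([]byte(nil), hdr...), hdr[saltLen:], plaintext, nil), nil
}

// Open reverses Seal; a wrong master password or a modified file fails the GCM tag check.
func Open(master string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, fmt.Errorf("vault too short: %d bytes", len(blob))
	}
	gcm, err := newGCM(master, blob[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], nil)
}

// Crack is the attack the post describes: guess master passwords against a stolen file.
func Crack(blob []byte, wordlist []string) (found string, attempts int) {
	for _, w := range wordlist {
		attempts++ // every attempt pays for a full PBKDF2 run
		if _, err := Open(w, blob); err == nil {
			return w, attempts
		}
	}
	return "", attempts
}

func main() {
	const master = "correct horse battery staple" // constructed demo master password
	blob, err := Seal(master, []byte(SampleCSV))
	if err != nil {
		panic(err)
	}
	w, n := Crack(blob, []string{"password", "letmein", master})
	fmt.Printf("vault %d bytes; cracked %q after %d PBKDF2 runs\n", len(blob), w, n)
}
```

Crack walks a word list the way an offline attack would; each miss costs the attacker the same PBKDF2 run a legitimate unlock costs you, which is the delay the post counts on to rotate the passwords. The PBKDF2 loop is written out only to stay within the standard library; in real code use golang.org/x/crypto/pbkdf2 (or scrypt or Argon2 from the same module) rather than a hand-rolled KDF.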

If passwords will be shared among teams, make sure that you have a secure channel for distributing them. It's not always possible for someone to walk around and tell everyone the new password they just set. In a small office, team members might be able to refresh their passwords from a TrueCrypt-secured USB drive stored in a secure location. (TrueCrypt itself is no longer maintained; VeraCrypt is its actively maintained successor and serves the same purpose here.) This model provides three layers of security: 1) physical access limitations, 2) the TrueCrypt volume encryption, and 3) the password on the repository itself. For remote offices, a secure network file store accessible via HTTPS or SFTP is a good option. Of course, make sure that the file store requires authentication and is not a shared resource. Do not push your passwords up to your ISP's shared web server.

The password manager should also support multiple platforms and mobile devices. Make sure that the chosen password tool runs on all of the platforms that are used by your team. In some cases, this may quickly eliminate some applications if they do not support your operating system of choice. Finding the right application might be easier when looking at commercial vendors, but open source applications do exist. Do not make a decision based solely on claims of military-strength encryption. Respectable password management tools use published, well-analyzed ciphers such as AES or Blowfish. Just as important as the cipher is how the tool turns the master password into a key: look for a documented key derivation function with a configurable iteration count, because that, not the cipher name, is what slows a brute-force attack on a stolen file.

Once a tool is chosen, make sure that everyone knows how to use it, and then start collecting passwords. If you need to, hash out all the what-if scenarios with your team. No scenario is a justification for not using a password manager. Every one of them is a justification for being able to change passwords quickly!
