As part of your job you have privileged access to other people’s protected information. It is partially your responsibility to ensure that when your username is used to access an application or system, that it is really you who is requesting access. By using a password that only you know, you are proving that you are you. Since most people cannot remember a multitude of long/complex passwords, we can allow a password manager to do the work for us. An extra perk is that these solutions can help give us back all the time we spend on Forgot My Password screens and phone calls to IT for a password reset. We can reinvest that extra time back into supporting our clients.
Poor Password Management Habits
HABIT: “I always write my password down on a sticky note under my keyboard. It would be very difficult for a hacker to get into my office.”
ISSUE: Cleaning staff, building maintenance staff, or even well-meaning coworkers could use your credentials to access systems that they normally wouldn’t have access to.
HABIT: “I use the same password for everything. It’s very complex!”
ISSUE: The problem with this is that your password could be stolen from any one of the services you use it with. Attackers will routinely try to use stolen usernames and passwords on other sites to gain access.
HABIT: “I save all my passwords in Chrome and they’re backed up to my personal Google account.”
ISSUE: Google Chrome is much more secure with saved passwords than it used to be. However, someone with access to your Google account could obtain your Chrome saved passwords. Did you forget to log out of Gmail on the hotel business computer? When using a service with wide offerings such as Google it can be hard to remember that your passwords are stored there and access to that account needs to be handled carefully.
Ideal Password Management Habits
HABIT: “I create different passwords for every service I use. They are long and complex and I’m able to remember all of them!” While this is an ideal method, very few people would be able achieve this.
HABIT: “I used a password manager to generate and store all of my passwords. The only password I need to remember is the password to access my password manager.” Password managers can be a very efficient and secure method to store your passwords.
Password Managers: What It Is & Why You Need It
A Password Manager is an application where you create entries to store your username, password, and any other relevant information that you would use to access a website, application, or other system. Let’s say your company has setup a new DropBox account for you. You can open your password manager and create a new entry for DropBox. You’ll enter the username you created for the service, then have the password manager generate a password for you. Then you copy that password and paste it into the proper fields during the setup.
Most times when using a password manager, you will not even know what the password is that you are using. By having the password manager generate and store passwords for you, you can use longer, more complex, and ultimately more secure passwords. Think about it this way, would you build a lock for your front door or would you get a professionally made lock?
There are many password manager applications and services available. Before selecting a password manager, consider these questions:
- Is the company providing the software/service known for providing secure solutions?
- Does my IT department already have an approved password manager I should use?
Two Main Types of Password Managers:
1) A cloud-based service such as LastPass or 1Password. These services are very easy to use and convenient. The service will store your passwords in their cloud so you can access your account from any number of devices. These services also have browser plugins that will allow you to enter usernames and passwords directly into webpages.
2) Local applications such as KeePass or Password Safe. These applications require a little more work and technical know-how to use. You install the application directly to your computer and your passwords are only stored on that device. Ultimately, they provide the same functionality as the cloud-based services. Typically, these applications are lower cost or even free and they offer advanced security features that experienced users could take advantage of.
Ian Beatty is the IT Systems Architect at MediSked, LLC. He has worked many IT positions over his 15+ year career. Ian brings an abundance of experience from his time working with MSPs, Provider Agencies, and HealthIT focused software development firms.