Nine Steps to Better Password Management

Passwords remind me a bit of the Coyote. Not the one that chases the Road Runner, but the one that lives in my native South-West and howls at the moon. No matter how hard humans have tried to get rid of it, it hangs in there, and in most cases, even manages to gain ground back.

Why do I compare passwords to the Coyote? For years now they’ve been saying it was heading for extinction and here we are, years later, it’s still hanging in there. Somehow, I suspect they’ll be with us for a long time to come. And as long as we still have them out there, people will continue to abuse them.

I suppose I don’t need to point much further than a video floating around the Internet of an employee being interviewed on French TV5 Monde where, right in the background, taped to the wall, is a list of passwords (and you thought you had it rough with people taping them under their keyboard). And after years and years, the most popular password out there is still “Password”.

We can try and try: by GPO implementation and by talking to people. But all we end up with is the realization that we might be able to build a foolproof system, but we can’t build a damn-fool-proof system. And we’ll still see people making passwords that match someone’s birthday or address and taping them in a place for the world to see.

Why? People are weak. We have so many passwords that keeping track of them is difficult. We write them down, we paste them under the keyboard, and we continue to be our own worst enemy.

How do we fix it?  Well, the answer is in this little story. Years ago I encountered a very dynamic preacher, and we got to talking. I asked him how it was that people changed, and he rocked back a bit, narrowed his eyes, and said, “Son, if you want to take an old bone away from a dog without getting bit, you’d better offer him a steak in its place.”

We want to take their piece of paper away and have them play nice. The problem is that unless we give them a secure tool to keep the passwords in, they’ll continue to use their post-it notes and keep putting them under their keyboards.

Strangely, there are tons of password management tools out there that will help us. We call them password managers, and a simple internet search will give you at least a dozen on the first try. Some cost money, others are free. Some are meant for a single user on one system; others are network based and can serve hundreds of users. Some you might already have and not even know it (a lot of cloud services provide this as part of the service).

What do you look for in a password manager?

1. Supported platforms. It can be the best manager in the world, but if it only runs on Linux and you’re a Windows house, it isn’t going to do you much good. How you access it is important too: is it compatible with IE and Firefox, or does it only work with Chrome?

2. Storage capability. The idea behind a password vault is to provide your users with a nice, encrypted place to stash their passwords away in. But it’s also a great place to put important documents, notes, and so forth. I know some folks who keep scans of their social security cards and passports there. While it’s not a substitute for full disk encryption, it is better than just leaving them out in the open.

3. Recording of usernames and passwords for certain sites. A nice feature, and possibly one that can bite you, but one that might endear the tool to your users.

4. Storing certain kinds of passwords. Some will only play nice with Active Directory; some will let you record almost anything in them.

5. Reminder questions. Everyone forgets things, and we still need something that lets them access the vault in case they forget, or at least reset the master password, or give them a hint.

6. Password generators. For users, it’s a waste. For service accounts . . . priceless.

7. Dual authentication. A card token and a password – great. A password and a question – slightly better than useless.

8. Self-securing. While I’m sure these folks always double check their house door when they leave in the morning, they won’t hesitate to leave a site open. Since the vault holds everything and then some, we want it to lock itself after a certain amount of idle time.

9. Manageable. Letting folks choose their own tools is OK, but then you end up supporting something you might know nothing about. An enterprise-managed tool is best, and it also levels the playing field for everyone.
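Item 6 is the one feature on this list that is easy to show in code. The following is an added illustration, not code from the post or from any password manager it mentions: a generator for service-account passwords that draws from a cryptographically secure source (Python's `secrets` module rather than `random`), guarantees at least one character from each required class, and reports how many bits of entropy a given length buys. The symbol set and the default length of 32 are assumptions; trim them to whatever the target system accepts.

```python
"""Added example: a service-account password generator of the kind item 6
describes. Illustration code, not from any product the post mentions."""
import math
import secrets
import string

# Constructed character classes. The symbol set is an assumption; some
# systems reject certain symbols, so adjust it per target.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",
}


def generate_password(length: int = 32, classes=tuple(CLASSES)) -> str:
    """Return a random password built from the given character classes.

    Each class contributes at least one character so the result passes a
    typical 'one of each' policy. The remaining positions are drawn from
    the union of all classes, and the whole list is shuffled with a CSPRNG
    so the guaranteed characters do not sit in predictable positions.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length: int, classes=tuple(CLASSES)) -> float:
    """Entropy in bits of a password of this length drawn uniformly from the
    combined alphabet. The per-class guarantee above removes a small part of
    that space, so treat this as a close upper bound when sizing to a policy
    (e.g. 128 bits is plenty for a service account that is never typed)."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def meets_policy(password: str, classes=tuple(CLASSES)) -> bool:
    """True if every required class appears at least once in the password."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits, policy ok: {meets_policy(pw)})")
```

The point of the entropy helper is to size the password to the account, not to the human: a service account never has to type its credential, so length is free and you can pick it to land well above whatever bit strength your policy calls for.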

Richard is a freelance IT consultant, a blogger, and a teacher for Saisoft, where he teaches VMware Administration, Citrix XenApp, Disaster Planning and Recovery for IT, and CompTIA Server+.