Let's have a password discussion once again. We all know the problem: multiple special characters, longer is better, avoid dictionary words, etc... As a result, many of us have opted for password managers such a Lastpass, Dash Lane, or 1password to manage the multitude of credentials we must use on a daily basis. My question is: do your organization's controls cover the use of these third party password managers?
Institutions, no matter their size, should seriously investigate their personnel's use of these password managers. We routinely encounter customers whose IT staff utilize such services but not always at the enterprise level. Even if your institution is currently using an enterprise option, it would be advantageous to ensure policies cover the following: controls utilized by the password manager, mixing of personal and professional credentials by your employees and post-employment access.
Look into the access controls available via the password managers. Employees should enable the strictest levels of authentication possible. Enable two-factor authentication, require the password manager to auto logoff within an hour, and restrict access to trusted devices and IP lists/regions. Additionally, just like any password, require the change of master passwords every 90 days, at a maximum. These basic controls can mitigate the risk involved with having so many credentials located in one place. These managers often refer to our credential lists as 'vaults' – we should treat them that way.
Another basic control we can implement is the separation of personal and professional managers . Many, if not all, password managers utilize browser plugins and mobile applications to access the vaults. If mixing of personal and professional managers is allowed, every time your employee logs into their social media, webmail or banking account via the manager, they also unlock your insitution's credentials as well. The controls mentioned above help mitigate the dangers of mixing accounts but ideally your employees personal credentials will be separated from their professional. Additionally, this prevents the password manager, with the keys to your organization, from being accessed from a personal device with little or no controls in place. Employees should clearly understand that this password vault is a company resource not a personal one.
Separation of accounts also alleviates the work involved when employees leave. It is difficult to maintain an inventory of every account your employees accessed over their employment term. Access to their password manager assists in resetting critical credentials that may have otherwise been overlooked. Employees who use password managers should have their master passwords on file securely. If storing the master password makes them uneasy then accounts should be tied directly to their employee email. After a termination, their master password should be reset via the manager's password recovery option immediately.
Password managers are incredibly useful tools that make our login burdens much easier. We are blessed with randomized 20 character passwords that we no longer must remember. However, it feels like we are damming a river. Placing the massive potential of all those credentials behind one master password and the trust in our third party vendor. So, investigate who is using these managers and identify any policies or controls that need to be put in place. If you find that a significant number of your employees are using these or similar services then enterprise options should be explored. Many of the risks addressed in this brief review are addressed by enterprise level password managers.