

Many businesses must comply with some sort of federal mandate regarding the security of their customers' or patients' information. These rules, while extensive, are very helpful in maintaining the security of your network. Below is the standard policy surrounding password management. We offer some solutions below the "Password Management Policy" section for your team to maintain compliance. Unfortunately, there is no way of enforcing these rules unless you are using a centralized management system for authentication, such as traditional AD or Azure AD. Read more about the password management policy in the section further down. For those of you trying to establish a password management system for your personal life or your organization, it is important to know that not all password management systems are created equal. Here are a couple we recommend, for very different reasons.
Do you have a Managed Service Provider?
Your IT team should have a documentation system and a password management system for storing all your passwords and documents. This is a quick way to establish a collaborative portal for sharing sensitive information rather than a clear-text Word document. Clear-text documents and spreadsheets are simply a recipe for disaster. Again, defer to the Password Management Policy for meeting federal guidelines and avoiding a catastrophic situation.
What is the most ideal password manager?
Bitwarden for the win. We mention Keepass below, but it is not ideal for the general public.
Bitwarden Basic Free Account
This free account is not secure out of the box. Choose a master password that is not your generic go-to password but one that actually meets password complexity requirements and is still memorable. Use it once, and only as your master password for Bitwarden.
How do I secure all my user account passwords?
Every password must be unique. I repeat: every user account created on the web, in the business world, on the computer, at home, wherever, must have a unique password. The struggle, of course, is trying to remember them on the fly. The flexibility of downloading and installing the Bitwarden application on your desktop computer and phone should put those fears at bay. Just copy and paste the computer-generated password from the Bitwarden application whenever you are prompted on the phone or the computer for that particular password.
Anything else?
Yes, you must enable MFA (Multi-Factor Authentication) for Bitwarden. This adds an extra level of security that is necessary on today's internet. Here are the choices.
- Microsoft Authenticator (Use this if using Microsoft 365)
- Google Authenticator (Popular but I personally am not a fan)
- Authy (It syncs with your desktop, but a novice user struggles with it)
Please establish your go-to multi-factor authentication program. Do not forget the master password, and store the backup codes.
Keepass Pro
We suggested Keepass Pro as a free password manager several years ago. Skip past this section down to the password policy to fully understand how to maintain proper password management.
While Keepass Pro is still very much in use because of its flexibility, it should not be used by the general public unless you know what you are doing. Make sure the password file is constantly being backed up, and don't forget the master password!
The Non Web Dependent Platform for Securing Your Passwords
There are plenty out there, but one we have seen is not heavily marketed and maintains a low profile in the marketplace. It is secure and pretty easy to use. The management program we recommend is Keepass. The Mac version we recommend is KeepassX.
Keepass Illustration Tip For Mac
Keepass Illustration for PC
Keepass database file for Acme Widgets Inc
The individual or organization maintains their own copy, called AcmePersonal. Acme Widgets Inc. should simply request that an updated database file be emailed to them from time to time. This database file is also known as the KDBX file.
How Do I View Passwords on My Phone?
Use a cloud based app in conjunction with Keepass
See OneDrive, Synology Drive, Google Drive, Dropbox, etc.
Your IT Guy
They maintain a database file called AcmeIT, or whatever name will differentiate one database file from another.
Two Database Files for Keeping Passwords Safe
The IT guy maintains their own, and you defer to your own for your personal updates. The two files can't sync or merge, but hey, it's free, and people like it. Again, have your IT guy email the latest and greatest database file, then save over the old IT database file.
The Do's and Don'ts of Password Management
- Do keep meticulous notes
- Don't have old notes lingering as if they are current. Place a "Zzz" to note they may be somewhat relevant but are otherwise inactive.
Password Management Policy
Policy: We require the following password and credential management:
- All passwords must be changed at least once every 90 days.
- All production system-level passwords must be part of the Security Officer’s administered global password management database.
- User accounts that have system-level privileges granted through group memberships or programs must have a unique password from all other accounts held by that user.
Users must select strong passwords. Strong passwords have the following characteristics:
- Be at least eight characters in length
- Be a mixture of letters and numbers
- Be changed at least every 90 days
- Be different from the previous 6 passwords
- Not contain the user’s userid
- Passwords must not be inserted into email messages or other forms of electronic communication.
Note that poor, weak passwords have the following characteristics:
- The password contains less than six characters
- The password is a word found in a dictionary (English or foreign)
- The password is a common usage word such as:
- Names of family, pets, friends, co-workers, fantasy characters, and so on
- Computer terms and names, commands, sites, companies, hardware, software
- Birthdays and other personal information such as addresses and phone numbers
- Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, and so on
- Any of the above spelled backwards
- Any of the above preceded or followed by a digit (for example, secret1, 1secret)
Further, systems that authenticate must require passwords of users and must block access to accounts if more than three unsuccessful attempts are made.
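The complexity, history and lockout rules above, turned into a checker that a help desk or onboarding script could run before accepting a new password. This is an added example, not code from the page or any product it mentions; the dictionary is a constructed four-word stand-in for a real word list, and the rule messages and function names are this example's own.

```python
import hashlib
import re

# Constructed stand-in for a real dictionary word list (assumption, not from the page).
DICTIONARY = {"secret", "password", "welcome", "summer"}
# Keyboard and number patterns the policy names as weak.
WEAK_PATTERNS = {"aaabbb", "qwerty", "zyxwvuts", "123321"}
MIN_LENGTH = 8            # policy: at least eight characters
HISTORY_DEPTH = 6         # policy: different from the previous 6 passwords
MAX_FAILED_ATTEMPTS = 3   # policy: block after more than three unsuccessful attempts

def pw_hash(password):
    """Hash kept for password-history comparison (a real system would use a slow, salted hash)."""
    return hashlib.sha256(password.encode()).hexdigest()

def _weak_forms(candidate):
    """Forms the policy flags: the word itself, spelled backwards, and each with one leading or trailing digit removed."""
    low = candidate.lower()
    forms = {low, low[::-1]}
    for form in list(forms):
        forms.add(re.sub(r"^\d", "", form))   # drop a single digit in front (1secret -> secret)
        forms.add(re.sub(r"\d$", "", form))   # drop a single digit at the end (secret1 -> secret)
    return forms

def password_violations(candidate, userid, personal=(), history=()):
    """Return the policy rules the candidate breaks; an empty list means it is acceptable.
    personal: names, birthdays, phone numbers etc. for this user; history: hashes of previous passwords."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        problems.append("must mix letters and numbers")
    if userid.lower() in candidate.lower():
        problems.append("contains the userid")
    if pw_hash(candidate) in list(history)[-HISTORY_DEPTH:]:
        problems.append("matches one of the previous 6 passwords")
    weak_words = DICTIONARY | WEAK_PATTERNS | {p.lower() for p in personal}
    if _weak_forms(candidate) & weak_words:
        problems.append("dictionary word, personal info or keyboard pattern")
    return problems

def update_lockout(failures, userid, success):
    """Update the per-account consecutive-failure counter; return True once the account must be blocked.
    Callers should check the return value before allowing another attempt."""
    failures[userid] = 0 if success else failures.get(userid, 0) + 1
    return failures[userid] > MAX_FAILED_ATTEMPTS
```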
Members of the workforce must follow these guidelines for passwords:
- Don’t reveal a password over the phone to ANYONE
- Don’t reveal a password in an e-mail message
- Don’t talk about a password in front of others
- Don’t hint at the format of a password, like, “my family name”
- Don’t reveal a password on questionnaires or security forms
- Don’t share a password with family members
- Don’t reveal a password to co-workers
- Don't 'hide' a password within view at your work area, on a badge, or under a mouse pad or keyboard
Password Management Q&A
You now know a business needs a password policy to maintain compliance, but password management can be very beneficial in so many other ways. Ask yourself: "Do I have plenty of passwords to sites, subscriptions, bank accounts, and computers? Do I struggle to keep up with all the passwords associated with my life or business?" The answer is most likely yes, unless you are completely off the grid living the lifestyle of a hermit.
More and more passwords, and sensitive information related to those credentials, accumulate as your digital footprint increases. How can you be sure that the platform you use is the most ideal and secure way of accessing your sensitive information? There is no silver bullet for secure password management, but we can discuss a lot of do's and don'ts.
Password Management Personalities
- The pen and paper individual
- This is the most common way. The paper typically gets lost, and the notes on the paper become disorienting and nonsensical. However, some people simply don't use the computer enough or establish a proper workflow with it, and therefore the issues with using paper become just as bad in the digital world.
- Recommendation: Pray for this person. Document your own passwords if you work with them, because this person is absolutely not dependable for password management.
- Word or Google Doc individual
- This is the second most common method for password management. I've seen a lot of people use this method religiously, but this workflow is a welcome mat for hackers to wreak havoc on your life.
- Recommendation: Find a secure password management system. We recommend a less common platform. Perhaps a non-web-dependent platform would give me a warmer, fuzzier feeling of privacy and security.
- The Phone App Password Management Program
- This method is gaining a lot of momentum, but with convenience comes more security issues.
- Recommendation: We recommend a less common platform. Perhaps a non-web-dependent platform would give me a warmer, fuzzier feeling of privacy and security.
Password Management Policy Summary
Password management is not only good for compliance; it is also a healthy preventive measure against security breaches.