Many businesses must comply with some sort of federal mandate regarding the security of their customers' or patients' information. These rules, while extensive, are very helpful in maintaining the security of your network. Below is the standard policy surrounding password management, and under the "Password Management Policy" section we offer some solutions for your team to maintain compliance. Unfortunately, there is no way of enforcing these rules unless you are using a centralized authentication system such as traditional AD or Azure AD. For those of you trying to establish a password management system for your personal life or your organization, it is important to know that not all password management systems are created equal. Here are a couple we recommend, for very different reasons.
Do you have a Managed Service Provider?
Your IT team should have a documentation system and a password management system for storing all your passwords and documents. This is a quick way to establish a collaborative portal for sharing sensitive information, rather than a clear-text Word document. Clear-text documents and spreadsheets are simply a recipe for disaster. Again, defer to the Password Management Policy to meet federal guidelines and avoid a catastrophic situation.
What is the most ideal password manager?
Bitwarden for the win. We mention KeePass below, but it is not ideal for the general public.
Bitwarden Basic Free Account
This free account is not secure out of the box. Choose a master password that is not your generic go-to password, but one that meets complexity requirements and is still memorable. Use it once: only as your master password for Bitwarden.
How do I secure all my user account passwords?
Every password must be unique. I repeat, every user account created on the web, in the business world, on the computer, at home, wherever… must have a unique password. The struggle, of course, is trying to remember them on the fly. Downloading and installing the Bitwarden application on your desktop computer and phone should put those fears to rest. Just copy and paste the computer-generated password from the Bitwarden application whenever you are prompted on the phone or the computer for that particular password.
Yes, you must enable MFA (Multi-Factor Authentication) for Bitwarden. This adds an extra level of security that is necessary on today's internet. Here are the choices.
Google Authenticator (popular, but I personally am not a fan)
Authy (it syncs with your desktop, but a novice user struggles with it)
Please establish your go-to multi-factor authentication program. Do not forget the master password, and store the backup codes.
We suggested KeePass Pro as a free password manager several years ago. Skip past this section down to the password policy to fully understand how to maintain proper password management.
While KeePass Pro is still very much in use because of its flexibility, it should not be used by the general public unless you know what you are doing. Make sure the password file is constantly being backed up, and don't forget the master password!!!
The Non-Web-Dependent Platform for Securing Your Passwords
The individual or organization maintains their own copy, called AcmePersonal. Acme Widgets Inc. should simply request that an updated database file be emailed to them from time to time. This database file is also known as the KDBX file.
Your IT provider maintains a database file called AcmeIT, or whatever name will differentiate one database file from another.
Two Database Files for Keeping Passwords Safe
The IT guy maintains their own copy, and you defer to your own for your personal updates. The two files can't sync or merge, but hey, it's free, and people like it. Again, have your IT guy email the latest and greatest database file, then save it over the old IT database file.
The Do's and Don'ts of Password Management
Do keep meticulous notes
Don't have old notes lingering as if they are current. Mark them with a "Zzz" to note that they may be somewhat relevant but are otherwise inactive.
Password Management Policy
Policy: We require the following password and credential management:
All passwords must be changed at least once every 90 days.
All production system-level passwords must be part of the Security Officer’s administered global password management database.
User accounts that have system-level privileges granted through group memberships or programs must have a unique password from all other accounts held by that user.
Users must select strong passwords. Strong passwords have the following characteristics:
Be at least eight characters in length
Be a mixture of letters and numbers
Be changed at least every 90 days
Be different from the previous 6 passwords
Not contain the user’s userid
Passwords must not be inserted into email messages or other forms of electronic communication.
Note that poor, weak passwords have the following characteristics:
The password contains less than six characters
The password is a word found in a dictionary (English or foreign)
The password is a common usage word such as:
Names of family, pets, friends, co-workers, fantasy characters, and so on
Computer terms and names, commands, sites, companies, hardware, software
Birthdays and other personal information such as addresses and phone numbers
Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, and so on
Any of the above spelled backwards
Any of the above preceded or followed by a digit (for example, secret1, 1secret)
Further, systems that authenticate must require passwords of users and must block access to accounts if more than three unsuccessful attempts are made.
Members of the workforce must follow these guidelines for passwords:
Don’t reveal a password over the phone to ANYONE
Don’t reveal a password in an e-mail message
Don’t talk about a password in front of others
Don’t hint at the format of a password, like, “my family name”
Don’t reveal a password on questionnaires or security forms
Don’t share a password with family members
Don’t reveal a password to co-workers
Don't 'hide' a password within view at your work area, on a badge, or under a mouse pad or keyboard
Password Management Q&A
You now know a business needs a password policy to maintain compliance, but password management can be very beneficial in so many other ways. Ask yourself… "Do I have plenty of passwords to sites, subscriptions, bank accounts, and computers? Do I struggle to keep up with all the passwords that are associated with my life or business?" The answer is most likely yes, unless you are completely off the grid living the lifestyle of a hermit.
More and more passwords, and sensitive information related to those credentials, accumulate as your digital footprint increases. How can you be so sure that the platform you use is the most ideal and secure way of accessing your sensitive information? There is no silver bullet for secure password management, but we can discuss a lot of do's and don'ts.
Password Management Personalities
The pen and paper individual
This is the most common way. The paper typically gets lost, and the notes on it become disorienting and nonsensical. However, some people simply don't use the computer enough to establish a proper workflow with it, and therefore the issues with using paper become just as bad in the digital world.
Recommendation: Pray for this person. Document your own passwords if you work with them, because this person is absolutely not dependable for password management.
Word or Google Doc individual
This is the second most common method of password management. I've seen a lot of people use this method religiously, but this workflow is a welcome mat for hackers to wreak havoc on your life.
Recommendation: Find a secure password management system. We recommend a less common platform; perhaps a non-web-dependent platform would give you a warmer, fuzzier feeling of privacy and security.
The Phone App Password Management Program
This method is gaining a lot of momentum, but with convenience come more security issues.
Recommendation: We recommend a less common platform; perhaps a non-web-dependent platform would give you a warmer, fuzzier feeling of privacy and security.
Password Management Policy Summary
Password management is not only good for compliance but also a healthy preventive measure against security breaches.