I’m Adrian, co-founder of Vokke and Jon has very kindly offered me the chance to write a guest post on his 5-minute Friday series. Fingers crossed I don’t disappoint him (or you!)
All about passwords
I see many organizations that regularly share passwords over Slack or Teams, or, even more concerning, keep a shared Google Sheet or Excel file that contains every password used by the organization.
As you can imagine, this practice exposes you to several risks:
- Anyone with access can copy the entire company's password list onto a USB drive or email it to someone else, and there is no record of who looked at what.
- If an attacker gets into a single team member's Google or Microsoft account, the entire password list is compromised in one go.
- It encourages a culture of password reuse, because "finding the right password" in the sheet is too hard, so people pick one they already know.
I often ask clients to run a thought experiment: if a hacker obtained that list, what type of damage could they do?
Luckily, there are better ways, and they are easier to live with too. These are called password managers.
Password Managers
The idea is simple: every password is stored in an encrypted vault and shared with team members only on an as-needed basis. Each person sees only the entries they have been granted, which significantly reduces the blast radius when one account is breached. Okay, but how do you get into the password manager? That's the one password you'll just have to remember: the master password.
But that's a much easier ask than remembering (or reusing) dozens.
People often worry that this is still quite a risk, because a single password gives a user vault access. In practice it is a far better trade than a spreadsheet: the vault is encrypted with a key derived from the master password using a deliberately slow key derivation function, so guessing it is expensive, and unlike a shared sheet, not everyone in the team has access to everything. Password managers also support multi-factor authentication on the account. One caveat worth knowing: MFA protects the login to the service, not an offline copy of the encrypted vault if one is ever stolen, so the master password itself still needs to be long and unique.
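To make the vault model above concrete, here is a toy vault written for this post (added example, not code from any product mentioned here). It shows the three ideas in working form: the master password is turned into a key with scrypt, so each guess costs real memory and time; each entry is encrypted under its own random key, and that key is wrapped separately for each member who is allowed to see the entry, so one member's vault key does not unlock everything; and a wrong master password fails an authentication check rather than silently producing garbage. The cipher is encrypt-then-MAC built from HMAC-SHA256 in counter mode, chosen only so the example runs with the Python standard library; a real product would use AES-GCM or similar from a vetted library. It also simplifies sharing: here the sharer needs the recipient's master password to wrap the entry key, whereas real products wrap it under the recipient's public key. All names, passwords and entries are constructed for the example.

```python
"""Toy password vault: scrypt-derived member keys, per-entry random keys,
and HMAC-based encrypt-then-MAC. Stdlib only. Illustration, not a product."""
import hashlib
import hmac
import secrets

# scrypt cost: 128 * N * r bytes of memory per guess (16 MiB here).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Turn a human master password into a 32-byte key; scrypt makes each guess expensive."""
    return hashlib.scrypt(master_password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=32, maxmem=64 * 1024 * 1024)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a stream cipher (stdlib has no AES)."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one vault key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; a wrong key raises, never returns garbage."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class Vault:
    """Entries are encrypted under random entry keys; each entry key is wrapped per member."""

    def __init__(self):
        self.members = {}  # member name -> scrypt salt
        self.entries = {}  # entry name -> {"secret": sealed bytes, "wrapped": {member: sealed key}}

    def add_member(self, name: str) -> None:
        self.members[name] = secrets.token_bytes(16)

    def _member_key(self, name: str, master_password: str) -> bytes:
        return derive_key(master_password, self.members[name])

    def add_entry(self, name: str, secret: str, shared_with: dict) -> None:
        """shared_with maps member -> master password. Simplification: real products wrap
        the entry key under each recipient's public key instead of needing their password."""
        entry_key = secrets.token_bytes(32)
        self.entries[name] = {
            "secret": seal(entry_key, secret.encode()),
            "wrapped": {m: seal(self._member_key(m, pw), entry_key) for m, pw in shared_with.items()},
        }

    def read(self, entry: str, member: str, master_password: str) -> str:
        """Only members holding a wrapped copy of the entry key can unlock the entry."""
        wrapped = self.entries[entry]["wrapped"]
        if member not in wrapped:
            raise PermissionError(f"{member} has no access to {entry}")
        entry_key = unseal(self._member_key(member, master_password), wrapped[member])
        return unseal(entry_key, self.entries[entry]["secret"]).decode()


def build_demo_vault() -> Vault:
    """Constructed sample data: Alice sees both entries, Bob sees only the wiki password."""
    v = Vault()
    v.add_member("alice")
    v.add_member("bob")
    v.add_entry("prod-db", "db-pw-9f3k", {"alice": "correct horse battery staple"})
    v.add_entry("wiki", "wiki-pw-22", {"alice": "correct horse battery staple",
                                       "bob": "eleven purple teapots sing"})
    return v


if __name__ == "__main__":
    vault = build_demo_vault()
    print(vault.read("wiki", "bob", "eleven purple teapots sing"))
```

Run it and then try `vault.read("prod-db", "bob", ...)`: Bob is refused before any decryption happens, because no copy of that entry's key was ever wrapped for him. That is the "shared on an as-needed basis" property in code. Try Alice's entry with a wrong password and you get the authentication error from `unseal`, which is what stops an attacker from learning anything from an offline copy other than by paying the scrypt cost per guess.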
Okay, I’m convinced. How can I use one?
There are some very quick and easy options. One is LastPass. It installs as a browser plugin and is very approachable for non-tech-savvy users. A common alternative is Dashlane.
These can be installed and adopted by small to medium teams quite quickly.
If you want something more sophisticated, with audit logging, fine-grained permissions (and even FIPS compliance), look at enterprise tools like Passwordstate.
Security is a deep passion of mine, so please feel free to reach out to me at [email protected] if you have any questions or want to know more!