The practical issues around password management for individual staff are much the same regardless of business size or role in the organisation.
The conventional advice to 'just use a password manager' is better than nothing, but assumes all passwords are similarly important and must be as easy to access. In fact some passwords are of critical importance and must be secured to the highest possible level, whilst others
There are eight aspects of passwords:
- People increasingly have many passwords and usernames for different login. Typical numbers of different logins are between 10 and 1000.
- Each password is best as a random combination of more than 12 upper and lower case letters, numbers and special symbols - hard to remember!
- Each password should be completely different
- Some passwords are more critically important to secure than others
- Some passwords are used more often than others
- Some passwords are used on phones (where it is difficult and slow to type symbols)
- Recording passwords in the cloud is increasingly under question
- Passwords used under different operating systems (Windows, OSX, Android, Linux...)
So the ideal approach has the most critical passwords being very highly secured; the less critical and more commonly used passwords more easy to use; and passwords used on phones easier to enter.
Practical Password Management Method
Step 1: List all the logins that a person has passwords for
Step 2: Separate the logins into those whose passwords are critical and must be stored very securely, and those that are less important.
Step 3: Purchase 3 secure hardware-encrypted USBs (e.g. IronKey, Kanguru Defender, Kingston Data Traveller 4000G2 or similar). They are expensive, but you can buy the smallest size of them. If price is more important than security have at least one hardware-encrypted USB and the other(s) software encrypted USBs (e.g, Kingston Data Privacy or use Bitlocker or Veracrypt - see below).
Step 4: Set the USB's to delete themselves or self destruct after 5 or 10 password attempts. Create different random passwords for each USB. These can be relatively short (6 characters) because there is limited possibility to guess them
Step 5: Install a portable password manager on all three USBs. Currently, we are using Enpass Portable as it works across Windows, OSX, iOS, Android and Linux.
Step 6: On one hardware-encrypted USB (USB1) create an Enpass password database for the most secure logins. Make the password seriously complex and secure (random combination of 12 or more upper and lower case letters, numbers and special symbols. Write it down initially and keep it very safe. After a short while from typing it you will remember it and can then throw the paper away (or secure it in a safe). Add your secure login details to this password database. Any of your passwords that are not so secure, change them and use he random password generator in Enpass to create new secure ones. Keep this super secure USB1 safe and as soon as you have used it remove it from the computer. Avoid carrying this secure USB1 with you unless it is essential. If possible, do not ever sync USB1's secure password database to the cloud. Do not use USB1 for any purpose except for secure
Step 6: On another hardware-encrypted USB (USB2) (preferably hardware encrypted but if not, then software encrypted) create an Enpass password database for the less important login details. Make the password seriously complex and secure (random combination of 12 or more upper and lower case letters, numbers and special symbols. Write it down initially and keep it very safe. After a short while from typing it you will remember it and can then throw the paper away (or secure it in a safe). Add your less important login details to this password database. Any of your passwords that are not so secure, change them and use the random password generator in Enpass to create new secure ones. Keep USB2 safe and as soon as you have used it remove it from the computer you have used it in. In most cases, USB2 will be the one that you use for most purposes. Only sync the USB2 password database to the cloud if needed to use the less important password database on phones and other devices without USB drives.
Step 7: The third encrypted USB (USB3) is used only as the backup for the password databases of USB1 and USB2. It is preferably hardware encrypted but if money is a priority, then software encrypted. This backup USB3 is stored in a safe or somewhere secure and is not used for anything other than its backup role and (hopefully very rarely) its restore role. In case of password database corruption or accidental user errors, it seems sensible to have USB3 contain both the immediate backup and the one before of the password databases of USB1 and USB2. In some cases, storing offsite might be appropriate.
So in short form...
Super secure password database ===>> USB1 (hardware encrypted USB) - keep securely stored and not plugged into a computer when not in immediate use. Only used for password database
Less important logins password database ===>> USB2 (preferably hardware encrypted USB but if not, then software encrypted USB) - general usb security. May also be used for other data.
Backup of both password databases ===>> USB3 (preferably hardware encrypted USB but if not, then software encrypted USB) - kept securely in safe place.
Why use encrypted USBs?
Storing the password database on an encrypted USB is good layering of security practice. It reduces the possibility of malware being added to the USB.
Why hardware-encrypted USBs?
There are three reasons:
- More secure and less extra information to store externally (e.g. Microsofts BitLocker keys)
- Hardware encrypted USBs are usually immune to BadUSB and similar cyber-attacks that cannot be detected by anti-virus and malware software.
- Faster than software-encryption
Software-encrypted USBs
There are three main ways:
- If you are all recent Windows computers, you can use Bitlocker to encrypt any usb
- Veracrypt can be used to software encrypt any usb and works across OSX, Windows and Linux
- Proprietary usb software encryption such as found on Kingston Data Privacy usbs or those of other manufacturers
Management Take Aways
- Highly important and less important passwords can be managed securely and easily using the above 3 USB method
Resources
Kanguru Defender USBs from https://www.kanguru.com/secure-storage/defender-secure-storage.shtml
IronKey, Data Traveller 400G2 and Data Privacy USBs from Kingston from http://www.kingston.com/en/usb/encrypted_security
Securing USB drives with Bitlocker - https://technet.microsoft.com/en-us/library/ff404223.aspx
Securing USB drives with Veracrypt - https://veracrypt.codeplex.com/