Blog: Passwords

Password managers for all staff. Why the resistance?!

Tony Gee 10 Feb 2020

I’ve lost count of the number of times I’ve talked about passwords. I mention them in every talk I do. They are used in pretty much every service we test, they are the gatekeepers to our data, they are the protectors of our money and yet we still have not fixed them.

As security professionals we have failed and it’s time to be honest with ourselves – going passwordless is years away. Passwords will be around for many years to come. They are easy to implement, cost nothing and are a simple and effective control to tick boxes on audits.

In most businesses I visit, staff use a multitude of passwords on many different systems, ranging from web apps to thick client apps to mobile apps. It’s hard work for staff to keep control of them all. I recently did some work for a client to help educate staff about password security. They wanted us to crack staff passwords in real time. Whilst our password auditing service Papa is brilliant, like all password crackers it is never going to crack passwords in real time while staff wait; that’s the stuff of movies.

However, we could use it to check passwords against the already cracked passwords in our database and, for extra sauce, Troy Hunt’s epic Have I Been Pwned Pwned Passwords database. I spoke to @AlanMonie and he quickly coded a tool using Papa for staff to safely check their passwords for existing breaches. Note that nothing was saved at all!
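As an added example (not Papa, and not the tool Alan Monie wrote, whose internals the post does not describe), here is how a client can check a password against the Pwned Passwords corpus without the password, or even its full hash, leaving the machine. The public Pwned Passwords range API takes the first five hex characters of the SHA-1 hash and returns every hash suffix in that bucket with its breach count; the match is made locally and nothing is written anywhere. The range response below is constructed for the example rather than fetched, so it runs offline; only the URL pattern and the hash format are the service’s real ones.

```python
"""Pwned Passwords check via the k-anonymity range API (added example).

Only the first five hex characters of SHA-1(password) leave the client; the
service returns every hash suffix in that bucket, and the comparison happens
locally. Nothing about the password is logged or stored here.
"""
import hashlib
import urllib.request
from typing import Callable, Dict

# Real endpoint shape of the public Pwned Passwords range API.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (the API's hash format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {35-char suffix: breach count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return the breach count for the password, or 0 if it is not in the corpus.

    fetch_range(prefix) must return the raw range response for a 5-char prefix;
    it is injected so the same check runs against a live or a canned response.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Fetch a real bucket from the API (network required)."""
    with urllib.request.urlopen(RANGE_URL.format(prefix=prefix), timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for bucket "5BAA6" so the example runs offline.
# The middle line is the genuine suffix of SHA-1("password"); the other
# suffixes and all of the counts are made up for this example.
SAMPLE_RANGE_5BAA6 = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2",
])


def demo_fetch(prefix: str) -> str:
    """Offline replacement for fetch_range_live."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, demo_fetch)
        verdict = f"seen {n} times in breaches" if n else "not in the corpus"
        print(f"{candidate!r}: {verdict}")
```

Swap `demo_fetch` for `fetch_range_live` to query the real service; the server never sees more than the five-character prefix, which is what makes this safe to run in front of a queue of staff.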

What shocked me was how many staff casually stated, as they entered their password, “oh, I use the same password for home as I do at work”. We have failed. As security professionals we have failed. Our staff are still using terrible passwords, and then using them both at home and at work, increasing the risk. I asked the client what they do about their other (non-domain) systems at work and the answer was deploying a single sign-on (SSO) system.

Can SSO help?

I’ve had some experience with Single Sign-On (SSO) in the past and, in my experience, SSO products are pretty limited: they don’t work as effectively as desired, only cover a handful of systems and are expensive to implement effectively. Some organisations can use Active Directory domain credentials for systems, and that’s great, but in most organisations there are many different authentication services in place and AD will only go so far. How do you reach the others? Enter SSO, with all its costs and complexity.

When I implemented a solution (a few years back, mind) it fixed about 6 of the 15 IT-supported systems in place; the others couldn’t be configured, and it didn’t touch anything not supported directly by IT. So why waste the money?

Fixing it properly

There is a simple and effective solution staring us in the face, one that we security professionals use day in, day out: password managers. We recommend them to friends and family, we speak about them at events, they let us set complex, random passwords that conform to each website’s requirements, and they remember all of our passwords for us. We tell staff to use them at home… but always say “these are not approved for use at work”.

Why not?

The arguments are often some of the weakest I’ve seen:

“Surely the hackers will just target that then”

This is the most common point raised when I talk about password managers. Certainly attackers will target a password manager that is poorly secured or protected by a weak master password: a vault is a concentration of risk and deserves to be treated as one. So choose a heavily hardened cloud version and enforce MFA on it, or install one locally behind the same controls that protect all of your other highly sensitive data.

“There is a cost”

Well, use an open source one. Your IT department are probably already using a free one, and besides, you are spending a fortune on an SSO solution that only does half the job.

“There is a management overhead”

There is with every IT system you support; a password manager is no different from any other service IT provides, including your SSO.

“People will forget their password manager password”

Either choose a password manager with central administration and account recovery (note these usually aren’t free), or accept the risk and educate staff to choose a strong and memorable master password in the first place.

“I don’t want our passwords saved on a 3rd party system”

Get one you install locally with a local database, just remember that some of the convenience, such as syncing between devices, may go with it.

Closely followed by: “How do I know it’s secure?” Right, so did you code review or pen test all the other off-the-shelf apps you installed? Get it tested if you want to be sure.

“Staff will need training”

So how do you educate staff on any other new software you deploy?

The simple, inescapable truth is that there is no reason not to provide password managers to staff. If they’re good enough for a Super Bowl commercial then maybe it’s time to think about using them in your organisation.

Educating staff on great passwords can be really hard. Your staff now have many different passwords to remember, many for systems outside the control of IT support, such as cloud hosted systems. You want them all to be different, you want them changed every so often (a rotation requirement that NIST SP 800-63B now advises against unless there is evidence of compromise), you want them long and strong, and then you expect staff to remember all of them.

It’s impossible. They will write them down. Don’t believe me? Get your domain admin to search all your file shares and users’ home shares for the string passwords.*. I bet you will be shocked: your staff will be writing them in unencrypted documents, ready for hackers to find.
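One way to run that search, as an added example rather than anything from the post: walk the share roots, flag files whose name matches passwords.* or otherwise contains “password”, and, for small plain-text files, flag contents that look like a `password:` or `passwd=` line, since the real prize is often a notes.txt whose name gives nothing away. The share paths are assumptions, and the little demo tree it builds when run with no arguments is constructed for the example; point it at real share roots (UNC paths work on Windows) from an account that can already read them.

```python
"""Hunt for password notes on file shares (added example).

Walks each share root, flags files whose name matches passwords.* or
contains 'password', and greps small plain-text files for lines such as
'password:' / 'passwd='. Read-only; it never opens binary formats.
"""
import fnmatch
import os
import re
import sys
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple

# The post's suggestion (passwords.*) plus the broader filename catch-all.
FILENAME_PATTERNS = ("passwords.*", "*password*")
# Things people actually type into a notes file.
CONTENT_RE = re.compile(rb"(?i)pass(word|wd|phrase)\s*[:=]")
TEXT_EXTS = {".txt", ".csv", ".md", ".ini", ".cfg", ".conf", ".xml", ".json", ".log", ""}
MAX_BYTES = 1_000_000


def content_mentions_password(path: str) -> bool:
    """True if a small plain-text file contains a password-looking line."""
    p = Path(path)
    if p.suffix.lower() not in TEXT_EXTS:
        return False  # docx/xlsx are zip containers; not searched here
    try:
        if p.stat().st_size > MAX_BYTES:
            return False
        return CONTENT_RE.search(p.read_bytes()) is not None
    except OSError:
        return False  # unreadable file: skip it, do not crash the sweep


def scan_shares(roots: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (name_hits, content_hits) as root-relative paths, sorted."""
    name_hits: List[str] = []
    content_hits: List[str] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                # Lower-case explicitly: fnmatch is case-sensitive on POSIX.
                if any(fnmatch.fnmatch(name.lower(), pat) for pat in FILENAME_PATTERNS):
                    name_hits.append(rel)
                elif content_mentions_password(full):
                    content_hits.append(rel)
    return sorted(name_hits), sorted(content_hits)


# Constructed demo share so the example runs offline. File names and contents
# are made up; the 'PK' stubs stand in for Office documents.
DEMO_FILES = {
    "finance/passwords.xlsx": b"PK\x03\x04",
    "home/jbloggs/Passwords.docx": b"PK\x03\x04",
    "it/router_password_list.txt": b"core-sw1  admin\n",
    "home/asmith/notes.txt": b"vpn password: Winter2020!\n",
    "home/asmith/holiday.txt": b"Flights booked for July.\n",
}


def build_demo_share() -> str:
    """Create the demo tree in a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="share_")
    for rel, data in DEMO_FILES.items():
        path = Path(root, *rel.split("/"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    # Usage: python find_password_files.py \\fileserver\home$ \\fileserver\shared
    roots = sys.argv[1:] or [build_demo_share()]
    names, contents = scan_shares(roots)
    print("Files named like a password list:")
    print("\n".join(f"  {p}" for p in names) or "  (none)")
    print("Plain-text files with password-looking lines:")
    print("\n".join(f"  {p}" for p in contents) or "  (none)")
```

A domain admin with only PowerShell to hand gets the filename half of this with `Get-ChildItem -Path '\\fileserver\home$' -Recurse -File -Filter 'passwords.*' -ErrorAction SilentlyContinue` (share path assumed); the content check is the part worth scripting.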

Stop messing around.

Give. Your. Staff. Password. Managers. Now!

…then sort out your two factor authentication as well.

Commonly used password managers

I’m not going to suggest the best one to use, you will have your own preferences, but of the companies I have spoken to who already have password managers, they tend to use:

  • KeePass
  • LastPass
  • Dashlane
  • 1Password
  • Roboform
  • Keeper
  • CyberArk
  • Thycotic Secret Server

Note that CyberArk and Thycotic Secret Server are privileged access management (PAM) vaults aimed at IT, admin and service account credentials rather than general staff; the rest are staff-facing password managers.

Don’t forget, if you supply iPhones to all staff, you will likely have already provided them with a cloud hosted password manager in the form of the iCloud Keychain. This can’t be used on non-Apple products though, so it may have limited benefit on your network.