Securely Managing Passwords: LastPass, KeePass and More
Let’s be blunt: staying on top of your digital life is hard these days, with the average person managing more than 90 online accounts, according to recent figures we at DMS iTech have reviewed. Strong login credentials remain critical for protecting your identity and keeping data out of criminal hands, yet memorising every password is nearly impossible, especially if you are being a “good digital citizen” and using a long, random, unique password for every single account.
How can you centrally and securely manage and control access to sensitive information such as passwords in your business environment? In this post we tackle the question from several angles: the LastPass and KeePass password managers (representing cloud-hosted and on-premises approaches), the benefits of a complex, unique password for every service you use, giving employees a single password to remember, and auditing password access.
Why is it Important to Have a Strong Password?
The most basic reason to have a strong password is to prevent unauthorized access to your physical devices and online accounts. If your password is easy to guess or crack, a cybercriminal may gain access to your banking, social media, email and other private accounts, with a devastating effect on your life.
Perhaps even more important, a robust password is particularly vital for small businesses: owners need to ensure their mission-critical data is secure in order to minimize downtime, and they need to do everything they can to protect their clients’ personal information, which is usually stored on the company’s systems.
In addition to being strong, each password should be unique to its account. That way, if one account is compromised, the attacker cannot simply replay the same credential against your other accounts (the “credential stuffing” attack that follows every large breach).
LastPass, KeePass and the Benefits of Having Complex Unique Passwords for Every Service Used
Two of the best-known password managers on the market are LastPass and KeePass. Fundamentally, the difference is this: LastPass generates unique passwords for sites and stores them, encrypted, on LastPass’s servers, with browser extensions to fill them in, while KeePass is open-source software with all the strengths and drawbacks that implies. KeePass is backed by an active community of developers and has a wide range of plug-ins and ports for most browsers and operating systems.
LastPass is one of the most widely known and widely used password managers on the planet, and while it is primarily a browser extension, it also has standalone apps for Windows and Mac OS X. Your vault is transferred to your device in encrypted form and decrypted there, with a key derived from your master password, so you can access it without an active internet connection through your web browser, the Mac app or your mobile device (provided you have logged in online at least once to retrieve the vault).
If you don’t believe in putting anything in the cloud, including your passwords, then KeePass is for you. It is a long-standing favorite among businesses that want a powerful password manager but do not want to take on the risk, however small and well managed, of handing their password data to a third party. KeePass is fully open-source, portable and extensible, and its database file can be synced between computers with a service such as Dropbox. Be aware that syncing does put the database in the cloud after all: the file itself is encrypted, so at that point its protection rests entirely on the strength of your master password and key file.
We can tell you this: KeePass is the best password manager for the DIY type who is willing to trade the convenience of cloud-based systems like LastPass for total control over, and customization of, their password system.
Whichever service you choose, create complex, unique passwords: they are essential protection against financial fraud and identity theft. We regularly stress to clients that one of the most common ways attackers break into accounts is by guessing passwords, and that short, common or reused passwords let an intruder gain access to, and control of, a device or account with very little effort.
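As an added illustration (not code from LastPass, KeePass or DMS iTech), the following Python shows the two things a password manager does for you in this section: generating passwords from the operating system’s cryptographic random source, with the entropy that buys, and spotting reuse across services in an exported vault. The function names, the 94-character alphabet and the sample vault are assumptions made for this example.

```python
import math
import secrets
import string

# Character classes the generator draws from. The alphabet, function names and
# sample vault below are constructed for this example; they are not taken from
# LastPass or KeePass.
LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS   # 94 printable ASCII characters


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a password of `length` characters drawn uniformly from `alphabet`.

    Each uniformly chosen character contributes log2(|alphabet|) bits, so a
    20-character password over 94 symbols carries about 131 bits. A dictionary
    word with a digit appended carries only a few bits, whatever its length.
    """
    return length * math.log2(len(set(alphabet)))


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a random password from the OS CSPRNG that contains every character
    class present in `alphabet`.

    `secrets` is used instead of `random`: the latter is a Mersenne Twister whose
    output is predictable from a few observed values and is unsuitable for secrets.
    Candidates missing a class are rejected and redrawn (rejection sampling), which
    keeps the distribution uniform over the accepted set.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    required = [cls for cls in (LOWER, UPPER, DIGITS, SYMBOLS) if set(cls) & set(alphabet)]
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in required):
            return candidate


def find_reuse(vault: dict) -> dict:
    """Map each password that appears under more than one service to those services.

    Run over an export of a vault (service -> password), this flags exactly the
    accounts that a single breach would take down together.
    """
    by_password = {}
    for service, password in vault.items():
        by_password.setdefault(password, []).append(service)
    return {pw: sorted(svcs) for pw, svcs in by_password.items() if len(svcs) > 1}


# Constructed sample vault (service -> password) illustrating reuse.
SAMPLE_VAULT = {
    "bank.example": "Winter2019!",
    "mail.example": "Winter2019!",
    "crm.example": "Winter2019!",
    "vpn.example": "gT7#kq2Lp9$vXw4e",
}

if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
    print("reused:", find_reuse(SAMPLE_VAULT))
```

The entropy figure is what the manager’s generator earns you; the reuse report is what to run on a vault export before a breach notification arrives rather than after.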
Providing a Single Password to Employees (and Preventing Issues When They Leave)
The proliferation of passwords and hard-to-remember complexity requirements pushes employees toward careless shortcuts, such as choosing a password that is trivially easy to remember and therefore easy to brute-force, or reusing one password everywhere. Your best solution? Implement a company-wide password management system so that instead of dozens of passwords to remember, each employee needs just one strong master password (ideally protected by multi-factor authentication as well).
Additionally, employees who leave should have their access revoked immediately upon departure, preferably on their last day of employment. LastPass and KeePass both play a role here. LastPass, in particular, offers a feature built for exactly this: employees create a work account with their work email address, which becomes part of the company’s “enterprise” account. They then create a personal account and “link” it to the work account, giving easy access to both. The two “vaults” stay separate, but the passwords from both are available throughout the workday.
When the employee leaves, the company retains the work account, the employee keeps the personal account, and the two are unlinked. This goes a long way toward preventing departing employees from taking a password list with them. It does not undo access they already had, however: any shared credential the employee could have viewed while employed should be rotated after they go.
KeePass has no central accounts of its own, but access to it can be tied to Active Directory: store the database on a file share whose permissions are granted through AD groups and, for a per-user database, include the Windows user account as part of the composite master key. When an employee leaves and their AD account is disabled, their access to the KeePass database goes with it.
Auditing Password Access
Who accessed what, and when? It’s a question IT and HR departments have mulled since the advent of the digital office. A password audit is a process already in use in some government organizations: at regular intervals they attempt to “guess” their users’ passwords by running the stored password hashes against a strong word list, and notify the users whose passwords turn out to be easily guessable.
Depending on what is found, you notify the affected users that their passwords are not strong enough and require that they be changed. This can be done across the entire user base or in “samples” (for example, pulling the hashes of every user who changed his or her password in the last week).
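The audit described in the last two paragraphs, as an added Python example rather than any organisation’s actual tooling: the hash format (SHA-256 over salt and password), the word list, the mangling rules, the function names and the sample user records are all constructed for this illustration. In practice you would point hashcat or John the Ripper at the directory’s real hash format; the logic, including the “changed in the last week” sampling, is the same.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Iterator, List, Optional


@dataclass(frozen=True)
class HashRecord:
    """One row pulled from the directory; the digest is the only secret material."""
    user: str
    salt: bytes
    digest: bytes   # sha256(salt || password); an assumed format for this example
    changed: date   # when the user last set this password


def hash_password(salt: bytes, password: str) -> bytes:
    # SHA-256 keeps the example instant. A real directory uses a slow, salted
    # hash (bcrypt, PBKDF2, Argon2) and the audit tool must use the same one.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def candidates(word: str) -> Iterator[str]:
    """Yield the cheap variations of a word-list entry that users actually pick:
    capitalisation changes plus a short suffix of digits or punctuation."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        for suffix in ("", "1", "!", "123", "2019", "1!"):
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def audit(records: Iterable[HashRecord], wordlist: Iterable[str],
          changed_since: Optional[date] = None) -> Dict[str, str]:
    """Return {user: recovered password} for every record the word list cracks.

    `changed_since` implements the sampling approach from the text: only
    passwords set on or after that date are tested. Because each record carries
    its own salt, every candidate has to be hashed separately per user.
    """
    words: List[str] = list(wordlist)
    cracked: Dict[str, str] = {}
    for rec in records:
        if changed_since is not None and rec.changed < changed_since:
            continue
        for word in words:
            hit = next((c for c in candidates(word)
                        if hash_password(rec.salt, c) == rec.digest), None)
            if hit is not None:
                cracked[rec.user] = hit
                break
    return cracked


# --- Constructed sample data -------------------------------------------------
# Records are built from known plaintexts so the audit has ground truth; the
# audit function itself only ever sees (user, salt, digest, changed).
def _record(user: str, salt: bytes, password: str, changed: date) -> HashRecord:
    return HashRecord(user, salt, hash_password(salt, password), changed)


WORDLIST = ["password", "welcome", "summer", "letmein", "dmsitech"]

SAMPLE_RECORDS = [
    _record("alice", b"salt-a1", "Summer2019",       date(2024, 5, 2)),
    _record("bob",   b"salt-b2", "Welcome1!",        date(2024, 5, 3)),
    _record("carol", b"salt-c3", "xV9#pL2q$Tz7&mB4", date(2024, 5, 1)),
    _record("dave",  b"salt-d4", "password",         date(2024, 4, 1)),
]

if __name__ == "__main__":
    for user, guess in audit(SAMPLE_RECORDS, WORDLIST).items():
        print(f"{user}: weak password recovered from word list ({guess!r})")
```

Only the users returned by `audit` need the “please change your password” notice; the recovered plaintext should be discarded, not stored or mailed to them.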
To learn more about strengthening passwords and securing sensitive information, contact DMS iTech.