Monday, September 16, 2013

Too Many Passwords!

As a county employee you probably use numerous applications and services that require passwords. It seems every state agency you interact with has at least one web site you need to log in to, and some have several. Many of the various affiliates of ISAC have their own web projects, such as the ICIT GIS Data Repository or IowaLandRecords. Many of our vendors offer web sites or services we need to use on a regular basis. And then there are the numerous applications we use each and every day within our own county.

With so many applications and services, the average person cannot realistically remember a unique password for each and every one of them. A common way of coping with this password overload is to reuse the same password everywhere. This might seem like a reasonable approach. It sure beats writing them down and risking someone finding them, right? Wrong! Password reuse is incredibly dangerous. There have been countless reports in recent years of security breaches in which user passwords were leaked, and attackers routinely take the leaked username and password pairs and try them against other services. If your password for one service is leaked or shared, and you use the same password elsewhere, it is very likely that all of your accounts will be compromised.

A better approach is to use a password manager to keep track of all your passwords. A password manager stores all of your passwords, and other sensitive information, in an encrypted file or database, and you unlock it with a single master password that you can remember. Because everything depends on that one password, make it long and unique, and do not use it anywhere else. Ideally your password manager is accessible all the time, so an application you can run on your smart phone is a good option. Another option is a web based password manager, but remember that this is sensitive information, so it is vital to pick a provider you can trust, preferably one that encrypts your data on your own device so that the provider never holds your master password.
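To make the two points above concrete, here is a small added Python example. It is not code from the original post, and it is not how KeePass, Passwordstate or any other product is implemented. It builds a constructed sample vault, runs the kind of reuse audit a password manager would run over it, generates unique random passwords from the operating system's CSPRNG, and derives a vault key from a master password with PBKDF2 so that the vault data is useless to anyone who does not know that password. The site names, passwords and iteration count are made up for illustration.

```python
"""Password-manager building blocks: reuse audit, password generation, master-key derivation.

Added example; not code from the post, KeePass or Passwordstate.
"""
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample vault (site -> password) of the kind a password manager keeps
# encrypted. The repeated password is deliberate so the audit below has something to find.
SAMPLE_VAULT = {
    "state-portal.example": "Summer2013!",
    "gis-repo.example": "Summer2013!",
    "land-records.example": "Summer2013!",
    "vendor-support.example": "x9#Kq2!vR7pLmZ4w",
}

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def find_reused_passwords(vault):
    """Return {password: sorted sites} for every password shared by more than one site.

    This is the check worth running on an existing collection of passwords: one
    breach at any site in a list exposes every other site in that same list.
    """
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def generate_password(length=20):
    """Return a random password from the OS CSPRNG with at least one character of each class.

    Rejection sampling keeps the distribution uniform over passwords that meet the
    class rule. random.choice must not be used here because it is not a CSPRNG.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to hold one character of each class")
    while True:
        candidate = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def derive_master_key(master_password, salt, iterations=200_000, length=32):
    """Derive the vault encryption key from the master password with PBKDF2-HMAC-SHA256.

    The salt is random per vault and stored alongside it, so two users with the same
    master password get different keys. The iteration count is illustrative; a real
    manager tunes it (or uses a memory-hard KDF such as scrypt or Argon2) so that each
    guess at the master password costs an attacker noticeable time.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=length)


def new_vault_salt():
    """Return a fresh 16-byte random salt for a new vault."""
    return secrets.token_bytes(16)


if __name__ == "__main__":
    for pw, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print("one password reused across", sites)
    print("replacement password:", generate_password())
    salt = new_vault_salt()
    key = derive_master_key("correct horse battery staple", salt)
    print("vault key:", key.hex())
```

The block stops at key derivation on purpose: a real manager would then encrypt the vault contents with an authenticated cipher under that key, and that layer is not shown here. The audit function is the part worth running first on whatever list of passwords you have today; every site that appears in its output is one breach away from losing the others.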

The product I use as my personal password manager is KeePass Password Safe. It is an open source product, so it is free to use, and because the source code is open to inspection, the encryption implementation can be independently reviewed rather than taken on faith. I use an Android smart phone, so I use KeePassDroid to have anywhere access to my passwords. For iPhone users, there is MiniKeePass.

For organizational use, KeePass has some limitations, so we use a product called PasswordState to manage passwords at the county. This is a commercial product, and we pay per user, but since many of the passwords we use need to be shared among employees and/or survive employee turnover, it is a great tool for secure, centralized password management. It is a web based product, so it is also accessible from a smart phone, although the user interface is clearly not designed for touch or small screens.

Of course these are just a couple of the products available for password management. Perhaps you already have a favorite. Regardless, passwords aren't going away anytime soon, so effective password management is an important step in keeping your accounts secure. So get a good password manager and start using it!

2 comments:

  1. Hi Scott,

    Mark here from Click Studios - the developers of Passwordstate. Thanks for mentioning our product, and I just wanted to let you know we're currently working on a mobile client for Passwordstate, and it should be ready in a few weeks time. You'll then have a usable interface for iOS, Android, Blackberry and Windows 8 Phone.

  2. For more information about password managers, check out the October issue of the SANS OUCH! newsletter. http://www.securingthehuman.org/resources/newsletters/ouch/2013#october2013. The newsletter also includes an announcement for an upcoming SANS webinar on October 29th which will feature Iowa Counties Information Technology's "Paying IT Forward!" assessment program. We are very excited and grateful for SANS support of our program!