Photo by ecos systems /CC BY-ND 2.0

Short version: Get a password manager. Without one your small business will be at risk. I recommend using 1Password.

Passwords remain the primary authentication method for computer systems, so we need to keep them safe.

Managing passwords is all about balancing risk and convenience: it’s pragmatic to provide easy-to-remember passwords for your guest Wi-Fi users, but be more diligent and protect your Internet banking passwords with an authentication token.

For your small business, it is prudent to have strong, unique passwords. This helps protect against brute-force compromise, and also against secondary compromise if one of your passwords is revealed elsewhere.

Unfortunately, the average person just can’t remember multiple strong, unique passwords. A password manager provides a solution to this problem.

Password managers are just like a key safe. A key safe uses a master key to protect multiple keys when not in use, and a password manager uses a master password to protect multiple passwords when not in use.

The “key safe” in a password manager is an encrypted file that includes your other passwords. To access the file, you use your master password.

See how 1Password explains it below:

Essential password manager features

Clearly, when using a password manager, you need to keep both your encrypted password file and your master password safe. Here are the minimum features that I believe need to be considered when shortlisting potential password managers:

  1. Master password – Don’t use a password manager where the provider can see your master password, even if they promise not to store it. They can’t have an accident with something you never gave them!
  2. Encrypted password file – Don’t use a password manager where the provider has a copy of your encrypted password file, even if they promise there is no way they can read it. They’ll never need to apologize about an “unknown vulnerability” if they never have the file!
  3. Encrypt/decrypt location – Don’t use a password manager that decrypts your passwords on the provider’s computers before sending them to you. Plausible deniability at its best.
  4. Download trust – Only use a password manager that has secure download options for the initial installer file. This means downloading over HTTPS and checking that the application installer file is digitally signed. This only applies the first time you install the software. It’s nice to know your password manager hasn’t been compromised before you add your passwords to it.
  5. Keylogger protection – Unfortunately, software and devices to eavesdrop on your keyboard exist. So, to protect your master password, use a password manager with a secure desktop mode or equivalent, but note that nothing is 100% safe (in addition, keep your antivirus up to date, and beware of any unusual physical attachments inline with your keyboard).
  6. Synchronisation across devices – If you have multiple devices, then you will need to synchronise your encrypted password file across those devices. It may seem contrary to the earlier advice to avoid sharing your encrypted data file, but synchronisation across devices using a different provider from the password manager is an effective use of separation of duties. In addition, it is more likely that the fox (i.e. an attacker) will go looking for a hen in a hen house (i.e. attack a password manager’s central store of customer encrypted password files).
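To make the “key safe” concrete, here is an added example (my own illustration, not code from the post, from 1Password or from any other product in the comparison): a minimal local vault in Go that derives the encryption key from the master password on the device and seals the password file with AES-256-GCM, so only ciphertext ever reaches disk or a sync service (features 1, 2, 3 and 6 above). The KDF work factor, salt and nonce sizes, and the function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

const kdfIterations, saltLen, nonceLen = 600000, 16, 12 // assumed values (not from the post)

// deriveKey stretches the master password into a 32-byte AES-256 key (PBKDF2-HMAC-SHA256, RFC 8018, one block); the per-vault salt is random but not secret.
func deriveKey(master string, salt []byte) []byte {
	prf := hmac.New(sha256.New, []byte(master))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1, big-endian
	u := prf.Sum(nil)
	key := u // T1 = U1; each later round XORs in U_i
	for i := 1; i < kdfIterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		subtle.XORBytes(key, key, u)
	}
	return key
}

// SealVault encrypts the vault under the master password; only the returned blob (salt || nonce || ciphertext || tag) is ever written to disk or synced.
func SealVault(master string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen) // fresh random salt and nonce per seal
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(deriveKey(master, header[:saltLen])) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	return aead.Seal(header, header[saltLen:], plaintext, nil), nil
}

// OpenVault re-derives the key and decrypts; a wrong master password or a tampered blob fails the GCM tag check and returns an error, never garbage.
func OpenVault(master string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("vault blob too short")
	}
	block, _ := aes.NewCipher(deriveKey(master, blob[:saltLen]))
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], nil)
}
```

The blob returned by SealVault is the only artefact that needs to travel to Dropbox or another sync service; the master password and the derived key never leave the process.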

Simple comparison of popular password managers

The table below provides a summary comparison of five popular password managers.

1Password is the only password manager that meets all my earlier suggestions, so it is my recommendation. Oh, and don’t take my word for it: follow this link to see a recommendation from a true security expert (and, as an acknowledgement, much of my knowledge on password managers commenced after reading this linked post).

Irrespective of which password manager you choose, when you first set it up, take the opportunity to change weak passwords to stronger versions, rather than just importing them. Also change any passwords that may have been insecurely shared in the past – if in doubt, change it anyway.

| Feature | 1Password | Dashlane | KeePass | LastPass | RoboForm |
|---|---|---|---|---|---|
| Price | From $49.99 for desktop client; mobile client additional depending on features | Free for one device, then $39.99 | Free | Free, then $12/year depending on features | $9.95 first year, then $19.95/year |
| Desktop client (Windows, Mac) | Yes | Yes | Yes | Yes | Yes |
| Mobile client (iOS, Android, Windows Mobile) | Yes (cost for some features) | No Windows Mobile (cost for some features) | Clients via 3rd parties (cost for some features) | Yes (cost for some features) | Yes |
| Encrypted and signed client download | Yes | Yes | No | Yes | Yes |
| Sync across devices | Yes, various options including Dropbox and iCloud | Yes, paid plan only | Via third-party sync services, Dropbox etc. | Yes | Yes |
| Does the provider have a copy of my encrypted password file? | No, never | Yes, if using sync | No, never | Yes | Yes |
| Is data encrypted/decrypted locally? | Yes | Yes | Yes | Yes | Not always |
| Does your master password leave your device? | No | No | No | No | Sometimes |
| Can the master password be entered via Secure Desktop on Windows machines? (protection against keyloggers) | Yes | No | Yes | No | No |

… there’s more

If you are keen for more on this topic, please read my post on the habits of highly effective password management for small business.