Given that BuboWerks aims to provide more support for small organizations than most information security consultancies, we would like to put out a primer on the security controls most small organizations should use. Chief among those recommendations will be, “Use a password manager!” Recently, Stuart Schechter put out a great piece cautioning against such advice. In this article, we’ll briefly touch on why password managers are important, especially for small organizations, then address the concerns he raises, and wrap up with some observations on specific password managers.
Password managers are not considered a common security control in large enterprises. This can be seen in NIST’s canonical list of security and privacy controls (SP 800-53), which makes no mention of anything like password managers (even though their use might be considered part of IA-5: Authenticator Management). The reason is that in large enterprises there is an expectation that all the systems and applications you use rely on a common authentication source, such as Active Directory (AD). Put another way: enterprises expect you to be able to use a common set of credentials (username/password, or even fancy things like username/smartcard+PIN), so you should not need to remember scores of passwords. Even when those enterprises use cloud services like Office 365, they often tie them to their enterprise authentication infrastructure.
Small organizations almost never have an authentication infrastructure, or at least not one that is architected for integrating with all the services they use. As a result, users in small organizations are left with dozens of different accounts to keep track of. While some of those accounts may only be usable in limited settings (for instance, their local login for a laptop), increasingly small organizations are relying on cloud services that are accessible from anywhere. This presents two major problems:
- Just as you can access the services from anywhere, so can attackers, who can likely crack any password you can remember — even a 16-character password made up of mixed-up words and numbers.
- Use of the same password between services means that if any of them are breached, the attacker can easily access the user’s information in the others.
A password manager helps defend against this by allowing you to use a unique, completely random password for each account you hold, so that you only need to remember the master key for the password manager.
It’s an elegant solution to a thorny problem, but as Mr. Schechter notes, there are many potential downsides to using a password manager. The key concern is that it becomes a single point of failure, whether because you lose access to it or because it is compromised. To counter this, he presents some solid advice on transitioning to a password manager, including starting with your lower-value passwords, and starting with the password manager built into your web browser.
Here at BuboWerks, we use 1Password. While there are many positives to 1Password, the key feature we love is that all its data is encrypted with the master password and secret key, meaning that even if Agile Software (the developer of 1Password) is compromised, the attacker will not be able to access our password data. Similarly, no one can impersonate us and get Agile to provide them access to our vaults. As noted in the article, setting up the recovery option is critical: I printed out my recovery kit and keep it in a theft- and fire-resistant safe. This author is still using a totally random password with mixed case and symbols, but rather likes the advice in the article to use a slightly longer one with just lower-case letters and numerics, because of the difficulty of typing symbols on virtual keyboards. I started with an 8-character password many years ago and have learned successively longer passwords since. While we are comfortably using 1Password, Bitwarden has since emerged as a solid open-source alternative. It appears very similar to 1Password in design, with two major advantages:
- Bitwarden allows you to run your own server infrastructure, giving you control over things like backups and distribution to guard against single points of failure (particularly the risk of the provider closing up shop).
- Individual accounts are free.
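To make the length-versus-alphabet trade-off above concrete (a longer lower-case-and-digit master password versus a shorter mixed-case one, and why a memorable 16-character mix of words and numbers is weaker than it looks), here is an added Python example; it is not code from the original post or from either product. The 7776-word list size and the 10^10 guesses-per-second rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Alphabets for the two master-password styles discussed above.
LOWER_DIGITS = string.ascii_lowercase + string.digits             # 36 symbols
FULL = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
# Assumed, not from the post: a 7776-word (Diceware-style) word list and an
# illustrative offline guessing rate of 10^10 guesses per second.
WORDLIST_SIZE = 7776
ASSUMED_GUESSES_PER_SECOND = 1e10

def random_password(length: int, alphabet: str = LOWER_DIGITS) -> str:
    """Draw a password uniformly from `alphabet` using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)

def passphrase_entropy_bits(words: int, digits: int = 0) -> float:
    """Entropy of `words` random word-list words plus `digits` random digits."""
    return words * math.log2(WORDLIST_SIZE) + digits * math.log2(10)

def lower_digit_length_matching(full_length: int) -> int:
    """Shortest lower-case+digit password at least as strong as `full_length`
    characters drawn from the full 94-symbol alphabet."""
    target = entropy_bits(full_length, len(FULL))
    return math.ceil(target / math.log2(len(LOWER_DIGITS)))

def expected_crack_days(bits: float, guesses_per_second: float) -> float:
    """Expected guessing time in days: half the keyspace at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second / 86400

if __name__ == "__main__":
    cases = {
        "8 chars, full alphabet": entropy_bits(8, len(FULL)),
        "3 words + 2 digits (16-ish chars)": passphrase_entropy_bits(3, 2),
        "12 chars, full alphabet": entropy_bits(12, len(FULL)),
        "16 chars, lower-case + digits": entropy_bits(16, len(LOWER_DIGITS)),
    }
    for label, bits in cases.items():
        days = expected_crack_days(bits, ASSUMED_GUESSES_PER_SECOND)
        print(f"{label:34s} {bits:5.1f} bits  ~{days:,.2f} days to guess")
    n = lower_digit_length_matching(12)
    print(f"lower-case+digit length matching 12 full-alphabet chars: {n}")
    print("sample master password:", random_password(n))
```

The point the numbers make is that adding a few lower-case characters buys more than adding symbols does, and that a word-based password of the same visible length carries far fewer bits than its character count suggests.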
That said, both 1Password and Bitwarden can probably provide a more resilient infrastructure than most small organizations can, either is likely to provide some sort of warning before going belly-up, and both are reasonably priced for small teams, so we encourage you to support them so they continue to improve. In the end, both are solid options and worth investigating.
This is probably the take-away for password managers in general: they are almost certainly an improvement over not using one, and while they carry risks, some investigation and a prudent rollout will mitigate those risks and tame the wild proliferation of passwords.