You can securely store not just passwords, but also documents, files, images, digital certificates and licenses in Zoho Vault. Files can be stored as individual entities or along with secrets. You can add multiple files with a single secret and retrieve them from anywhere, even through your mobile devices. The file attachments are also treated like passwords – they can be shared with users and user groups and are encrypted in your browser itself. The encryption key is never stored anywhere. So, complete data privacy is ensured.
When Edward Snowden, the former NSA contractor, started disclosing classified details of several top secret surveillance programs of the US intelligence agencies in June this year, everyone was wondering how he had gained access to that highly confidential information.
Five months later, an exclusive report in Reuters reveals that Snowden used perhaps the easiest possible way to gain unauthorized access to the secrets. Misusing his position as a system administrator, he reportedly persuaded nearly 20 of his colleagues to share their login credentials with him under the pretext of doing his job. They unwittingly provided him with the credentials, which led to the worst breach of information security in the NSA’s history. They thought they were giving the credentials to a trusted insider, unaware of Snowden’s real intent.
This report reminded me of a funny campaign titled “Passwords are like underwear”, run by Information Technology Central Services at the University of Michigan a few years back to create awareness of protecting passwords.
True, passwords are like underwear – obviously not meant to be shared with others. Unfortunately, practical needs mostly push in the opposite direction. Business requirements demand selective sharing of passwords with others. In most organizations, users often reveal administrative passwords of sensitive IT resources to their colleagues for some reason or other.
In the last two weeks, the Petition Against Passwords movement launched by a group of US-based companies that sell password-less technology has been gaining widespread media attention across the world. Their mission is to collect every frustrated yell at forgotten passwords and make sure the organizations responsible hear them.
At the RSA conference in San Francisco early this year, James DeLuccia’s talk “Passwords are dead” created quite a buzz. At the conference, Zoho’s sister division ManageEngine demonstrated its enterprise password management solution, Password Manager Pro, and almost all the visitors to our stand quipped: “They are talking about the death of passwords and you are demonstrating password management!”
So, we hear the vox populi loud and clear: people are fed up with passwords. With the proliferation of online applications, a variety of passwords occupy every aspect of our lives. Remembering dozens of passwords is impossible; storing them only invites trouble, and managing them manually is a pain. With high-profile security breaches involving stolen online identities, all of us want to be rid of passwords. So, when someone talks about replacing passwords, it’s only natural for people to get interested.
But the million-dollar question is: do we have viable alternatives if passwords finally die?
Before going any further, here is some history on the ‘death of passwords’:
For over a decade now, people have been discussing the death of passwords. At the same RSA conference in 2004, Bill Gates, the Chairman of Microsoft, predicted the death of passwords. In 2006, he said that the end of passwords was in sight. Not just Bill Gates, but many other luminaries and industry analysts have been predicting the death of passwords.
In reality, however, the predictions haven’t yet materialized. Passwords are still the most prominent method of authentication to date. Alternatives to passwords, such as biometric authentication, iris authentication, facial authentication, various forms of multi-factor authentication, and even authentication through items like watches, jewellery and electronic tattoos, are all being discussed. Active research is also under way to formulate better alternatives.
However, none of the alternative approaches has been viable, for various reasons. Firstly, passwords are very easy to create and are absolutely free. The alternative models, by contrast, are mostly expensive, require additional hardware components, are difficult to integrate with the existing environment, and are not easy to use.
Interestingly, some of these alternative authentication methods have been cracked even before they could be adopted widely. A few years ago, a group of researchers bypassed biometric facial authentication systems using phony photos of legitimate users.
As of today, a viable replacement for traditional passwords is not in sight! We may get one in the future, though. But it will take considerable time for any new mechanism to be accepted and adopted. That means traditional passwords are not going to die anytime soon; they are going to be around for a while.
Passwords are not the problem; their management is
While raising our voices against passwords, we overlook the actual problem, which is poor password management. Unable to remember passwords, users use and reuse simple passwords everywhere. Users store passwords in text files and post-it notes, share credentials among team members, and pass them around over email or by word of mouth. Real access controls do not exist, and passwords of sensitive resources and applications remain unchanged for ages. Such bad password management practices invite security issues and other problems.
Use a password manager
While the research to find an alternative to passwords continues, it would be prudent to deploy a password manager to safeguard your data. With a password manager, you can secure all your passwords in a centralized repository; use strong, unique passwords without worrying about remembering them; automate and enforce password management best practices; control access to resources and applications; keep track of activities; and do much more.
If you are wondering which password manager to use, take a look at Zoho Vault.
What is the purpose of a password? If we pose this question to any group of users, we will get a variety of responses. In simple terms, the purpose of a password is to keep your data and information secure, secret and private. Essentially, passwords have to be kept secret to serve their purpose. Ironically, for lack of proper password management, we tend to make our passwords much like ‘Pulcinella’s Secrets’!
Yes, you read it right – Pulcinella’s Secrets! If you wonder whether you got the meaning correct, let me explain:
Pulcinella is an illustrious comic character in Commedia dell’Arte, a form of theater that began in Italy in the mid-16th century. The defining trait of Pulcinella is his inability to keep secrets. Any confidential information conveyed to him becomes an open secret in no time. The secret reaches far and wide, but everyone pretends not to know. In reality, Pulcinella’s secrets are not secrets at all.
Passwords in Text Files, Post-Its or Spreadsheets are Pulcinella’s Secrets, Literally!
With the proliferation of password-protected online accounts and IT assets, businesses are drowning in a pile of passwords. But many organizations and business establishments do not have any effective password management procedure in place at all. Employees adopt their own haphazard ways of maintaining passwords. The following are some typical scenarios:
- Sensitive passwords are stored in unprotected places such as text files, spreadsheets, post-its and the like
- Many copies of the passwords are circulated among the people who require them for their job functions. There is generally no record of ‘who’ accessed ‘what’ passwords and ‘when’. This creates a lack of accountability for actions
- When one user changes a password, it has to be updated in all the ‘copies’; otherwise, at the most needed time, someone will be trying to log in with an outdated password. As a result, passwords mostly remain unchanged for ages for fear of inviting such lockout issues
- There is rarely any internal control on password access or usage in many organizations. Users freely get access to the passwords
- When other members of the organization require access to an online application or an online account, passwords are generally passed on by word of mouth
- If an employee leaves the organization, it is quite possible that he/she leaves with a copy of all the passwords
So, if you follow the traditional style of storing business passwords described above, your passwords have probably turned into Pulcinella’s Secrets! Many in your organization might be accessing the passwords while you think otherwise. Obviously, this practice leaves organizations open to security attacks and identity theft.
Deploying a Password Manager – The Best Practice Approach
One effective way to keep your passwords secure (and genuinely secret) is to store them in a central, secure, digital vault and automate password management tasks. Deploying a password manager like Zoho Vault can help you take total control of your passwords. You can store all your online identities – passwords of web applications, PINs, registration numbers, access codes, bank account details – anything sensitive or confidential, in the online vault and access them from anywhere. Password changes are updated in the central vault.
You can selectively share common passwords on a need-to-know basis among the members of your organization with fine-grained access privileges. Your users get access only to the passwords they require, not all of them. You also get comprehensive audit trails on ‘who’ accessed ‘what’ passwords and can easily trace activities to individuals. You can completely eliminate the insecure, cumbersome practice of storing passwords in unprotected places like post-its, text files, print-outs and spreadsheets. Try Zoho Vault, now!
This question may sound trivial. Before discussing further, let me narrate an incident:
About three years ago, on March 17, 2010, in Austin, Texas, hundreds of cars purchased from a particular car dealer started honking uncontrollably. Worse still, the owners were not able to start the cars, as the ignition system had been disabled. Car owners had no clue what was happening. They had no option but to disconnect the battery.
Following hundreds of such complaints and anxious moments, the car dealer carried out an investigation with the help of the police and found that a sacked employee had gained unauthorized access to an internal IT application and turned on the web-based vehicle-immobilization system normally used to draw the attention of customers delinquent in their auto payments. The techie had apparently taken revenge on the dealer for laying him off.
Soon after sacking him, the car dealer had promptly terminated all his access, including access to the vehicle-immobilization application. But he knew the credentials of a colleague, and used them to gain unauthorized access to the application.
Now, coming back to the question: How do you handle passwords when an employee leaves the organization? Does your organization have an effective ‘de-provisioning’ process in place to ensure that the former colleague will not continue to access your applications or data?
The saying ‘out of sight, out of mind’ may not hold in all cases. Most employees leaving an organization will forget their former employer and concentrate on what is happening in the new organization. Occasionally, though, a disgruntled ex-colleague, a sacked employee, a terminated contractor or a greedy techie may turn bad, and you will have problems on your hands.
The Austin car-honking incident is a classic example of the kind of insider threat organizations are prone to. A single disgruntled employee leaving the organization can wreak havoc on the business or cause huge financial loss if user de-provisioning is not handled properly. De-provisioning includes not just terminating access to key IT systems and applications, but also resetting the passwords.
Conversely, certain online accounts might be ‘owned’ by the person leaving the organization. If he fails to ‘hand over’ or ‘reveal’ the account details to someone else, the account will practically become an orphan posing a different kind of problem.
Tracing Access – The Key Challenge
When an employee leaves the organization,
- it is essential to carry out a careful review of the access permissions granted to him/her
- access has to be terminated and passwords must be reset
- passwords owned by the person should be transferred to someone else
- the password sharing scenario has to be reviewed. Users often reveal passwords to their colleagues for some reason or other. The most common reason for such an ‘unofficial share’ is to cater for an emergency during one’s absence – a manager revealing the password of an application to a senior team member before going on vacation.
The key challenge here is finding out the list of all applications and resources accessed by the person leaving the organization. With the proliferation of online applications, it is indeed a daunting task to trace all the applications to which the person possessed access. Tracing the ‘shared passwords’ is another tricky scenario.
If you can’t trace access, the safest option is to change the passwords of all applications, sites and resources. Needless to say, this is cumbersome, arduous and time-consuming.
Centralized Password Repository – The Ideal Solution
The ideal solution to this problem is establishing and maintaining a centralized password repository using a password manager. You can keep all your logins in the centralized vault and grant access to employees selectively, based on job roles and responsibilities. By looking at the dashboard, you will know ‘who’ has access to ‘what’ applications and accounts. When an employee leaves the organization, within minutes you can take a report on the applications accessed by him/her and change the passwords of those sites or applications alone. You can also overcome the sharing-related issues by using a password manager. In addition, you can even prevent the passwords from being shown in plain text to the users you share them with. The users are just allowed to launch a direct connection to the site or application without viewing the password.
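The offboarding report described above (which secrets a departing user accessed, which were shared with them directly or via a group, and which they own) can be derived from a vault's audit trail. The following is an added example, not Zoho Vault's own code or export format; the log format, event names and group membership are constructed for illustration.

```python
"""Offboarding report from a constructed credential-vault audit trail.

For a departing user it lists the secrets to rotate, the shares to
revoke and the secrets whose ownership must be transferred first.
"""

# Constructed sample audit trail (not a real vault export).
# Columns: timestamp, actor, action, secret, target ('-' if none).
AUDIT_LOG = """\
2013-06-01T09:00:00Z alice create prod-db-root -
2013-06-01T09:05:00Z alice share  prod-db-root bob
2013-06-02T10:00:00Z bob   access prod-db-root -
2013-06-03T11:00:00Z carol create twitter-corporate -
2013-06-03T11:01:00Z carol share  twitter-corporate group:marketing
2013-06-04T08:00:00Z bob   access vpn-gateway -
2013-06-05T12:00:00Z bob   create aws-billing -
2013-06-06T13:00:00Z alice access prod-db-root -
"""

# Constructed group membership; shares to "group:<name>" reach every member.
GROUPS = {"marketing": {"bob", "dave"}}


def parse_events(log):
    """Turn the whitespace-separated audit lines into dicts."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, actor, action, secret, target = line.split()
        events.append({"ts": ts, "actor": actor, "action": action,
                       "secret": secret, "target": target})
    return events


def offboarding_report(events, user, groups):
    """Return what must be done to the vault when `user` leaves."""
    user_groups = {"group:" + g for g, members in groups.items() if user in members}
    accessed, shared_with, owned = set(), set(), set()
    for e in events:
        if e["action"] == "access" and e["actor"] == user:
            accessed.add(e["secret"])
        elif e["action"] == "share" and e["target"] in {user, *user_groups}:
            # A group share counts even if the user never opened the secret.
            shared_with.add(e["secret"])
        elif e["action"] == "create" and e["actor"] == user:
            owned.add(e["secret"])
    return {
        # Anything the user could have seen gets a new password,
        # including secrets they created themselves.
        "rotate": sorted(accessed | shared_with | owned),
        "revoke_shares": sorted(shared_with),
        "transfer_ownership": sorted(owned),
    }


if __name__ == "__main__":
    for key, secrets in offboarding_report(parse_events(AUDIT_LOG), "bob", GROUPS).items():
        print(key, secrets)
```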
If you are wondering which password manager to use, take a look at Zoho Vault, an online password manager that serves as the centralized repository for all your passwords. It helps you securely store, share and manage your passwords and other sensitive data and access them from anywhere. Try Zoho Vault, now!
How many times in the recent past did you receive advisories asking you to reset the passwords of your online accounts?
- Just a couple of weeks ago, MOZ.com, the popular internet marketing software company, advised all its customers to reset their MOZ account passwords because the encrypted portion of some member passwords was made public for a brief time.
- About a month back, the online daily deal company LivingSocial Inc. alerted its 50 million users to reset their account passwords following a cyber-attack on its computer systems that resulted in unauthorized access to some customer data on its servers.
- On March 2, 2013, Evernote revealed that hackers had gained access to their network and been able to access user information, including usernames, email addresses, and hashed passwords. About 50 million users of Evernote were asked to reset their passwords.
- Nearly a year ago, over 6.46 million hashed passwords were reportedly stolen from LinkedIn. Following that, LinkedIn asked the affected users to reset their passwords.
- In early 2012, cyber-criminals apparently gained access to the internal network and systems of the popular online shoe and apparel shop Zappos through one of its servers in Kentucky. Zappos suspected unauthorized access to its customer information and asked customers to reset their passwords.
These are just a few prominent samples. The list will actually fill volumes.
Resetting the password in the affected site alone may not be sufficient!
When you receive advisories like the ones mentioned above, you promptly change the password on that site and feel secure. But the harsh truth is that passwords and other sensitive data exposed on a single site could potentially affect your entire online life. This is because of the simple fact that most of us use the same password on all sites and applications. So the hacker who succeeds in cracking your password actually gets the ‘master key’ to all your accounts.
Just consider these scenarios:
- An employee has used the same password for his social media accounts as well as his work email and VPN. A data exposure at just one site could bring hackers to your organization’s doorstep!
- You are using the same password for your social media account and for online financial accounts. A password exposure in one place could potentially drain your account.
So, when a security incident happens in one place, you really should reset the passwords of all your other online accounts too. But before you can do that, you need the list of all the online applications in which you own an account!
There is no magic wand: Use a unique password for every site
It is always prudent to have a unique password for every website and application and to supply it ONLY on that site or application. When there is news of a password exposure or a hack, you can then change the password for that site or app alone. Changing passwords regularly as a habit is also highly recommended.
But here comes the problem: you will have to remember multiple passwords – sometimes tens or even hundreds. It is quite likely that you will forget some, and at the moment you most need them you will struggle to log in, resulting in password fatigue.
The way out: Use a password manager
Just as you have an email account, consider using a password manager too. To combat cyber-threats, proper password management should ideally become a ‘way of life’. Password managers securely store all your logins and passwords. In addition, you get an option to launch a direct connection to websites and applications from the password vault’s GUI itself. This saves you even the copy-and-paste step: logging in is just a click away. Once you deploy a password manager, you can say goodbye to password fatigue and security lapses.
And, Zoho offers Zoho Vault, an online password manager, which solves all your password management problems. Try Zoho Vault!