Dear #Infosec people. Do you have any password managers to recommend for non-technical people in an organisation?

I have a slightly cumbersome way of doing it myself, but I wouldn't ask a typical end-user to do it.

LastPass has come to mind in the past, but they seem to have occasional data breaches (!!) so that doesn't sound like the best option.


@Spokesoneill Given the current state of software / systems today, if you avoid any organization that has had a security breach, you will change organizations often, and you will only work with (relatively) inexperienced organizations. This is not to say you should seek out organizations that are breached regularly (just say "no" to sendmail).

For me, the answer is to make a decision based in part on technology (remove sensitive (e.g. unencrypted) information from the hands of others as much as practicable) and part on how responsibly the organization behaves, and the largest part on whether the tool will meet the needs.

If convenience is the number 1, 2 and 3 priority, maybe writing the passwords on the window in dry-erase marker makes sense (though that approach offers limited auto-fill). If absolute security is critical, put the password vault on a device with no wireless access (e.g. a piece of paper) and store it in a safe in a locked room with an alarm system and guards.

If instead you need to balance security and convenience, it makes sense to think about user interface / usability and where and when users might need access to their passwords.

KeePass2 is a lovely tool that I have used. It has some challenges (e.g. the passwords are in a database file that you then need to manage / distribute / avoid corrupting / keep in sync), but it works fine for some people.

I've used LastPass. It offers a lot more usability than KeePass for a number of use-cases (e.g. web browser, automatic sync of changes across devices).

LastPass trades off that the client (where you enter your password / the credentials are decrypted) is much more dynamic, which is the primary form of risk for the tool (i.e. if you used a compromised client software to access my vault, your credentials are compromised). As far as I know that hasn't happened, and the company seems to not be afraid to announce a breach when it is observed, so the recent announcement doesn't seem specifically concerning to me at the moment.

There are definitely some quality competitors to LastPass, including 1Password, Bitwarden, etc. that offer comparable usability and features. You should consider them also. The technical challenge of evaluating their technology is difficult but educational; that is probably for you or possibly even someone more technical rather than your users.

Also, ask your users what they do today in a way that isn't judgemental or accusatory. If you propose something, make sure it is at least as usable as what they do today, and seriously consider options that they are already familiar with.
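The post above explains the model that separates a vault-based manager from "passwords on a window": the master password never leaves the user's device, the file or sync service only ever holds ciphertext, and decryption happens in the client, which is why a compromised client is the main risk. The following is an added example to illustrate that model; it is not code from any of the products mentioned (KeePass, LastPass, 1Password and Bitwarden use AES or ChaCha20-based constructions, not this one). It uses only the Python standard library: scrypt for the password-derived key and, as a stand-in for AES-GCM, an HMAC-SHA256 keystream in counter mode with encrypt-then-MAC. The entry names and passwords are constructed sample data.

```python
"""Illustrative client-side encrypted vault (added example, not vendor code).

Shows the three properties the thread discusses:
  1. the synced blob reveals nothing without the master password,
  2. a wrong master password or a tampered blob is rejected, not silently decrypted,
  3. plaintext exists only on the client after open_vault() succeeds.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

# scrypt parameters chosen for illustration (assumption: a real product tunes these).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Memory-hard KDF; returns 64 bytes: 32 for encryption, 32 for the MAC."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks.
    Stand-in for a real block/stream cipher so the example runs without extra libraries."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password: str, entries: Dict[str, str]) -> Dict[str, str]:
    """Encrypt the vault on the client. The returned dict is all a sync service ever sees."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC over everything the client will trust when opening.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password: str, blob: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Decrypt on the client. Returns None for a wrong password or a modified blob."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def blob_leaks(blob: Dict[str, str], entries: Dict[str, str]) -> bool:
    """Sanity check a reviewer can run: does any stored secret appear in the synced blob?"""
    stored = bytes.fromhex(blob["ct"])
    return any(secret.encode("utf-8") in stored for secret in entries.values())


def tamper(blob: Dict[str, str]) -> Dict[str, str]:
    """Flip one bit of the ciphertext, as a corrupted or malicious sync would."""
    ct = bytearray.fromhex(blob["ct"])
    ct[0] ^= 0x01
    return {**blob, "ct": ct.hex()}


if __name__ == "__main__":
    # Constructed sample entries; not real credentials.
    sample = {"twitter": "correct-horse-battery-staple", "vpn": "Tr0ub4dor&3"}
    sealed = seal_vault("my master passphrase", sample)
    print("sync service sees:", sealed["ct"][:32], "...")
    print("leaks plaintext?", blob_leaks(sealed, sample))
    print("wrong password ->", open_vault("guess", sealed))
    print("tampered blob  ->", open_vault("my master passphrase", tamper(sealed)))
    print("client decrypts->", open_vault("my master passphrase", sealed))
```

The point of the `blob_leaks` and `tamper` checks is the one the post makes about where risk actually sits: a breach of the sync side yields only the blob, so the exposure is the cost of guessing the master password against scrypt, whereas anything running on the client after `open_vault` returns sees every secret in the clear.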

@kissake Thanks for all of that. Secure and convenient would be equal priorities. Secure is my priority and easy is the end-user's priority.
I have some high-value users who have no means at the moment. Swapping a phone, for example, means me either keeping their Twitter password in my own safe, or resetting it for them each time as they don't remember.
I'll have a look at Bitwarden.
Thanks again.

Qoto Mastodon