Working as a distributed team with multiple clients, one of the things we have to deal with most often as an agency is managing passwords for online services and accounts safely.
Keeping passwords safe and secure, both internally and for external and third party services, is crucial for managing the integrity of online accounts. Failure to keep passwords secret can lead to:
- Customer data being exposed – a breach of an e-commerce site, for example, could expose customer data such as names, addresses, dates of birth, email and IP addresses. Customer data breaches are reportable to the ICO, and failure to report them can result in fines.
- Financial data being exposed – sensitive business-related financial data may be exposed if you fail to secure passwords for online banking, invoicing or account management services. This could critically impact your business’ bottom line.
- Invalidation of your business insurance – more and more business insurance providers are adding clauses to their policies to make proper management of online assets and accounts a requirement; knowingly using insecure passwords or improperly sharing online accounts may invalidate your business insurance.
To mitigate this risk and keep client and internal data and resources secure, Ultimately Better strongly recommend that all clients use strong, random passwords of at least 12 characters (including numbers and special characters), and a password manager to store and manage passwords online safely.
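As an added illustration of the policy above (not the agency's own tooling), the Python script below generates passwords from the operating system's secure random source, checks them against the stated rules (at least 12 characters, including digits and special characters), and estimates how many bits of guessing a random password of a given length represents. The set of special characters is an assumption chosen to be accepted by most sites.

```python
"""Generate and check passwords against the stated policy.

Added example using only the standard library; the special-character
set below is an assumption, not something prescribed by the policy.
"""
import math
import secrets
import string

MIN_LENGTH = 12
SPECIALS = "!#$%&*+-=?@^_~"  # assumption: conservative set most sites accept
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def meets_policy(password: str) -> bool:
    """True if the password has 12+ characters, a digit and a special char."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isdigit() for c in password)
        and any(c in SPECIALS for c in password)
    )


def generate_password(length: int = 16) -> str:
    """Draw characters with the OS CSPRNG (secrets) until the policy is met.

    Rejection sampling keeps the result uniform over compliant strings,
    rather than biasing fixed positions towards digits or specials.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"policy requires at least {MIN_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw), round(entropy_bits(len(pw)), 1))
```

A 12-character password drawn from this 76-symbol alphabet carries roughly 75 bits of entropy, which is why a random string is so much harder to guess than one built from dates or names.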
Using a password manager has the following advantages:
- Securely store existing passwords – store all of your passwords and account login details safely, including offering multiple login factors (such as biometric backup, or additional PINs) to ensure only you can access your data.
- Strong password generation – because your passwords are saved safely for each service, you can generate a strong, long, random password for every account, so that the compromise of one service does not lead to breaches of your other accounts. This also reduces the “guessability” that comes with passwords composed of familiar strings (important dates, etc.).
- Passwords safely encrypted – password managers encrypt your stored passwords with strong encryption, so the vault is unreadable to anyone who does not hold your “key”, the master password.
- Cross-device sharing within one account – most password managers allow you to access and manage your passwords across multiple devices, allowing you to safely log in on e.g. your phone, your tablet, and your computer without having to copy and paste passwords in plain text or use insecure or guessable passwords.
- Password sharing between accounts within organisations – some password managers have enterprise or organisation level sharing, allowing multiple users to share password access within a company.
- Password sharing to outside or guest users – some password managers allow external sharing of passwords, to allow e.g. development teams to temporarily access your important accounts.
There are several password management applications available. Some of the most popular include:
- Bitwarden – an open source multi-platform password manager, Bitwarden has been rated the best password manager for business for multiple years in a row. Bitwarden uses “zero knowledge” encryption, which means only the user/customer can see or manage the encrypted data. Bitwarden supports multiple login factors on all devices. Bitwarden have both free and paid plans. Ultimately Better use and recommend Bitwarden.
- LastPass – a password manager that works on multiple platforms and devices. LastPass have previously had problems with security breaches and although they’re better than not having a password manager, we don’t recommend them at this time.
- NordPass – a proprietary cross-platform password manager developed by NordVPN.
- 1Password – a proprietary cross-platform password manager with a zero-knowledge architecture. 1Password does not have a free plan.
In the event that you cannot use a password manager, or if your password manager doesn’t support secure password sharing, we recommend using Password.Link to generate one-time encrypted links to send or share passwords. We never recommend sharing passwords in plain text via e-mail or other unencrypted medium.
Ultimately Better are happy to talk to clients about their password management policies – just get in touch!