We’re often asked what are the recommended ‘Best Practices’ for personal password management, so we’ve put together a little guide which we hope you will find useful.
The following suggestions are also applicable to passwords which are shared amongst team members, and while there is reference to features specific to Passwordstate, they are also useful tips for any other password management system.
Create a Private Password List
First thing you will want to do in Passwordstate is create your own Private Password List. By creating a Personal Password List, it is hidden from all other users of Passwordstate (including Security Administrators), and permissions cannot accidently be granted to other users – the option to apply permissions to the Password List is disabled. It’s possible your Security Administrators of Passwordstate have disabled the ability to create Private Password Lists, so if the option is greyed out under the ‘Passwords’ menu at the bottom of your screen, please speak to one of your Security Administrators of Passwordstate. Below is a screenshot for adding a new Private Password List, and we’ve highlighted a few options which we recommend. Some of these options are covered further down in the blog post.
Caution – As you can see in the screenshot below, you have the option of specifying an ‘Additional Authentication’ step which is required before you can access the Password List. If you choose ‘Use Separate Password’, and forget this password, then the only way to restore access to the Password List is to have one of your Database Administrators restore a copy of the database prior to making the change. Security Administrators are able to reset your ScramblePad Pin Code, your Google Authenticator Secret Key, or your SecurID pin, but they cannot reset a personal password you apply to this list.
Encrypt Your Passwords
It goes without saying, but if your passwords aren’t encrypted in some way, then anyone can potentially gain access to your valuable resources. Passwordstate uses industry standard 256-bit AES Encryption (Advanced Encryption Standard), and this should be a minimum encryption standard to use. AES has been adopted by the US government, and is now used worldwide. In addition to encrypting your passwords, their values should be also ‘salted’ in the database. Salted means an additional input is used as a one-way function that hashes a password or passphrase. The primary purpose of salts is to defend against dictionary attacks and pre-computed rainbow table attacks. In addition, even if your database administrator is snooping around the raw data, no two encrypted values appear to be the same. There are other features in Passwordstate which further protect against theft of the database and decryption attempts, like the ‘Authorized Web Servers’ feature.
Backup Your Passwords
We have witnessed quite a few customers over the years who do not backup their Passwordstate database. Best practice recommends you backup all IT systems, regardless of their importance or sensitivity of the data. When we’ve queried these customers as to why they haven’t got a backup of the database, we generally receive one of two responses – 1. I’m not a DBA and don’t know how to, or 2. I didn’t know we needed to do that. As of version 6 of Passwordstate, you can now take advantage of the Automatic Backup feature. With this feature, you can set a regular schedule, and Passwordstate will perform the backups for you. It will back up all of the Passwordstate web files, and also a full copy of your database. There are a few steps required to configure Automatic Backups, and the following blog post will provide further detail – http://www.clickstudios.com.au/blog/backups-and-in-place-upgrades/.
Create Strong Passwords
The stronger the password, the harder it is to guess or crack. The issue with complex passwords is they’re difficult to remember, and often a pain to create. In Passwordstate we’ve provided a Password Generator, and this tool allows you to easily create complex passwords. There are numerous Alphanumeric and Special character options, as well as the use of a Word Dictionary which contains 10,000 words which can be inserted into your password phrase. The following article on our site also goes into some detail about choosing good passwords – http://www.clickstudios.com.au/articles/choosing-good-passwords.html
Once you’ve set the options for your Password Generator, any time you need to create a new complex password, you simply click on the following icon . And there really is no need to try and memorize these passwords when using Passwordstate – you can unmask the password at any time by clicking on the ****** value you see in the grids, or you can copy the password to the clipboard by clicking on the icon .
Reset Passwords on a Regular Basis
How often do you read on the Internet of some site’s user database being compromised, and all the user’s passwords being leaked – unfortunately it’s all too often? If you reset your password on a regular basis, then this becomes less of an issue. We have a couple of features in Passwordstate which will help with the reset task, and they all relate around the use of the ‘Expiry Date’ field. When you populate the Expiry Date field, you can see visually on the screen when a Password should be reset – if the Password has already ‘expired’, or will expire in the next 30 days, then the Expiry Date field will be highlighted in a Red color. In addition to this, we have the ‘Expiring Passwords’ report which you can choose to receive via email either daily, weekly or monthly. This email report provides you a list of all your Passwords which have already expired, or are about to expire in the next 30 days.
Avoid Password Reuse
And finally, one of the worst things you can do is reuse Passwords across different systems and web sites. We all do it, but it is probably one of the worst password management practices you can adopt. Any time one Password on a web site/system is compromised, then the hacker could potentially gain access to all your other systems – assuming they know your login ID. In the screenshot above for the Private Password List’s settings, you will notice we’ve highlighted the feature ‘Prevent Password Reuse’. By using this feature, Passwordstate will query the history of changes for the Password record, and prevent you from ‘reusing’ passwords based on the number you set.
We hope you find this a useful guide for Personal Password Management Best Practices.