Use a Password Manager to help
So you know it is important for everyone in the organization to use a long, random, and different password for each of their personal and organizational accounts, but how do you actually do that? Memorizing a good password for dozens (if not hundreds) of accounts is impossible, so everyone has to cheat. The wrong way to cheat is to reuse passwords. Luckily, we can turn to digital password managers instead, which make our lives much easier and our password practices much safer. These applications, most of which can be used from both a computer and a mobile device, create, store, and fill in passwords for you and your entire organization. Adopting a secure password manager means that you only ever have to remember one very strong, long password, called the primary password (historically referred to as a “master” password), while getting the security benefits of good, unique passwords across all of your accounts. You will use this primary password (and ideally a second factor of authentication, or 2FA, which is discussed in the next section) to open your password manager and unlock access to all your other passwords. Password managers also let you share individual passwords with specific colleagues, so credentials can be shared securely throughout the organization.
Why do we need to use something new? Can we not just write them down on paper or in a spreadsheet on the computer?
Unfortunately, there are many common approaches to managing passwords that are not secure. Storing passwords on sheets of paper (unless you keep them locked away in a safe) can expose them to physical theft, prying eyes, and easy loss and damage. Saving passwords on a document on your computer makes it much easier for a hacker to gain access – or for someone who steals your computer to not only have your device but also access to all of your accounts. Using a good password manager is just as easy as that document, but far more secure.
Why should we trust a password manager?
Quality password managers go to great lengths (and employ strong security teams) to keep their systems secure. Good password management apps (a few are recommended below) are also designed so that the provider itself cannot “unlock” your vault: your passwords are encrypted on your own device with a key derived from your primary password, and only the encrypted vault is sent to the provider’s servers. This means that even if the provider were hacked or legally compelled to hand over data, what it holds is encrypted material it cannot read; your passwords are only as exposed as your primary password is guessable. It is also worth remembering that it is far more likely that an adversary guesses one of your weak or repeated passwords, or finds one in a public data breach, than that a reputable password manager’s encryption is broken. It is important to be skeptical, and you definitely should not blindly trust all software and applications, but reputable password managers have the right incentives to do the right thing.
What about storing passwords in the browser?
Saving passwords in your browser is not the same as using a secure password manager. In short, you should not use Chrome, Firefox, Safari or any other browser as your password manager. Although it is definitely an improvement over writing them on paper or saving them in a spreadsheet, the basic password-saving features of your web browser leave something to be desired from a security perspective. These shortcomings also rob you of much of the convenience that a good password manager brings. Losing this convenience makes it more likely that people across your organization will continue poor password creation and sharing practices.
For example, unlike dedicated password managers, browsers’ built-in “save this password” or “remember this password” features do not provide simple mobile compatibility, cross-browser functionality, and strong password generation and auditing tools. These features are a big part of what makes a dedicated password manager so useful and beneficial to your organization’s security. Password managers also include organization-specific features (such as password sharing) that provide not just individual security value, but value to your organization as a whole.
If you have been saving passwords with your browser (intentionally or unintentionally), take a moment to remove them.
What password manager should we use?
Many good password management tools exist that can be set up in less than 30 minutes. If you are looking for a trusted online option for your organization that people can access from multiple devices at any time, 1Password (starts at $2.99 USD per user per month) or the free, open-source Bitwarden are both well supported and recommended.
An online option like Bitwarden can be great for both security and convenience. Bitwarden, for example, will help you create strong unique passwords and access passwords from multiple devices through browser extensions and a mobile app. With the paid version ($10 USD for a full year) Bitwarden also provides reports on reused, weak, and possibly breached passwords to help you stay on top of things. Once you set up your primary password (referred to as a master password), you should also turn on two-factor authentication to keep your password manager’s vault as secure as possible.
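To show what a password manager’s generator and its “reused, weak, and possibly breached” report do behind the scenes, here is an added example written for this Handbook. It is not Bitwarden’s or 1Password’s code. The vault entries and the small breach corpus are constructed for illustration, the 14-character “weak” threshold is an assumption, and the breach lookup only imitates the k-anonymity model (send the first five characters of the password’s SHA-1 hash, receive every matching suffix) that public breach-checking services use, so no real service is contacted.

```python
"""Added example: what a password manager's generator and vault-health
report do under the hood. Constructed data throughout; not Bitwarden's
or 1Password's code."""
import hashlib
import math
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 14  # assumption: the audit's threshold for calling a password "weak"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password from the OS CSPRNG (the secrets module), which is
    what a manager's generator does. Never use random.choice for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach-lookup service (the k-anonymity model
# used by Have I Been Pwned): SHA-1 hashes of leaked passwords indexed by
# their first five hex characters.
_LEAKED = ["password", "123456", "qwerty", "letmein"]
BREACH_INDEX: dict[str, set[str]] = defaultdict(set)
for _p in _LEAKED:
    _h = sha1_hex(_p)
    BREACH_INDEX[_h[:5]].add(_h[5:])


def range_lookup(prefix: str) -> set[str]:
    """Simulated service call: receives only a 5-char hash prefix and returns
    every suffix it knows for that prefix. The full hash (and therefore the
    password) never leaves the client."""
    return BREACH_INDEX.get(prefix, set())


def is_breached(password: str, lookup=range_lookup) -> bool:
    digest = sha1_hex(password)
    return digest[5:] in lookup(digest[:5])


def audit_vault(vault: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Return the sites whose passwords are reused, short, or present in the
    breach corpus. Vault entries are (site, username, password)."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for site, _user, pw in vault:
        by_password[pw].append(site)
    report: dict[str, list[str]] = {"reused": [], "weak": [], "breached": []}
    for site, _user, pw in vault:
        if len(by_password[pw]) > 1:
            report["reused"].append(site)
        if len(pw) < MIN_LENGTH:
            report["weak"].append(site)
        if is_breached(pw):
            report["breached"].append(site)
    return report


# Constructed vault for a small organisation.
SAMPLE_VAULT = [
    ("facebook.com", "comms@example.org", "password"),
    ("twitter.com", "comms@example.org", "password"),
    ("bank.example", "finance@example.org", "Summer2023!"),
    ("mail.example.org", "director@example.org", generate_password(24)),
]

if __name__ == "__main__":
    print(f"{entropy_bits(20):.0f} bits for a 20-character random password")
    for kind, sites in audit_vault(SAMPLE_VAULT).items():
        print(f"{kind:9s}: {sites}")
```

Run as a script, the audit flags the two accounts sharing the leaked password “password” as reused, weak and breached, and the 11-character bank password as weak only. The point of the prefix lookup is that the report can be produced without the manager ever sending a password, or even its full hash, to anyone.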
It is essential to practice good security when using your password manager too. For instance, if you use your password manager’s browser extension or log in to Bitwarden (or any other password manager) on a device, remember to log out after use if you are sharing that device or believe that you might be at heightened risk of physical device theft. This includes logging out from your password manager if you leave a computer or mobile device unattended. If sharing passwords across your organization, also be sure to revoke access to passwords (and change the passwords themselves) when people leave the organization. You do not want a former employee to keep access to your organization’s Facebook password, for example.
What if someone forgets their primary password?
It is essential to remember your primary password. Good password management systems like the ones recommended above will not remember your primary password for you or allow you to reset it directly via email the way you might be able to for websites. This is a good security feature, but also makes it essential to commit your primary password to memory when you first set up your password manager. To help with this, consider setting up a daily reminder to recall your primary password when you first create a password manager account.
Advanced: Using a Password Manager for Your Organization
You can strengthen your entire organization’s password practices and ensure all individual staff have access to (and use) a password manager by implementing one across the entire organization. Instead of having each individual staff member set up their own, consider investing in a “team” or “business” plan. For example, Bitwarden’s “teams organization” plan costs $3 USD per user per month. With it (or other team plans from password managers like 1Password), you have the ability to manage all shared passwords across the organization. The features of an organization-wide password manager not only provide greater security but also convenience for staff. You can securely share credentials within the password manager itself to different user accounts. And Bitwarden, for example, also provides a convenient end-to-end encrypted text and file sharing feature called “Bitwarden Send” within its team plan. Both of these features give your organization more control over who can see and share which passwords, and provides a more secure option for sharing credentials for team-wide or group accounts. If you do set up an organization-wide password manager, be sure that someone is specifically in charge of removing staff accounts and changing any shared passwords when someone leaves the team.
What is two-factor authentication?
However good your password hygiene, it is all too common for hackers to get around passwords. Keeping your accounts secure from some common threat actors in today’s world requires another layer of protection. That is where multi-factor or two-factor authentication comes into play – referred to as MFA or 2FA.
There are many great guides and resources explaining two-factor authentication, including Martin Shelton’s Two-Factor Authentication for Beginners article and the Center for Democracy & Technology’s Election Cybersecurity 101 Field Guide. This section borrows heavily from both of those resources to help explain why 2FA is so important to implement across your organization.
In short, 2FA strengthens account security by requiring a second piece of information – something more than just a password – to gain access. The second piece of information is usually something that you have, like a code from an app on your phone or a physical token or key. This second piece of information acts as a second layer of defense. If a hacker steals your password or gains access to it via a dump of passwords from a major data breach, effective 2FA can keep them from accessing your account (and therefore away from private and sensitive information). Ensuring that everyone in the organization puts 2FA in place on their accounts is critically important.
How can we set up two-factor authentication?
There are three common methods for 2FA: security keys, authentication apps, and one-time SMS codes.
Security Keys
Security keys are the best option, in part because they are almost completely phishing proof: the key signs a login challenge that your browser ties to the exact website address you are on, so a look-alike site cannot obtain a response that the real site will accept. These “keys” are hardware tokens (think mini USB drives) that can attach to your keychain (or stay in your computer) for easy access and safekeeping. When it is time to use the key to unlock a given account, you simply insert it into your device and physically tap it when prompted during login. There is a wide range of models that you can purchase online ($20-50 USD), including the highly regarded YubiKeys. The New York Times’ Wirecutter has a helpful guide with some recommendations for which keys to purchase. Keep in mind that the same security key can be used for as many accounts as you would like. While security keys are on the expensive side for many organizations, initiatives such as Google's Advanced Protection Program or Microsoft’s AccountGuard provide these keys for free to some qualifying at-risk groups. Contact the people who gave you the Handbook to see if they can connect you to such programs, or contact [email protected].
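For readers who want to see why a security key is so hard to phish, here is an added example, written for this Handbook rather than taken from any key vendor or website, of the checks a website performs on a FIDO2/WebAuthn login. The site name, origin and the three login scenarios are constructed. One assumption to note: a real key signs with a private key (ECDSA or EdDSA); the standard library cannot do that, so an HMAC over a per-credential secret stands in for the signature. The structure of the signed data and the order of the checks follow the WebAuthn specification.

```python
"""Added example of why a FIDO2/WebAuthn security key resists phishing:
the browser writes the page's origin into the data the key signs, and the
site (relying party) checks that origin and the rpIdHash before trusting
the signature. Constructed data; not YubiKey or any vendor's code.
Assumption: an HMAC over a per-credential secret stands in for the key's
real ECDSA/EdDSA signature."""
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "accounts.example.org"                 # the site that registered the key
EXPECTED_ORIGIN = "https://accounts.example.org"
FLAG_USER_PRESENT = 0x01                       # the physical "tap" on the key


def authenticator_get_assertion(cred_secret: bytes, rp_id: str,
                                client_data_json: bytes, counter: int) -> dict:
    """What the key does at login: build authenticatorData for the rpId the
    browser passed in and sign it together with the hash of clientDataJSON.
    The key itself never inspects the origin; it only signs what it is given."""
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([FLAG_USER_PRESENT])
                 + struct.pack(">I", counter))
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return {"authenticatorData": auth_data,
            "clientDataJSON": client_data_json,
            "signature": hmac.new(cred_secret, signed, hashlib.sha256).digest()}


def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    """The browser, not the page's JavaScript, fills in the origin field."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": challenge.hex(),
                       "origin": page_origin}).encode()


def rp_verify(assertion: dict, cred_secret: bytes, challenge: bytes,
              last_counter: int) -> tuple[bool, str]:
    """Relying-party checks, in the order WebAuthn lists them."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != challenge.hex():
        return False, "challenge mismatch (replay)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client.get('origin')!r} is not ours (phishing)"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence not asserted"
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if counter <= last_counter:
        return False, "counter did not increase (cloned credential?)"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def run_scenarios() -> dict[str, tuple[bool, str]]:
    cred_secret = secrets.token_bytes(32)   # registered with the site at enrolment
    challenge = secrets.token_bytes(32)     # fresh for every login attempt
    results = {}
    # 1. Genuine login from the real site.
    cd = browser_client_data(challenge, EXPECTED_ORIGIN)
    a = authenticator_get_assertion(cred_secret, RP_ID, cd, counter=5)
    results["genuine"] = rp_verify(a, cred_secret, challenge, last_counter=4)
    # 2. A look-alike site relays the real challenge. The browser stamps the
    #    look-alike's origin into clientDataJSON, so the real site refuses it.
    #    (A real browser would also refuse the mismatched rpId; it is let
    #    through here to show that the origin check alone is enough.)
    cd_phish = browser_client_data(challenge, "https://accounts-example.org")
    a = authenticator_get_assertion(cred_secret, RP_ID, cd_phish, counter=6)
    results["relayed"] = rp_verify(a, cred_secret, challenge, last_counter=4)
    # 3. The attacker rewrites the origin to the real one. The signature now
    #    covers a different clientDataJSON hash than the one presented.
    a["clientDataJSON"] = cd
    results["tampered"] = rp_verify(a, cred_secret, challenge, last_counter=4)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:9s}: {'accepted' if ok else 'rejected'} ({why})")
```

The second and third scenarios are the whole story: a user can be fooled into tapping the key on a look-alike page, but the resulting response names the wrong origin, and the attacker cannot edit it without breaking the signature. Compare that with a typed-in code, which carries no information about where it was typed.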
Authentication Apps
The second-best option for 2FA is authentication apps. These services allow you to receive a temporary two-factor login code through a mobile app or push notification on your smartphone. Some popular and trusted options include Google Authenticator, Authy, and Duo Mobile. Authenticator apps are also great because they work when you do not have access to your cellular network (the codes are computed on the phone from a secret shared at setup and the current time, so no message needs to be delivered) and are free to use for individuals. However, authenticator apps are more susceptible to phishing than security keys because users can be tricked into entering codes from an authentication app into a fake website, and a code typed into the wrong site is still valid for the real site for a short while. Take care to only enter login codes on legitimate websites. And do not “accept” login push notifications unless you are sure that you are the one who made the login request. It is also essential when using an authenticator app to be prepared with backup codes (discussed below) in case your phone is lost or stolen.
Codes via SMS
The least secure but unfortunately still most common form of 2FA is codes sent via SMS. Because SMS messages can be intercepted in transit and phone numbers can be taken over through your mobile carrier, SMS leaves a lot to be desired as a method for receiving 2FA codes. It is better than a password alone, but an authenticator app or a physical security key is recommended whenever possible. A determined adversary can get access to SMS 2FA codes, often just by calling the phone company, impersonating you, and having your number moved to a SIM card they control (a “SIM swap”).
When you are ready to start enabling 2FA for all of your organization’s various accounts, make use of this website (https://2fa.directory/) to quickly look up information and instructions for specific services (like Gmail, Office 365, Facebook, Twitter, etc.) and to see which services allow for which types of 2FA.
What if someone loses a 2FA device?
If using a security key, treat it the same way you would treat a key for your house or apartment, if you have one. In short, do not lose it. Just like your house keys though, it is always a good idea to have a backup key registered to your account that stays locked away in a safe place (like a safe at home or a safe deposit box) just in case of loss or theft.
Alternatively you should create backup codes for accounts that allow it. You should keep these codes saved in a very secure place, like your password manager or a physical safe. Such backup codes can be generated within most sites’ 2FA settings (the same place where you enable 2FA in the first place), and can act as a backup key in case of emergency.
The most common 2FA mishap occurs when people replace or lose the phone they use for an authenticator app. If you use Google Authenticator without its account-sync or transfer feature turned on, you are out of luck if your phone is stolen, unless you saved the backup codes generated when you connected each account. Therefore, if you are using Google Authenticator as a 2FA app, be sure to save the backup codes for all accounts that you connect in a secure place, and check that you can recover your codes before you actually need to.
If using Authy or Duo, both apps have built-in backup features with strong security settings that you can enable. If you choose either of those apps, you can configure those backup options in case of device breakage, loss, or theft. See Authy’s instructions here, and Duo’s here.
Be sure that everyone in your organization is aware of these steps as they start to enable 2FA across all of their accounts.