Password Managers – Who Has Your Passwords

Password Managers is something we should all endorse, with a security-conscious world, we need to take corrective measures to make sure you are secure.

Cyber Security is a key aspect we need to look at in today’s connected world, from our children finding entertainment on YouTube to major businesses transferring billions over the internet.

Often overlooked is who has access to what. An IT Department / IT Company is often trusted with secure passwords to access all their systems.

This is fine but you should have checked in place to make sure a single employee doesn’t control access.

Such is a case in the USA, a college fired an employee and the password was then held to ransom for $200,000.

We provide some guidelines to follow below.

Make sure no personal addresses are used as a Recovery Option

A recovery method is essential in case of forgetting passwords and somehow not having access to a stored password or in the case of a Cyber Attack.

This can cause the password to be changed. In the case of the linked story above the employee had his personal email as the recovery address, for a while Google said no to reset it due to their policy.

Make sure the recovery address is linked to the organisation, even if it is a throwaway email address not associated with the domain (recommended),

you should ensure the policy does not allow the use of personal Email addresses.

Unique Passwords for every site

This sounds obvious but the number of people even in the tech world that uses a variation of the same password.

We went to help someone recently that had 1234 and changeme in their password, clearly left as a placeholder to encourage the user to change it but this was their only password on multiple machines.

Regardless of how complex your password maybe it needs to be unique.

The reason is simple if a site was breached and passwords leaked if you used one complex password that password would then be out in the open for all to try.

Consider Password Managers

Consider a Password Manager to make sure you can keep track of the many different passwords you will end up with,

most Password Managers also have the functionality to generate a password and this is useful when creating unique passwords.

Make sure the CEO/CFO have access to Passwords

You don’t want any IT company to hold all the keys to your kingdom,

best practices are to have the main password locked away in a safe so if an employee leaves, is fired, or if an IT company goes out of business then you won’t be locked out of your crucial systems.

For example, when we encrypt systems we set a unique key, this is stored in a secure place that our clients can access as without this key recovery is impossible.

Security awareness training

Keeping staff clued up on what to do can make the difference between your company making the right steps towards a secure environment, and staff accidentally opening up the doors to a breach.

With GDPR if such a breach occurs you have to report it to your customers and the Information Commissioners Office (ICO), along with the potential fines it is not worth it.

Quite a few companies offer Security Awareness Training including Hamilton Systems, look at booking a session with whoever you choose to use. The difference it will make to your staff will pay dividends to protect your business.