In a rare moment of consensus, security experts agree that password managers are the best way to keep accounts secure. Back in 2015, we posted about the best practices of security experts, and at the time 75% of them used a password management tool. In the almost exactly two years since that post, our recommendations have changed. LastPass was hacked shortly before we published our 2015 post, and now history is repeating itself: a security researcher at Google discovered a “major architectural problem” within LastPass that could allow hackers to steal passwords. But before we get into those recommendations, it might help to talk about what a password manager is and how it works.
Why Use a Password Manager?
A password manager generates, retrieves, and keeps track of very long, very random passwords across all your accounts. When you need to retrieve a password or create a new one, you enter one master password to access your entire vault of passwords. Their encryption is generally much stronger than you could hope to achieve on your own.
To get started, most password management systems require that you download and install an application for your desktop computer and mobile phone, as well as extensions for your browsers. We recommend skipping the browser extensions, which are fundamentally risky: visiting a malicious website or encountering malicious advertising can expose all of your stored credentials to theft.
Password Managers for Consumers
1Password (starting at $2.99 per month) and Dashlane (free) are two popular proprietary password managers that work this way. KeePass is another widely favored password manager, but it’s open source and requires a bit more technical savvy—creating your own password database to get started, for example.
Enterprise Password Managers
We tend to deal with enterprise-level solutions here at I.T. Roadmap, and Dashlane for Teams and LastPass Enterprise are two of the more common solutions we encounter. Both have their strong suits, but they are both paid services and they both cover ALL your passwords by default. You certainly can opt out of adding your Zappos or eBay login information to your LastPass Enterprise account, but it’s inconvenient to ask yourself, “Is this login in LastPass, or do I enter it manually?” every time you want to get into an account. As a result, employees may not want to separate their personal and company passwords, and ultimately that creates privacy issues for employees. For situations where employees switch between computers or devices, the password manager must be installed and kept updated in each environment, and that can be a headache.
For our G Suite customers, we like the idea of Google SSO, aka Google Single Sign-on. Google SSO lets users access their G Suite cloud applications by signing in one time for all Google apps, but better than that, you can access third-party applications too. This system uses Security Assertion Markup Language (SAML), a standard, secure way to exchange sign-in assertions between an identity provider and the apps that trust it. For employees who switch computers and devices frequently, this can be helpful, because it allows you to add just business apps to your Google dashboard—and then you’re signed into your business apps when you’re signed into Google. Examples of apps that can be launched with Google SSO include Office365 (!), Dropbox, SalesForce, WebEx, Workday, Marketo, NetSuite, Slack, DocuSign, Asana, GoToMeeting, Freshdesk, Smartsheet, Zendesk, Trello, Workplace by Facebook, and Amazon Web Services.
One advantage is that, once an app is added by the G Suite administrator, everyone in the organization will have access to that app from their own Google App Launcher. Another advantage is that it can increase security: the SAML-connected apps may not require two-step verification on their own, but signing in through Google puts Google’s two-step verification in front of them. Third, you can add any app that supports SAML. If you’re an administrator who needs to set up a custom SAML app, just follow these instructions. Those instructions aren’t very straightforward, and we regret to say that adding a standard Google-SSO-ready app is not entirely seamless either. This article might help.
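As an added example that is not code from this post or from Google, the snippet below shows the checks a SAML-connected app (the service provider) has to make on the assertion it receives from the identity provider before signing the user in: issuer, validity window and audience. The issuer URL, app entity ID and the assertion itself are constructed placeholders, and the XML signature is assumed to have been verified already with an xmlsec-based library, which the standard library cannot do.

```python
"""Added example, not code from the I.T. Roadmap post or from Google: the
checks a SAML service provider makes on an assertion before trusting it."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Assumed identifiers: the identity provider's issuer and this app's entity ID.
IDP_ISSUER = "https://idp.example.com/saml"
APP_ENTITY_ID = "https://app.example.com/saml/metadata"

# Constructed sample assertion; the signature value is a placeholder.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2017-04-01T12:00:00Z" NotOnOrAfter="2017-04-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{APP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now_stamp, issuer=IDP_ISSUER, audience=APP_ENTITY_ID):
    """Return (True, name_id) if every condition holds, else (False, reason).

    The XML signature must already have been verified against the IdP's
    certificate (xmlsec); here we only refuse assertions with no signature."""
    root = ET.fromstring(xml_text)
    if root.find("ds:Signature", NS) is None:
        return False, "unsigned assertion"
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        return False, "unexpected issuer"          # assertion from another IdP
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "missing Conditions"
    now = _utc(now_stamp)
    if now < _utc(cond.get("NotBefore")) or now >= _utc(cond.get("NotOnOrAfter")):
        return False, "outside validity window"    # stale or replayed assertion
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return False, "not issued for this app"    # assertion meant for a different SP
    return True, root.findtext("saml:Subject/saml:NameID", namespaces=NS)
```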
Want help picking a password manager that meets your needs? We can help; contact us at your convenience.