What Password Management Is, What Password Management Isn't

When you start talking about password management, you inevitably start launching into the technical details: what types of authentication token to use, how to structure your SQL servers, cloud vs. on-premise, etc. However, it’s important to take a step back and understand what password management is and what password management isn’t.

What Password Management Isn’t

Let’s begin by defining what password management isn’t. There is a fallacy that by simply buying a piece of software that stores passwords, you are done with password management. We hear it all the time: that this smartphone app or that web-based application hosted by some provider is all you need to manage passwords.

That myth is absolutely incorrect. Password management, like security in general, is a process and not a product. You cannot buy your way into password management nirvana. There is a lot to consider when looking to roll out a password management strategy. Even before you purchase technical safeguards to help achieve your password management objectives, you need to understand who the players are, what needs to be protected, and just how you will measure and audit that the system is working to your satisfaction.

We've heard the ludicrous statement that "software custom built by an MSP makes it BETTER for MSPs". Working with thousands of MSPs around the world of different sizes, from companies with a handful of technicians managing a couple hundred endpoints to large MSPs with hundreds of technicians managing tens of thousands of endpoints, one thing rings true: it’s not the size that matters, or the technology selected. It is the processes put in place that drive successful password management, bound together in a way that allows staff to get the job done quickly, efficiently and securely. Yes, it includes technology. But technology isn’t the driving force of the process. In fact, it is the last thing to consider.

Password management is more than simply storing passwords. It requires you to step back and consider the implications to the people who need to use it and manage it. What good is a password manager that is stored on a single cell phone that can be lost or stolen? How effective is storing backups of such apps in Dropbox or SkyDrive in an effort to share the database, without knowing who actually has it, has seen it, or has changed it?

In March of 2012, Elcomsoft released a whitepaper analyzing 17 popular smartphone apps that describe themselves as “secure password managers”. These applications included LastPass, 1Password Pro, mPassword and Password Wallet. They concluded that, because of weak storage of master passwords, it was rather easy to recover stored passwords in less than a day. A strong statement from one of the researchers sums it up rather clearly (emphasis ours):

“Using the right encryption algorithm is not enough”, says Andrey Belenko, ElcomSoft Chief Security Researcher. “It only takes one weak link to ruin the entire security model. Some of the tools would have a better chance to pass our security test if they were about 10,000 to 20,000 times more secure in terms of password recovery speed. Some other tools are completely hopeless and should be avoided at all costs.”

Another researcher goes on to talk about how programming skills are simply not enough when building IT security tools.

“Our research proved once again that IT security requires more than just programming skills”, comments Dmitry Sklyarov, ElcomSoft IT Security Analyst. “With open-source strong-crypto libraries everyone and their dog can write a password keeper, claiming their product offering secure protection – which is not really the case. A good security model takes the whole system into account including the user himself – and not just the strength of the encryption algorithm alone.”

Why would you trust the storage and control of your passwords to an app on your phone or a shared website whose authors may not actually have a good understanding of secure coding patterns and practices? This is everything that is WRONG with many password managers today. They do not balance the actual needs of the people who must follow the defined processes against the products built to handle those passwords securely.

Password management is more than just storage. It has to include access control, auditing, and change management. These are all parts of a bigger process, which we will now explore.

What Password Management Is

When it comes to a password management process, one of the best methodologies to base it upon aligns with the ISO 27001 standard. In many MSPs, this may align more closely with the widely adopted ITIL Security Management process, which itself is based on ISO 27001. It focuses on four key areas: Planning, Implementation, Evaluation, and Maintenance.

This is an important point. Storing passwords is not enough when it comes to password management. We want to make sure that the credentials stored in the manager actually are the ones in use on the systems and services they belong to. Far too many times in the field we hear that the password on the system isn’t the one stored in the old manager, spreadsheet or text file. When this is the case, and we are forced to act to bring the stored password back into sync with the system, we want to change the credential right then and there. And when possible, this should be done through automation, to reduce the human and technical failures that can occur when we count on people to get involved.

  When summed up, a good password management process will include several key components:

  • A way to control who can access the passwords
  • A way to determine who has accessed the passwords
  • A way to control what a person can do with passwords (create/read/write/delete)
  • A way to check that passwords stored meet complexity and compliance rules
  • A way to check that passwords stored match with what is actually being used on the systems and services
  • A way to automatically change passwords when required and possible
  • A way to inform those with authority when a password requires manual intervention to be changed
  • A way to inform those with authority when something is wrong or goes against the password management process
  • A way to centrally store and access passwords from virtually anywhere practical and required
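As an added illustration (not code from the original article or from AuthAnvil), a small Python model of the first six components above: a vault with per-user read/write control, an audit trail of every access, a complexity rule, and a drift check that confirms the stored credential is still the one the target system accepts. The system-side PBKDF2 hash stands in for a real verifier such as a test login, and the policy regex, user names and sample credential are constructed for the example.

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Stand-in for "what the target system actually accepts" (an assumption for this
# example): a PBKDF2 hash of the live password instead of a real test login.
def system_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Vault:
    """Minimal model of the process components: ACL, audit trail, policy, drift check."""
    # Complexity rule (constructed): 14+ chars with lower, upper, digit and symbol.
    POLICY = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{14,}$")

    def __init__(self, acl):
        self.acl = acl        # user -> set of rights, e.g. {"read", "write"}
        self.secrets = {}     # credential name -> password
        self.audit = []       # (utc timestamp, user, action, name, outcome)

    def _log(self, user, action, name, outcome):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, user, action, name, outcome))

    def write(self, user, name, password):
        """Create/update a credential; denied without 'write', rejected if weak."""
        if "write" not in self.acl.get(user, set()):
            self._log(user, "write", name, "denied")
            return False
        if not self.POLICY.match(password):
            self._log(user, "write", name, "rejected:policy")
            return False
        self.secrets[name] = password
        self._log(user, "write", name, "ok")
        return True

    def read(self, user, name):
        """Return a credential only to users holding 'read'; every attempt is logged."""
        if "read" not in self.acl.get(user, set()) or name not in self.secrets:
            self._log(user, "read", name, "denied")
            return None
        self._log(user, "read", name, "ok")
        return self.secrets[name]

    def check_drift(self, name, salt, live_hash):
        """True if the stored credential matches the system; otherwise flag it for rotation."""
        in_sync = hmac.compare_digest(system_hash(self.secrets[name], salt), live_hash)
        self._log("scheduler", "drift-check", name, "in-sync" if in_sync else "DRIFT:rotate")
        return in_sync
```

Every outcome other than "ok" or "in-sync" in the audit list is exactly the kind of event the last three components above say should reach someone with authority.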

Conclusion

Good password management involves careful consideration of the people who will be using your password management systems, the process they will be required to follow, and the system they will be using to ensure that password policies are followed. If you get one of these dimensions wrong, it can cause serious password management problems.