Subscriber Discussion

Password Requirements, Management, And Creation Tools

Sean Patton
Oct 11, 2018

Secure but memorable passwords are difficult to create and maintain, especially when creating longer passwords is one of the best ways to prevent brute force cracking attempts.

With California's new password legislation as a jumping-off point for this discussion, and the fact that over 90% of Integrators we surveyed last year know the admin passwords at their customers, is there a process you go through when creating and assigning passwords to cameras, users, admin accounts, etc.?

2 out of the 3 integrators I worked at used the same admin password, service passwords, and camera login passwords at every single customer (unless the customer dictated otherwise, which happened less than 10% of the time). From an alphanumeric standpoint, they were "medium" to "strong" passwords, but every camera at every site was the same.

The downside of creating individual and more complex passwords relates to servicing the system. Technicians will need to have access to a list or database of each individual password for each site. Customers will potentially create more service calls because of forgotten passwords.

Some VMSes allow users to set minimum password lengths, and complexity, for users, but not camera connection settings.

Commercially available password managers like LastPass, Dashlane, Keeper, and others create, store, and manage your passwords while keeping each one random and significantly long and complex. However, I suspect their use in surveillance is limited.

Does anyone use a password manager with their cameras or VMS? What is your method for creating, storing, and managing Admin and camera connection passwords?

Michael Miller
Oct 11, 2018

We use ITGlue for documentation and password management. All of our devices are asset tracked and the passwords are set up on each device in the office before they go onsite to be installed.

(2)
Sean Patton
Oct 11, 2018

Thanks Mike, that looks like pretty deep software, how long have you used it? Where did you hear about it?

Do you have a process for creating passwords for each site? Do you use a random generator, or is it dictated by the customer?

A link to: ITGlue's Website

Michael Miller
Oct 11, 2018

8 months or so. You set up a password strength and ITGlue will generate a password for you. Each customer has multiple randomly generated passwords.

(1)
Dan Droker
Oct 11, 2018
LONG Building Technologies • IPVMU Certified

We just reviewed a few team-based password management programs a few months ago. I had an intern install trial versions of several options, and LastPass Teams is what we decided worked best for us, in large part because it is both easy to administer from a browser and easy for a tech to pull up a password in the mobile app to type into a client system.

Just this week, a customer who uses Dashlane told me to avoid that.

Undisclosed Distributor #1
Oct 11, 2018

Out of curiosity, would those out there consider the use of 2-factor authentication to provide a properly secure solution for something like this? For example, you could have each device use the same text password, but using a second-factor authentication method such as Google Authenticator could generate a time-sensitive code, unique to the device.

The downside that I would see is that each device would have to be entered into the application and you would have to be able to identify them easily and accurately to generate the key. Data maintenance would be imperative, but should be anyway.
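An added example, not part of the original thread: per-device time-based codes as described in the post above, implemented as RFC 6238 TOTP with one independent secret per asset ID. It assumes the device or its front end can verify TOTP at all; the asset IDs and the `enroll` and `authenticator_key` helpers are hypothetical names.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

def totp(secret: bytes, at: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, 30-second steps (Google Authenticator defaults)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, at: float, drift_steps: int = 1, step: int = 30) -> bool:
    """Accept the current step plus or minus drift_steps to tolerate clock skew."""
    return any(
        hmac.compare_digest(totp(secret, at + d * step, step=step), code)
        for d in range(-drift_steps, drift_steps + 1)
    )

def enroll(device_ids):
    """Create one independent 160-bit secret per device, keyed by asset ID."""
    return {dev: secrets.token_bytes(20) for dev in device_ids}

def authenticator_key(secret: bytes) -> str:
    """Base32 form of the secret, as entered into an authenticator app."""
    return base64.b32encode(secret).decode("ascii")

# Constructed asset IDs; a real list would come from the asset inventory.
INVENTORY = enroll(["site-a/cam-01", "site-a/cam-02", "site-b/nvr-01"])

if __name__ == "__main__":
    now = time.time()
    for device, secret in INVENTORY.items():
        # Same moment, different code per device, because each secret is unique.
        print(device, totp(secret, now))
```

The per-device secrets become the credentials that have to be stored and tracked, which is the data-maintenance burden the post anticipates.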

Undisclosed Integrator #2
Oct 11, 2018

We use EnPass.

Overall it works well and can be shared between multiple people via Dropbox, etc.

No ongoing monthly charges, and it has a password generator built in to make it easy.

Also can back up the database, etc. The main feature I would say is missing is multi-user audit trails, but you can get a password history, so that helps if someone messes something up.

Undisclosed Integrator #3
Oct 12, 2018

We have been using 1Password. It's fairly easy to use and works well on mobile. One of our requirements for a password manager was that it had to be available offline and it had to have the ability to create templates. Their tech support was surprisingly responsive, which we found to not be the case with a few other popular password managers.

We have been using randomly generated passwords for the most part. One thing I find irritating with some cameras, IoT devices, and some websites is that the password recipes are not very robust, with either low maximum character count or limited special characters. These devices and services fail to indicate when a password does not comply with their password requirements, thus allowing you to save a non-compliant password that would never function correctly. I recall Arecont being particularly annoying in this regard.

(1)
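An added example, not part of the original thread: generating random per-device passwords that stay inside each device's actual limits, and checking a candidate before it is saved, which addresses the silent non-compliance described in the post above. The `DevicePolicy` class and both policies are constructed for illustration and do not describe any real product.

```python
import secrets
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class DevicePolicy:
    """Password rules a device actually enforces (values below are constructed)."""
    min_len: int
    max_len: int
    specials: str  # special characters the device accepts; "" if none

    def alphabet(self):
        return string.ascii_letters + string.digits + self.specials

def violations(password, policy):
    """List the reasons a device would reject or silently mangle this password."""
    problems = []
    if len(password) < policy.min_len:
        problems.append("too short")
    if len(password) > policy.max_len:
        problems.append("too long")
    bad = sorted(set(password) - set(policy.alphabet()))
    if bad:
        problems.append("unsupported characters: " + "".join(bad))
    return problems

def generate(policy, want_len=24):
    """Random password from the OS CSPRNG, clamped to what the device supports."""
    length = max(policy.min_len, min(want_len, policy.max_len))
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if policy.specials:
        classes.append(policy.specials)
    if length < len(classes):
        raise ValueError("policy too short to include every character class")
    while True:  # resample until every allowed character class is present
        pw = "".join(secrets.choice(policy.alphabet()) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw

# Constructed policies for two hypothetical device types.
LEGACY_CAMERA = DevicePolicy(min_len=8, max_len=16, specials="!@#")
VMS_ADMIN = DevicePolicy(min_len=12, max_len=64, specials="!@#$%^&*-_=+")

if __name__ == "__main__":
    pw = generate(LEGACY_CAMERA)
    print(pw, violations(pw, LEGACY_CAMERA))
```

Running `violations` against the target device's policy before pushing a password catches the mismatch in the office rather than at the login screen on site.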
Undisclosed Integrator #4
Oct 12, 2018

I once set the password on a NUUO NVR to something longer than could be entered on the login screen. But I happen to know how to use F12 Dev Tools, so when I had trouble, I simply removed the maxlength from the input, entered it again, and it worked. That speaks volumes about the level of NUUO's programming...

(1)
John Honovich
Oct 12, 2018
IPVM
Undisclosed Integrator #4
Oct 12, 2018

We're moving to Keeper. It has a few annoying quirks (never showing the passphrase while you're trying to log in; browser extension that's probably best to avoid), but it seems to work.

Quick note: I say it's best to avoid Keeper's browser extension. It's probably best to avoid all password manager browser extensions. Keeper is by no means the only one to have vulnerabilities. Here's one where LastPass was vulnerable. As a former web developer, let me tell you the web is a hostile place. It's best to avoid that attack vector entirely, even though it means you can't have phishing protection.

We tried Password Safe with a few employees, but it doesn't have the enterprise features we need. If somebody quits the company and still has a copy of the safe file, they can still access the passwords. Not good.

Before I started at the company, our password security was pretty poor. We didn't think much about camera passwords because the camera network was often isolated from the rest of the network or firewalled off. But the servers weren't isolated and when they started getting hacked we realized something needed to change.

Daniel S-T
Oct 12, 2018

Has anyone considered using passwords unique to a site that are just long?

I remember reading parts of an article a while back about how we are focusing on making complex passwords (one capital, one lowercase, one number and one special character), but if we just made longer passwords that made sense to us, like a line from a song, or poem, or a quote, it would also be quite secure, but possibly easier to remember.

I don't think this is the article I read, but it has the same principle.

I used to always just use the same password, even in my own personal life with stuff. The same or similar, but lately I've been thinking of changing that, but sometimes I have a hard enough time remembering which variation of my password I used for this app, or that website, or this and that. I've always been slightly wary of password managers, even though I do use Google's for Chrome stuff. It's great you can find everything in one place, but what happens if your password manager gets compromised? Or am I just being mister doom and gloom pessimist here?

But what about just long passphrases for each site, like "ABC Secur1ty @ Johns0n$Contructi0n!" Possibly easier to remember, harder to brute force or anything. Though now that I type it out I see there would just be a template, so if someone figures out your password template "He always uses his company name @ customer name!" then it defeats the purpose as well.

Just spitballing I guess.

Will Doherty
Oct 12, 2018
Liberty Consulting, Inc • IPVMU Certified

It looks like the industry is moving towards better password and firmware utilities for edge devices. DellEMC surveillance uses VMware Pulse for password and firmware management. I believe other companies are starting to incorporate Pulse or similar products into their VMS and cameras. Project LIOTA from VMware also shows where the industry is moving. Camera manufacturers that do not add utilities for firmware and password management will lose enterprise-level business.

VMWare Pulse

LIOTA

Viakoo has a beta for password management.

Viakoo Link

IoT is bringing billions of connected devices into the ecosystem so these management tools will be taking off in the next 18 months. It is about time imo.

Undisclosed #5
Oct 14, 2018
IPVMU Certified

I adopted Rukmini’s suggestion from long ago: 

Use One Password Scheme For All Your Websites

(1)