Risks Of Managing End User Passwords (Statistics)By: IPVM Team, Published on Dec 05, 2017
Integrators know admin passwords for nearly all end-user systems, according to IPVM statistics.
But how do they manage them? How do they ensure those passwords are secure?
150+ integrators told us and end users are unlikely to be happy about it.
Spreadsheets By Far Most Common
By far the most common answer was that integrators kept passwords in spreadsheets, stored locally or via cloud storage for access while in the field.
In second place was integrators using a standard admin password for all customers or, moderately better, construct the password using a standard formula based on customer information plus a base password.
We review the reasoning for each of these below.
The majority of respondents said that they simply used a spreadsheet to manage user passwords. Some said they used cloud storage for these sheets while others said they were simply kept locally.
- "Every project has a DEVICE and IP INFO Spreadsheet. We list all of the IP devices and their address and Credentials. We file them per customer and keep it on a secure drive."
- "Spreadsheets. Not very secure, I know. We need to find an alternative solutions that's easy to use and maintain. This project is on the to-do list."
- "We are looking for a secure online database solution for customer equipment information. Currently this is handled on our local server."
- "We are standardized on Google apps for business and use a GoogleSheet that is shared with our internal tech support staff."
- "We manage secure usernames and passwords using EXCEL spreadsheets and backing up the sheets on the Company server."
- "Very challenging. Currently use spreadsheets per site. Looked at cloud solutions, very expensive and data hosted elsewhere."
- "We have a master spreadsheet that's only available to our technicians."
- "We store user names and passwords on a spreadsheet that is encrypted."
- "We keep a secured excel spreadsheet on an encrypted 2FA cloud service."
Universal Admin Password Password or Formula to Determine Password
The next largest segment said they used a standard admin password across all sites or used a base password and a formula to construct the admin password so it could be figured out by any technician.
Note: we strongly recommend not using standard passwords across multiple customers, as compromising this password impacts all customers.
- "I use a master admin password so I can modify their users as necessary, and ask customers to give me their preferred password."
- "We use the same admin username and password for every system, and if it is removed by the end user we discuss with them why it needs to be there. Fortunately, very few customers have given us a hard time about it because they sometimes have a higher turnover with their own IT staff than we do, and they are fearful of getting locked out of their own system."
- "We usually put the same password in all of our systems but don't give it out. We have tried a couple of times to do unique passwords but we get a lot of kick back because it's "too hard" to keep track of them. It's going to bite us some day. People who do have restrictions on passwords, we do configure unique ones, but those are usually handled by one engineer and they know where that information is kept."
- "We create a vendor login and clearly identified it as a vendor login as well as make the customer aware that we have a log into their system then change any defaults. We use a combination of the customer data to formulate the password. It's not a secure system by any means and if the tech were to leave they would be able to capture that password and gain access however it's like the number one service request we have to do something."
- "We create unique passwords using a scheme. Each tech understands the scheme and can use it to create or recall the password for each device."
- "I have a master password for all the systems."
- "Our branch has a handful of set usernames/passwords for service/install. We train customer on entering and choosing U/P but don't get involved after that with customer usernames and passwords."
- "If you know the account# there is a formula that can be done in your head to determine the password."
A much smaller segment of users said they used password managers to store these passwords, such as LastPass, KeePass, or MSecure [link no longer available]. These programs allow techs to retrieve complex passwords for customer systems when on site via mobile app or web portal, instead of relying on a master password or copies of password lists stored on portable drives or in the cloud.
LastPass and KeePass were the most popular options for password managers.
- "Lastpass, as well configuration items in my CRM. All of our client data requires 2 factor to access."
- "If we have to keep them for any reason, they are stored in Last Pass with applicable access distributed and monitored."
- "We use LastPass iphone application to manage passwords. All techs have log in and access to customer passwords. We just started use this app and been Beta tested for
6 months so we are implementing all techs to use starting a few months ago."
- "We use Keepass to keep an encrypted file of our passwords in a centralized location."
- "On my mobile device I use Mini Key pass and the full version on desk top systems."
- "Currently customer usernames and passwords are created using a password creator and stored using a utility such as KeePass."
- "We use a dedicated program that works with a multitude of devices and syncs via the cloud so we all operate from the same secured database. It works across Apple, Windows and Android with both mobile and desktop apps. Allow us to customize the fields and password generator options to meet our needs. https://www.msecure.com/ Note we use the previous version from what is listed at that link currently. It gives us more control of the database location."
In addition to those packages, consultant Rodney Thayer [link no longer available] noted:
There are many open source packages, check "7 open-source password managers to try now that LogMeIn owns LastPass" for example.Some integrators have workflow solutions with trouble tickets and such and those sometimes have secure file storage on a project-by-project basis and that would do it. An encrypted USB stick with your password spreadsheet would get partial credit ;-)
Finally, a few integrators mentioned software packages for IT documentation or as part of their CRM. ITGlue was the only platform mentioned by name.
- "We now have individual randomly generated complex passwords for each customer and each type of devices for the customers. IT GLue is amazing solution to manage password and documentation."
- "We have been using ITGlue."
- "All usernames and passwords are stored within a CRM software."
- "Configuration items in my CRM. All of our client data requires 2 factor to access."