I am wondering if there is any advice about the use of a password manager on workstations.
What is the most secure password manager that you would use?
We have the ones in our browser that propose to save the password for every website that you use.
But there are also the ones that you can install on your machine that hold a local database, for example the KeePass and 1Password applications.
What password manager is used for each OS (MacOS, Windows, Linux)?
Any recommendations on this?
Thanks for your help.
I work in an enterprise with 450,000 staff globally; we all use 1Password for Windows endpoints, MacOS and Linux machines.
It works very well indeed, it is stable and works very well indeed.
I have used a few:
From a risk perspective, make sure the following are on your radar:
First, cloud-based password managers seem like very bad ideas, period. What SLA will you rely on for making you whole after losing every password because that company failed to find that one big vuln?
So if you're wandering from WS to WS and you need access to a small password stash, encrypt a USB stick with BitLocker and throw Keepass on it. BitLocker requires a password. Keepass requires a password.
Use long passwords, and make certain they're not the same at all.
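The BitLocker-plus-KeePass USB setup described above, as an added PowerShell example that is not part of the original post. It assumes the stick is mounted at E: (placeholder), that the workstation runs a Windows edition with the BitLocker PowerShell module, and that the prompt is elevated.

```powershell
# Added example (not from the thread): encrypt a removable drive with a
# BitLocker password protector before placing a KeePass .kdbx database on it.
# Assumes the USB stick is mounted at E: (placeholder) and an elevated prompt.
$mount = "E:"

# Prompt for the BitLocker password without echoing it to the console.
$pw = Read-Host -Prompt "BitLocker password for $mount" -AsSecureString

# Enable BitLocker To Go with a password protector; used-space-only encryption
# is fast on a mostly empty stick, and new data is encrypted as it is written.
Enable-BitLocker -MountPoint $mount -PasswordProtector -Password $pw -UsedSpaceOnly

# Add a recovery password so a forgotten BitLocker password does not mean a
# lost vault; keep the 48-digit key somewhere other than the stick itself.
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Write-Host "Recovery password (store offline, not on the stick):" $recovery.RecoveryPassword

# Wait for the initial encryption pass to finish before checking protection.
do {
    Start-Sleep -Seconds 5
    $vol = Get-BitLockerVolume -MountPoint $mount
} while ($vol.VolumeStatus -eq 'EncryptionInProgress')

# Refuse to proceed unless the volume reports protection On; only then copy
# the KeePass database (which is itself protected by its own master password).
if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not On for $mount (status: $($vol.ProtectionStatus))"
}
"{0} {1}, {2}% encrypted, protectors: {3}" -f $vol.MountPoint, $vol.VolumeStatus,
    $vol.EncryptionPercentage, ($vol.KeyProtector.KeyProtectorType -join ', ')
```

The two layers stay independent: the BitLocker password unlocks the volume, and the KeePass master password unlocks the database, so as the post says, they should be long and different.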
@ericgeater I agree, but if it is hosted within the main provider's environment globally, within their own data centres, and fully supported, including being compliant with SOX on a 24x365 basis, it works, and there is plenty of resilience and assurance. Especially when there is a huge financial penalty hanging over the CEO's head every 90 days.
@Caute_cautim Yes, but it's a level of unnecessary complexity. I'm certain that there are use cases which benefit from having an accessible password manager in the cloud layer, but I'm too paranoid to transfer that particular type of risk. At the very least, and if I were required to use such a service, I'd probably compose all my passwords so that they all share the same last ten characters. And then I would store passwords with that bit missing. Anyone who may find my treasure trove would have incomplete data.
Besides, the OP described activity moving from workstation to workstation, so theirs probably isn't a good example of cloud-stored passwords, anyway.
I'd probably compose all my passwords so that they all share the same last ten characters. And then I would store passwords with that bit missing.
The phrase I hear for this is "salting your passwords", in remembrance of the days when UNIX crypt() reigned supreme. It seems to be a common and effective response to a lack of complete trust in a password manager, which in some cases is well deserved. In effect, it is a poor man's 2FA: the vault has the first part and you know the salt.
cloud-based password managers seem like very bad ideas, period
Are you referring just to a web-app, where everything lives in the cloud, or do you also eschew installed apps that use the cloud to sync an encrypted vault? Also, do you draw a distinction between public and private cloud in your risk analysis?
My risk tolerance varies greatly between those cases.
With respect to the USB option, I do like Portable Apps, but I do get concerned about storing data on USB due to the difficulty in automating backups. USB drives live a tough life; they get lost, broken and corrupted.
@denbesten said: Are you referring just to a web-app, where everything lives in the cloud, or do you also eschew installed apps that use the cloud to sync an encrypted vault? Also, do you draw a distinction between public and private cloud in your risk analysis?
Neither appeals to me in the slightest. The idea of my passwords, my passphrases, my secret questions and secret answers, and backup tools for my 2FA accounts being stored in a "password manager" feels unsettling enough... but I sure as shootin' won't place that basket of eggs into someone else's computer.
At the heart of these concerns, all of this is just a management problem. I'm not a high-value target, but I also don't draw a red circle around myself, either.
Many, many years ago, I was in a class where the instructor said, "Never give away what you can't take away later". He was talking about administrators who grant permissions too freely, but this indelible statement applies neatly to my basic online behaviors. Thank you, LastPass, but you can't have my Netflix password.
You've got good points about automation, but I kinda just grew up into this world. One day I was listening to Denis Leary's "No Cure For Cancer" comedy album, and the next thing you know I'm managing over 300 online accounts, all in a hodgepodge of slap-dash protection solutions, by a variety of different companies with different mission statements and differing approaches to cybersecurity. Automation be cursed, because I have walked through the Valley of the Shadow of Due Diligence.
but I sure as shootin' won't place that basket of eggs into someone else's computer.
Credential management is one of those areas where there are lots of alternatives to choose from, making it much easier to balance one's risk tolerance vs their convenience goals.