Best practices for password management in a small company

Kevin Matthews Director of Engineering at Action Factory

July 16th, 2013

I was wondering what software or strategy people use to manage a list of accounts and passwords amongst a small team. Right now, we're using a Google spreadsheet, which is pretty unscalable and insecure. I am considering switching to Common Key (http://commonkey.com/) or PassPack (http://passpack.com), but perhaps other people have a better way of managing this information that does not rely on browser extensions.

In particular, any strategy that would allow us to store passwords for internal servers as well as our cloud accounts would be helpful.

Thanks,

Kev

Rand Owens CoFounder Spartups Accelerator

July 16th, 2013

Just get 1password. You will be happy you did. WHen connected to a team, it holds and stores all passwords. Although, it is a plugin/extension too...

Ryan Jackson Founder at Paid

July 16th, 2013

We used Meldium (https://www.meldium.com), and I'd be happy to make an introduction if you'd like to speak to the founders.

Juston Brommel Growth Strategist & Advisor to CEOs

July 16th, 2013

I've used passpack in my last few companies. We setup one paid account that key staff have access to. We share from this central account to each users individual account. Works nicely for sharing with third parties. A bit cumbersome to sign up, but solid otherwise. I am eager to hear everyone's experience with commonkey. What are the benefits/differences from passpack? Best, Juston

Michael Hanson Entrepreneur in Residence at Greylock Partners

July 16th, 2013

This is a hard problem, Kevin, with no easy answers. But here's a couple thoughts:

1. Whenever possible, don't use passwords. If you can secure your internal and cloud servers using private keys that are physically distributed to laptops, do so. This should be how you handle SSH logins to terminal-based services, for example.

2. Whenever possible, use role- and group-based authentication schemes instead of having common passwords. If your services do not support this, ask for it (professional-grade services should).

3. Make certain your password-sharing scheme matches your actual trust boundaries. If role-based authentication really isn't available, create accounts that represent the roles and distribute trust for them. For example, if there are three people with the power to deploy, then create an account called "deploy" and give three people access to it. Consider creating email addresses for each of these roles and then using server-side aliasing to push it out to everybody that supports that role. (e.g. deployer@myco.com)

4. Make sure you have a fallback plan if you're compromised or you need to revoke access from an employee or contractor.

5. Consider adopting a mnemonic-pattern based approach - say, a ten-word sentence that you all memorize and extend with an unambiguous pattern derived from the name of the service provider.

Remember that your passwords are there to protect you from two different threats: external bad guys seeking to get at your data, and internal misuse (whether accidental or deliberate). Make sure they are strong enough for the former, and restricted enough for the latter. Don't forget the importance of occasionally auditing usage, just so you keep an eye on things.

Interested to hear what other people recommend as well.

-Mike

Thomas Knoll Executive Advisor & Business Coach. I help entrepreneurs survive and thrive at building their teams and businesses.

July 16th, 2013

FWIW, I *highly* recommend: http://www.onelogin.com/

Renee DiResta Vice President of Business Development at Haven

July 16th, 2013

I'm curious - why the "no browser extension" caveat? I've seen some fantastic options that manage that way. I use one personally, and it's relatively effortless.

Kevin Matthews Director of Engineering at Action Factory

July 16th, 2013

My hesitancy on browser extensions isn't a deal breaker. I just don't like the way I will not know my own passwords if I end up using a computer that doesn't have the extension installed. Thanks for all the great suggestions. This has been a very helpful discussion. Kev

Panos Kougiouris Founder at NeatSchool

July 16th, 2013

Rand, what do you mean by this? I use 1password on the mac and the iPhone but not in a "Team environment" is that a feature? --Panos

Rand Owens CoFounder Spartups Accelerator

July 16th, 2013

Panos

If you use dropbox all of your passwords you can aggregate all passwords and keep them all sync'd. Problem is, it syncs all passwords so even those that you don't want others to have they will have. If you have some programming skills you can develop around this...

Dan Hopwood

July 27th, 2013

+1 for 1Password, no need to use anything else