Don’t write your logins and passwords on a piece of paper. Don’t let your browser save your passwords. Don’t keep them as pure text among your files. Don’t create passwords based on notions that are close to you, e.g. your or your relatives’ date of birth. Use long and difficult combinations of characters, for instance: „qt8432FEdK7kcVT”. And you’d better be able to learn them by heart.
Those are the most common tips IT security experts give. The good news is that these are great rules and they are worth following. The bad news is that users often disregard them as they choose some less problematic solutions. In this post I am going to focus on two aspects related to credentials management – storing, and what’s even more important, sending such sensitive data as logins and passwords.
How to store credentials
You can’t store your login and password as plain text. You need a system that will encrypt them and decode the data on demand. The system needs to meet the following needs:
It has to be able to store data securely and it cannot be easily hacked. It should be resistant to hackers’ attacks that break security codes within days or months.
The access to logins and passwords has to be easy for the authorised user. If it isn’t, the user will quickly return to their “good old ways” which means they will be storing all their credentials in one place, as pure text.
There are a few solutions that meet the above-mentioned requirements.
If you trust cloud-based solutions…
LastPass, dashlane and 1Password store your credentials in the cloud and let you access them from different locations and devices. Each of these applications can be used for commercial purposes and you can decide which users can be granted access to a given login or password.
If you don’t trust cloud-based solutions…
KeePass and Password Safe let you store your logins and passwords in an encrypted file and to access passwords saved on the computer they have been installed on. These are very safe Open Source solutions, which lets you fully learn the way they work. For the comparison of all the above-mentioned solutions visit this site.
If you decide to use any of them, you can be sure your logins and passwords will be fairly safe. Of course, any solution can sooner or later be hacked. Despite that, credentials stored in these apps are far more secure than written down on a piece of paper or in a simple text file.
If you generated your password yourself and you are the only person to use it, that’s all you needed to do. However, if the credentials are to be sent to their final user you are halfway through the process of securing them.
How to send credentials
Often, when talking about the sensitive data security all we consider is the way we store them. However, in many cases, especially in the IT world, administrators send logins and passwords to users or developers send them to clients.
Here is an example. I have access to the FTP server. I use my email to send the login and password to a client who needs to use them. The credentials will be now stored in four different places: my password manager, their password manager, in my mailbox and in their mailbox.
Of course, in the perfect world, I would send such information in an encrypted file using only one channel, e.g. e-mail. To send the password to open the file I would use a different channel, e.g. a messenger or I would text it. However, several problems would emerge:
Less tech savvy users forced to encrypt and decode files using dedicated apps can easily make a mistake and get discouraged. They will return to the “good old methods”, which means they will be sending their credentials as plain text again.
Despite the fact the data are encrypted they are still stored not only in the final place but also in the channel that has been used to send them.
So the question arises: how to send logins, passwords and other sensitive data in an easy and secure way, without creating extra copies? There is a simple answer to this question: use a system that lets you send messages that are destroyed as soon as they have been read by the recipient. There are plenty of applications that enable this, for instance, One Time Secret, One time or PrivNote. All of them function in a similar way:
A one-time URL address is generated. It contains the message key.
The message is encrypted with the key and saved on the server.
After the one-time link is used the message is decoded and sent to the client.
At the same time, it is deleted from the server.This lets you send your credentials in the following way:
Copy the sensitive data you want to send to a form available on one of the above-mentioned sites.
Get a one-time URL address.
Send the link to the recipient via email or chat.
The recipient uses the link to visit the site and gets the decoded message that they can then store in their password manager.
The message is deleted from the site as soon as it has been read.
In this case, the data is not stored in four different places, but only in two – in my password manager and the recipient’s password manager. In the channel used to send the message only the link can be found and the data originally stored on the server, have been deleted.Of course, if you don’t trust any of the apps I have just mentioned, you can develop such a system yourself or use a ready-to-use Open Source solution from GitHub.
Storing and sending credentials and other sensitive data is a serious topic. On one hand, too liberal a policy can cause a security breach in the organization. On the other, rigid rules may discourage users who won’t be willing to use them.What is your experience in credentials management? What methods do you use to keep them secure? Leave a comment and share your experience.