I have an #infosec question: is there any good reason for co-workers to share login information, e.g. to access a supplier website? If yes, what’s the reasonable way to share such information nowadays?
My current customer is doing this, and I’m freaking out a bit. :-/
@AnhkaaDNeige
That’s what I’ve told them, but that’s what they’ve been doing for years… with all logins and passwords saved in plain text on a NAS in their local SMB network…
At the very minimum, I’m looking for an open-source password vault I could setup for them somewhere, but I agree it doesn’t feel like a solution to me. 😠
@fabi1cazenave @AnhkaaDNeige keepass or keepassXC could provide what you need. The keepass file could live on their NAS, but that’d require a shared password.
Only a marginal improvement, but at least it wouldn’t be plaintext.
@fabi1cazenave not familiar with passbolt. But my experience very much is that non-techie staff, and those are who you serve, will not like having *more* tools to use. (and IT doesn't love it, either).
Since encrypting something locally that gets share makes not much sense, I'll be quite honest: train teams how to set up team-exclusive resources on systems they already use (be it sharepoint, Office365, Google Drive (which sucks big time for this), windows shares), and have them manage these.
@fabi1cazenave rationale: you bring in a central fancy silicon valley-style secrets management system. People use that once, and because it requires separate re-auth, clicking through five layers to find the credentials they need, and then ctrl-c/ctrl-v, they store the credentials in a word doc in their team folder or desktop anyways.
Educate them on security failure models ("let's say the chance that every single one of you doesn't fall prey to spearfishing within 2 years is 97%. The chance…
@fabi1cazenave reevaluate whether they really need to be shared (or whether for example multiple people on the procurement team can actually get their own accounts for the same company account). Establish "secure practices" as a business objective (otherwise, management metrics say you should work fast, not secure)
Give them the feeling that you give them improvements (! actually more important than to have perfect solutions) to their workflow.
Be the kind of person that people want to email.
@funkylab Thanks for your detailed and meaningful reply.
I’ve been working with this team for almost 30 years, they’re almost family, and by far the safest work environment I’ve ever experienced, so yes, I totally want to keep it positive. 🙂
We’ve already improved their password policy a lot over time (using strong, unique, auto-generated passwords for every site), but I freaked out a bit this morning when I saw their plaintext file with all logins on an SMB drive. Trying to fix that.
@fabi1cazenave @funkylab sounds like an all hands meeting needed...
How liable are they if this goes tits up? Will customers be hurt?
@fabi1cazenave Parfois t'as pas trop lechoix, t'as un compte "entreprise" pour accéder à un truc, pas un compte par personne ...
Un gestionnaire de MDP auto hébergé ça serait la meilleure option face à ce type de problème.
Passbolt fonctionne bien pour moi (et open source), mais il y a sans doute d'autres choix possibles
@fabi1cazenave My terrible answer is sometimes it's hard to get to the best solution. There's all sorts of weird cost optimizations! We'll charge you per login. Or the login belongs to John who worked here 10 years ago for 4 weeks and we don't know how to get new ones.
Making it less bad with a password manager is probably the best way to go. Shared to a "team" of sorts. Preferably it should be able to generate strong passwords. So you can rotate as you onboard.
@fabi1cazenave
Depands: is the login information something like a mTLS certificate. Than definitely yes. (Preferably you would still want to use individual credentials, but sharing such a secret is less of an issue).
Is the login information something like a user name and password, preferably not. But not everyone has their stuff in order where they can support multiple users per account. It should still always be available exclusively through a password manager.
And the same goes for 2FA codes, if they need to be shared it should be stored in a password manager.
This is much more about how to deal with the day to day world of imperfect security practices… and less with “is this smart / ok?”.
You must consider that sharing credentials like this does mean that whenever the set of people with access changes (specifically a removal) requires a credential reset. Or you haven’t removed access at all.
@fabi1cazenave In practice, all the suppliers we work with do not allow to create multiple accounts linked to the same customer account. We also had a lot of trouble to link multiple users to meta account for our library, so we share only one account. The moves in the team and the account creations for all those services/apps can't always be managed automatically. In the end, it's a lot of bad reasons..
Anyway, I explained how to use keypass for those shared accounts in my team, being not able to setup a bitwarden or something more elaborate.
@fabi1cazenave at Autonomic we generally recommend our hosted Vaultwarden for teams. It's the self hostable version of Bitwarden.
Usually the reason to share is the price serviced charge per user.
@fabi1cazenave an example
With my spouse, we share login information with a shared vault in 1Password
Sometimes so I can help debug technical problems (hello Kajabi), other times to save paying for a second subscription, with an app we use personally.
@fabi1cazenave
IMHO there is one, sadly
If the website in question doesn't support multiple users (with the same permissions/access) 😠
A corollary reason could be if you have to pay for each user
@realn2s it’s not a matter of paid service, but yes there could be a practical reason behind that.
Following the general advice I got here, I’m aiming at progressive improvement: I won’t question their workflow, I’m just gonna set up a shared password vault. Or maybe create #CryptPad accounts for all team members?
@realn2s @fabi1cazenave
yeah $/seat is another reason. Not a *good* reason, mind you but a reason.
99% sure that's breaking the terms of service or EULA or whatever, but hey what's a lil digital piracy nowadays?
@fabi1cazenave
Good reason? Probably not
*A* Reason? Perhaps the vendor is just behind the times and there's nothing that can be easily done.
Reasonable way to store and share passwords?
LastPass, Bitwarden, 1Password etc.
1Pass is very enterprise friendly, and Bitwarden is open source / auditable code. You can see everything is encrypted before data is stored on the cloud, or run it yourself.
kazé
A[N]hkaa
Mathaetaes
Ciourte Piaille
R
Hubert Figuière
Marcus Müller
A Fine Day to Return Home 🏳️⚧️🏳️🌈🇺🇦🇵🇸
Thomas Weiss
Régis Haubourg
Maoulkavien
Ludovic :Firefox: :FreeBSD:
Nigel
Tradjincal
sysosmaster
christian mock
Paulien Lemoine
KawaiiPunk
Quantum
Mark Levison
Claudius Link
listless
Steffen Gebert