I have an #infosec question: is there any good reason for co-workers to share login information, e.g. to access a supplier website? If yes, what’s the reasonable way to share such information nowadays?

My current customer is doing this, and I’m freaking out a bit. :-/

@fabi1cazenave yeah, obviously there is. It's typically a customer account, and the customer here is a company (or procurement dept., you get the idea), not an individual human. Nothing they can control, so relax and help make secure decisions on where to store credentials and how to, when necessary, update them in a coordinated way. (i.e., maybe not an "all our passwords" Excel doc on a company-wide accessible share)
@funkylab Yes, that’s what I was thinking of when mentioning a “reasonable way” to do it.
I’m seeing stuff like #Passbolt, does that seem solid? Are there well-trusted alternatives?

@fabi1cazenave not familiar with passbolt. But my experience very much is that non-techie staff, and those are who you serve, will not like having *more* tools to use. (and IT doesn't love it, either).

Since encrypting something locally that gets shared doesn't make much sense, I'll be quite honest: train teams how to set up team-exclusive resources on systems they already use (be it SharePoint, Office 365, Google Drive (which sucks big time for this), Windows shares), and have them manage these.

@fabi1cazenave rationale: you bring in a central fancy Silicon Valley-style secrets management system. People use that once, and because it requires separate re-auth, clicking through five layers to find the credentials they need, and then ctrl-c/ctrl-v, they store the credentials in a Word doc in their team folder or desktop anyway.

Educate them on security failure models ("let's say the chance that every single one of you doesn't fall prey to spearphishing within 2 years is 97%. The chance…

@fabi1cazenave … that then NONE of you 200 employees fall prey to spearphishing is 0.02% (pretty graph of 0.97^N, for N=1…200). I hope you understand why I encourage you to share passwords only if absolutely necessary and only with the people that REALLY really need them, and not even temporarily on a whim!"), and give them the feeling that they can actually contribute to the prolonged existence of their org.
Make it management's job (not yours personally) to collect these shared accounts, and …

@fabi1cazenave reevaluate whether they really need to be shared (or whether for example multiple people on the procurement team can actually get their own accounts for the same company account). Establish "secure practices" as a business objective (otherwise, management metrics say you should work fast, not secure)

Give them the feeling that you give them improvements (! actually more important than to have perfect solutions) to their workflow.
Be the kind of person that people want to email.

@funkylab Thanks for your detailed and meaningful reply.

I’ve been working with this team for almost 30 years, they’re almost family, and by far the safest work environment I’ve ever experienced, so yes, I totally want to keep it positive. 🙂

We’ve already improved their password policy a lot over time (using strong, unique, auto-generated passwords for every site), but I freaked out a bit this morning when I saw their plaintext file with all logins on an SMB drive. Trying to fix that.

@fabi1cazenave @funkylab sounds like an all-hands meeting is needed...

How liable are they if this goes tits up? Will customers be hurt?

@fabi1cazenave @funkylab we use 1Password for that use case. Passwords are organized in different folders and only shared on a need-to-know basis inside our organization. You have your own private vault as well. Everyone uses auto-generated passwords and the UI is frictionless. Privately I use KeePassXC, but sync between my laptop and phone via Syncthing sometimes has hiccups. Edit: and it officially supports Linux with a native app: https://blog.1password.com/welcoming-linux-to-the-1password-family/
@fabi1cazenave @funkylab yes, using Passbolt here and it does its job correctly.
If you are serious about security, this is like PGP, encryption is end to end. Might be too much for some teams 😅