How We Solve Our Password Madness

So we were looking for a solution that offers at least the following points:

• Store company related passwords in a secure manner
• Simplify password sharing in a secure manner
• Reduce overhead for password communication
• Safe time for password administration, simplify login processes
• Have an overview which passwords are shared with whom
• Allow password reset procedures if users are leaving / joining the company

We considered KeePass and 1Password and putting the password vault somewhere into the cloud. In the end, we decided on LastPass Enterprise which some of us already had positive experiences with.

LastPass is a browser based password vault, it has plugins for all major browsers and also synchronizes with mobile devices. Two factor authentication with various methods is included, even with free (non-paid) accounts. LastPass offers shared folders, users with different access rights to shared folders and a wide range of configuration policies and administration features.

Shared passwords are stored in folders. Every user has access to all shared folders they need to get work done. Some example of such folders:

• Shared - Everyone
  Abstract: Shared passwords nearly everyone needs and that are not too risky to give to everyone
  Examples: WiFi passwords, office door access code
• Shared - Purchasing
  Abstract: Accounts needed to purchase goods
  Examples: Amazon, Microsoft license management, Adobe license management, LastPass
• Shared - Social Media
  Abstract: Marketing related accounts like blog administration, camp orga, social media accounts
  Examples: Facebook, Twitter, typo3.com blog administration

Other folders could be Internal Servers and Accounts, Customer XYZ, HR ...

In addition, every user has their own personal folder to store personal work-related(!) passwords like personal Jira or TYPO3 instance logins.

The LastPass Enterprise account allows setting policies to allow or restrict certain functionality. For instance, we force each employee to use a multi factor authorization to login to LastPass.

We added a couple of additional policies in addition to the default ones. As an insight to this feature rich system within LastPass, these are our main policies:

• Account Recovery Email
  Every time a user requests the reset of their password, our internal LastPass admins receive an email.
• Minimum Number of Different Character Sets in Password
  We want to have at least upper case, lower case and numbers in every password. Special characters are optional, but the "create new password" function of the browser plugin will throw them in by default.
• Only allow a single YubiKey per account
  This is important, otherwise employees could buy a second device and would have access to their business account even if a YubiKey is confiscated for some reason.
• Password Length Restriction
  At least 8 characters.
• Prevent Multifactor Disable via Email
  If someone messes with second factor, admins should know.
• Prohibit Export
  By default every user is able to export all keys in the vault as CSV file. It is obvious why you wouldn't want that in your company. We excluded our admins from that rule, because they should be able to create backups of the vault.
• Prohibit Shared Folders Outside Enterprise
  That's a topic of constant discussion. With that policy enabled, employees aren't able to share folders in a secure manner with LastPass using outside parties like the customer. So we are forced to communicate passwords with external sources via email. Not perfect, but we will see how that works out.
• Prohibit Sharing
  Prohibit Sharing Except for Shared Folders
  The first policy is to prevent users from creating other shared folders than the ones created by the administrators. The second one is to prevent them from sharing credentials in their own vault. So every shared password is in one of the predefined folders. Keeping things cleaner.
• Require use of any multifactor option
  No exceptions.

Next to personal logins and company work related sites, users typically have tons of private passwords to deal with. We know that our employees will check their social media and buy some Christmas gifts during working hours. That's for sure and something we can live with. And we want to encourage them to always use secure passwords. But we don't want our employees to store their private passwords in the business vault. That would result in discussions when the user leaves the company or is on vacation where they should not use their business account.

LastPass offers a pretty neat feature to link a private account with the enterprise account. When you log in with your business account, you will see all your passwords, private and business alike. When you log in to your private account, you will only see the private passwords. We suggest to our employees to create a private LastPass Account (that's free in the basic plan and costs a buck per month in the premium plan) to store all their private passwords. When the user leaves the company, the private and the company account can be unlinked again and the employee walks away with their private stuff, but leaves personal company passwords.

ATTENTION: Make it clear to your users, that this is a convenience feature, that lowers the private security a bit. There is a theoretical possibility for company admins to hijack a users account and get access to their private passwords. But that would always be noticed, it creates a lot of notification mails and in the end the user can't log in with his own password, because it was changed during the process. So the villain would be caught immediately (and will face the consequences like being fired, get sued and so on) and the user knows what passwords where compromised and need to be changed.