It’s #WorldPasswordDay2021, and that means some good advice on what the heck to do about passwords in a work context! I gave my personal advice over on Twitter, and you can find that thread if you want, but I want to tailor this more toward the IT Admins and the business decision makers they work with every day.
Passwords are the difference between your business foundering and flourishing, and if you said to yourself just now “Tom, you are high as a kite,” well, I can assure you the only drug I’m on right now is my morning coffee and 15 minutes of time in the Calm app. Security is a make-or-break part of your business whether you recognize it or not. One small mistake by a production engineer who reuses a personal password that shows up in a breach somewhere can be the difference between business as usual and a huge payout to affected customers.
So, here’s my advice:
- Get a directory. If you don’t have one, I think it’s safe to say I recommend looking at JumpCloud, but whichever you choose, providing a strong single sign-on environment, backed up by good security and multi-factor authentication, is critical. Your goal here is a better, more automation-focused admin story for your department.
- Once you have a directory, you need to use it. Bind as many applications as you can to SAML, OAuth 2.0, OpenID Connect, and WS-Federation. This is a great way to make your employees’ lives easier, and it will reduce the amount of time you spend resetting people’s passwords in all the services you tied together in step 1.
- Get a company Password Manager. I really recommend 1Password for Business, not least because they have a good SCIM gateway, and you can also gift your team members a free Families license with each seat. Use the Vaults feature to create good walls between departmental passwords, and use an Audit team to allow IT admins to help deal with this adventure.
- Train your co-workers on how to handle breaches. Not just the engineers. Not just the execs. Everyone in your organization should know how to deal with a password breach event, even if it’s just their own personal password that got breached. This training should focus from the start on empathy toward the person dealing with the breach, because the last thing you want them to feel in that moment is shame, and shame leads to silence and hiding what happened. Focus instead on rapid response and restoring things to good order. This is like dropping a glass in the kitchen. You can feel bad about it for a second, but everyone’s done it, and it’s important to clean things up before someone gets hurt. That’s all. Grab the broom and a mop. It’s cool.
- Revisit your old decisions on password security periodically. If you’re still rotating passwords every 90 days, are you really doing something security-smart, or are you following bad old guidance? Are you still making it possible for people to use Password1! as their password? Maybe it’s time to require a good 15-20 character passphrase, but lift the number/symbol goofiness. “It’s always been that way” can be a recipe for a problem.
- Have a manual of key identity information for your department. Keep it locked up with someone important. Keep it updated. Make sure someone outside of IT could help with your organization’s security if you were sick or otherwise out of the office. This is about caring for your team in the event you can’t be there to do the job in the moment.
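As an added illustration of the passphrase-over-complexity policy in the “revisit your old decisions” bullet above (example code written for this post, not from the author or from JumpCloud): a checker that enforces length, skips number/symbol rules, and rejects anything on a breach list. The 15-character minimum, the constructed breach sample and the SHA-1 prefix lookup are my assumptions, not the post’s.

```python
"""Length-first password policy with a breach-list check (added example)."""
import hashlib
import unicodedata

MIN_LENGTH = 15   # assumed minimum, in the 15-20 range the post suggests
MAX_LENGTH = 128  # cap so very long inputs can't stall the hash step

# Constructed sample standing in for a real breach corpus. Stored as
# SHA-1 hex digests so the plaintexts never sit next to the policy code.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password1!", "correct horse battery staple", "Summer2021!!!!!!")
}


def breached_suffixes(prefix):
    """Emulate a k-anonymity range query: given the first 5 hex chars of a
    SHA-1, return the suffixes of every breached hash with that prefix.
    A real deployment would send only the prefix to a breach-check service."""
    return {h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    """True if the full SHA-1 matches one of the suffixes for its prefix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in breached_suffixes(digest[:5])


def check_password(password, username=""):
    """Return a list of policy violations; an empty list means acceptable.
    Length is measured after NFKC normalisation so lookalike forms count once."""
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if is_breached(pw):
        problems.append("appears in a known breach")
    # Deliberately no digit/symbol/case requirements: length and novelty
    # do more than forced "goofiness", and the breach check catches the
    # Password1! pattern that complexity rules used to wave through.
    return problems
```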
Passwords are probably the worst part of working with computers for your co-workers. Do what you can to reduce the number of passwords they have to deal with by adopting the above. And take a look at how JumpCloud approaches Zero Trust.