by Elliot Christenson on November 15, 2017 - 10:16am

You spend so much time writing secure code, and doing security updates, but you're putting all of that in danger with your wiki. A huge percentage of agencies put passwords into wikis - and other shared resources!!!

Using a shared Google/Office document, spreadsheet - even with black text on a black background - isn't much better! So, think of "wiki" in this context as being any "low-cost, low-security, high-accessibility, super-convenient storage."

You are putting your agency AND your customers at risk by keeping passwords in your company wiki!

Read more to find out why, and a better way to do it!

Wiki Pros & Cons

(From Wikipedia) "A wiki is a website on which users collaboratively modify content and structure directly from the web browser."

If you aren't familiar with wikis in business or organizational use, you certainly are familiar with Wikipedia - and Wikipedia's main criticism: security.

When you quote Wikipedia in an argument, your opponent will likely retort with "Anyone can write anything in Wikipedia." Wikipedia has millions of users to help mitigate the risk of bad edits, but breaches still happen!

That brings me to the first of the "cons":

Con: Security

Security of your wiki is suspect: it keeps data in plain text, so if there's a security issue in your wiki software, someone could get the data out! Wikis are run on common databases, and the information is almost never encrypted. A wiki makes no distinction between shareable information, like customer service instructions, and private information, like passwords.

Users in your organization will likely all have access to this - even people who have no reason to have access to it!

And that's if you do everything else right from a security standpoint!

Con: Access Control

Sometimes wiki software allows you to define different permission groups. You may want some users to be able to change things and others only to read.

In most cases, the entire wiki is accessible to everyone who has access.

Again, that's if you do everything else right from an access control standpoint!

Con: Password Hiding

Again, because the passwords are "in the clear", they are likely to be less complex: easily copied and pasted strings of letters and numbers. If they are "bad" passwords with little entropy, they are easily memorized by users leaving the organization. If they are complicated, they are vulnerable to clipboard-stealing (copy/paste) malware!

Con: Accessibility

What if you have to share a password with a vendor or a client? What if you need to access your passwords from the road? From home? From your mobile device?

Sure, there are VPNs, but that's a complication that can cause other issues with whatever you're doing. Alternatively, you could give the world access to your wiki too, but obviously, that's not a great idea!

Those are all solvable problems, but large organizations have complex needs - and often regulatory needs - while small organizations have smaller budgets. Running your own security infrastructure is tough enough when the stakes are low!

Pro: Free

Hey, there's a reason why these things get started! However, while the software is free, training people in your organization on how to best utilize tools like wikis is certainly not free. Plus, as you'll see below, password managers are low-cost - and sometimes even have free options, depending on your use case!

LastPass Pros/Cons

and 1Password...

We talk about LastPass in this blog post because that's what we use at myDropWizard. We have some passing familiarity with 1Password (which appears to have better team grouping features), but for the most part, everything about LastPass is also true of 1Password.

Password managers - of which LastPass and 1Password are the most common - take a lot of the work of running your own password security out of your hands. Let's go through the pros and cons again, this time for LastPass and similar products.

Pro: Security

LastPass is a web-based service that holds your passwords. The passwords are encrypted with vetted methods, using your LastPass master password as the encryption key. Because the passwords are encrypted both while stored and while transmitted, not even LastPass can access your passwords!

More details are available about that from Steve Gibson's awesome analysis on Security Now Episode 256. The goal of a password manager is to be convenient but also secure.

LastPass runs as an app on Android, iOS - and as a browser extension for Mac, Windows, and Linux in Safari, Opera, Chrome, Internet Explorer and Microsoft Edge.

The clear-text passwords never get seen or stored by LastPass or your fellow employees!

That said, LastPass allows you to securely share passwords between accounts. Even that is encrypted properly! It's simple and secure.

LastPass even offers two-factor authentication (2FA).

Pro: Access Control

The reason these password managers are essential to the workplace is the sharing and access controls. If a password changes, you want to change it across the organization - without calls to your help desk! If an employee leaves, you want to revoke their access - for your protection as well as theirs!

In most cases, the browser extension will simply fill in the password! How is that not better than copying and pasting from a wiki!?

It's really about as good as we can hope to achieve without more standardization in the way passwords are handled across websites!

Pro: Password Hiding

LastPass Enterprise allows shared folders, so you can put your passwords into one of these folders and no single employee has to ever even know the password.

Except in rare circumstances, even copy/paste is not necessary!

Pro: Accessibility

You can go to LastPass.com and log on. You can use the mobile apps. You can use the browser extensions. It's about as easy as can reasonably be expected: you have full access to all of your passwords! They handle the security, but you can access it freely from anywhere!

Con: Free

Since I'm talking mostly in the context of an enterprise, LastPass is not free. Neither is 1Password. However, they are low-cost.

1Password is $3.99 per "team member" per month, and LastPass is $48/user/year at most (larger organizations get slight discounts). So: $4 per user per month.

LastPass does have free use for individual users - both in the browser and now even in the mobile app. Obviously some of the "team password sharing" features won't work, but you still get all the security if you are in charge of your own security or are a sole proprietor!

What About Chrome Saved Passwords?

What About Apple Keychain?

Firefox?

Chrome is the number one browser. If you log in to your Google Chrome browser using a Google account, Chrome will sync your saved passwords to anywhere you use Chrome (Windows, Mac, Linux, Android, iOS). However, there is no good way to share passwords with other people.

If you're saving your own passwords, this is preferable to a paper notebook or a desktop note document on your device.

Similar to Chrome, Keychain is Apple's secure password vault. It works with Safari and elsewhere in macOS and iOS.

Finally, Firefox also has a similar system for sharing passwords between your Firefox browsers on different devices!

Summary

Use a password manager! You don't like LastPass or 1Password? There are others! A quick search showed a recent article listing some I've never used! The Best Password Managers of 2017. (Spoiler alert: LastPass gets a 5 out of 5 Editor's Choice Rating). Wikipedia has another good list!

One other tool that most password managers offer is a password generator! If you refuse to get an encrypted password manager for yourself or your organization, at the very least use secure passwords!

A good resource for generating passwords is security guru Steve Gibson's GRC's Ultra High Security Password Generator. However, I use LastPass's password generator which allows you to tailor the password generation to follow the (sometimes insane) restrictions put on users for what sort of password they can use.

The bottom line: storing passwords in a wiki is even worse than writing them down in a paper notebook. Anything is an improvement over that, but for at least the past 7 years, I've been using and loving LastPass.
