Pub. 6 2016-2017 Issue 2

OVER A CENTURY: BUILDING BETTER BANKS - HELPING COLORADANS REALIZE DREAMS

Password Managers

PRESTON CURRY, CONETRIX

Let's have a password discussion once again. We all know the problem: multiple special characters, longer is better, avoid dictionary words, etc. As a result, many of us have opted for password managers such as LastPass, Dashlane, or 1Password to manage the multitude of credentials we must use on a daily basis. My question is: do your organization's controls cover the use of these third-party password managers?

Institutions, no matter their size, should seriously investigate their personnel's use of these password managers. We routinely encounter customers whose IT staff utilize such services, but not always at the enterprise level. Even if your institution is currently using an enterprise option, it would be advantageous to ensure policies cover the following: the controls utilized by the password manager, the mixing of personal and professional credentials by your employees, and post-employment access.

Look into the access controls available via the password managers. Employees should enable the strictest levels of authentication possible. Enable two-factor authentication, require the password manager to auto logoff within an hour, and restrict access to trusted devices and IP lists/regions. Additionally, just like any password, require the change of master passwords every 90 days, at a maximum. These basic controls can mitigate the risk involved with having so many credentials located in one place. These managers often refer to our credential lists as 'vaults' – we should treat them that way.

Another basic control we can implement is the separation of personal and professional managers. Many, if not all, password managers utilize browser plugins and mobile applications to access the vaults. If mixing of personal and professional managers is allowed, every time your employee logs into their social media, webmail or banking account via the manager, they also unlock your institution's credentials. The controls mentioned above help mitigate the dangers of mixing accounts, but ideally your employees' personal credentials will be separated
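As an added example (not code from the article or from any password-manager vendor), the following Python audit checks a hypothetical enterprise export of user settings against the controls listed above: two-factor authentication, auto logoff within an hour, trusted-device and IP list restrictions, 90-day master password rotation, and the absence of personal sites in the professional vault. The record field names, CORPORATE_DOMAINS, AUDIT_DATE and the sample export are all constructed assumptions.

```python
from datetime import date

MAX_IDLE_MINUTES = 60           # auto logoff within an hour
MAX_MASTER_PW_AGE_DAYS = 90     # master password changed every 90 days at most
CORPORATE_DOMAINS = {"examplebank.test"}   # constructed: the institution's own domains
AUDIT_DATE = date(2017, 3, 1)              # constructed audit date for the sample

def master_password_age(record, today):
    """Days since the master password was last changed (ISO date in the record)."""
    return (today - date.fromisoformat(record["master_pw_changed"])).days

def audit_account(record, today):
    """Return the control failures for one user record; an empty list means compliant."""
    findings = []
    if not record.get("two_factor"):
        findings.append("two-factor authentication disabled")
    if record.get("idle_logoff_minutes", MAX_IDLE_MINUTES + 1) > MAX_IDLE_MINUTES:
        findings.append("auto logoff longer than one hour")
    if not record.get("trusted_devices_only"):
        findings.append("not restricted to trusted devices")
    if not record.get("ip_allowlist"):
        findings.append("no IP list/region restriction")
    if master_password_age(record, today) > MAX_MASTER_PW_AGE_DAYS:
        findings.append("master password older than 90 days")
    # Mixing check: vault entries for sites outside the institution's domains
    # indicate personal credentials sharing the professional vault.
    personal = [d for d in record.get("vault_domains", [])
                if not any(d == c or d.endswith("." + c) for c in CORPORATE_DOMAINS)]
    if personal:
        findings.append("personal sites in professional vault: " + ", ".join(personal))
    return findings

def audit_all(records, today=AUDIT_DATE):
    """Map each user to their list of findings."""
    return {r["user"]: audit_account(r, today) for r in records}

# Constructed sample export: one compliant user and one with several gaps.
SAMPLE_EXPORT = [
    {"user": "alice", "two_factor": True, "idle_logoff_minutes": 30,
     "trusted_devices_only": True, "ip_allowlist": ["203.0.113.0/24"],
     "master_pw_changed": "2017-01-15", "vault_domains": ["core.examplebank.test"]},
    {"user": "bob", "two_factor": False, "idle_logoff_minutes": 1440,
     "trusted_devices_only": False, "ip_allowlist": [],
     "master_pw_changed": "2016-06-01",
     "vault_domains": ["core.examplebank.test", "social.example", "webmail.example"]},
]

if __name__ == "__main__":
    for user, issues in audit_all(SAMPLE_EXPORT).items():
        print(user + ":", "compliant" if not issues else "; ".join(issues))
```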
