How to Manage Passwords for Your Organization

Hello and welcome to another episode of Design and Influence. Today, we go into details on how to manage passwords for your organization. This is one of the critical components of running a firm successfully. Your team can safely and securely access the information they need to do their work by adequately organizing passwords in an electronic password manager like LastPass. This management strategy is what we will discuss today because we think it is the best bet for your organization. 

Here to help us unpack this story, get deeper into the subject, and show you some higher-level techniques for setting these programs up is Boris Rapoport, CEO of ArchIT.

Why Does It Make Sense to Use an Integrated Electronic Password Management System in This Day and Age?

The answer is relatively simple: to maintain sanity and keep the services we use online (or elsewhere) safe and secure, we need to use complex passwords. We also need a different password for each site, so that if one password is compromised, your other services do not become vulnerable along with it.

It is humanly impossible to remember all those passwords; that is why we need a tool, an electronic password manager like LastPass, 1Password, or Dashlane. One of these tools keeps all our passwords easily accessible, so the only password we need to recall is the one that gives us access to the manager.

What are the Differences Between LastPass, 1Password, and Dashlane?  

They are pretty similar, since they are all password managers that give you additional tools to share passwords within the business, change things, set up an organization, and limit password visibility for different people.

As part of the selection process, make sure you are using a business-grade solution. Ensure that it has an app or a plug-in for every browser and operating system you use. For example, if you use Mac Office or Safari, you need an app or plug-in compatible with that software. Think about how it is going to integrate into the rest of your business.

All three managers mentioned above will cover all the bases for your business. If you are looking outside of these options, pay attention to interoperability and to whether it is a business solution and not just a consumer-grade one. This matters a lot on the back end, because the tool must be certified for the highest security levels.

A word of advice before you adopt an electronic password solution: reach out to your IT team and get a consultation on which tool to use.

How Does Setting Up the Password Management Structure Work Conceptually? 

Conceptually, it works like any folder structure. You can imagine each folder as a container housing a specific set of passwords. You can choose to organize it to mimic the departmental structure of your firm. For example, your firm may have accounting, HR, and marketing, so you want to set up LastPass in a way that represents your real-world organizational structure. This way, you can easily grant staff access to the specific passwords they need and keep them out of those they don't.

Using a departmental structure for your electronic password management framework lets you quickly understand who needs what. It also makes management much easier when people leave.

How Would a Departmental Framework for an Electronic Password Manager Work for an Architectural Firm's Operations?

There is no need to segregate password access among operational staff in an architectural firm. Most of the roles in architectural firms (e.g. designers, design assistants, and those who deliver designs to end customers) need access to the same tools at the same level.

What is more important for the firm in this scenario is breaking out the more sensitive information, such as the credentials used by HR, finance, and maybe marketing.

What are the Essential Components of an Organization’s Password Management Policies? 

"Policies" in this context means configuration settings in your LastPass or Dashlane account. LastPass, for example, offers up to 60 different configuration settings. A few of these policies are critical, e.g. making sure you understand what happens when a person leaves. There is a policy that controls this, and you want to enable it so that the administrator of the LastPass account can take over the passwords of a person who has left.

One of the benefits of a business password manager is that when people put passwords in it, you control those passwords. This helps you avoid scenarios where, for instance, a marketing employee sets up a Mailchimp account for your business with their own username and password and then leaves, and you have no policy in place to take over that password. Without that policy, when you delete their LastPass account, that password goes with them.

Another policy deals with whether end users may reset their own master password or whether this capability is restricted to the administrator. From a security standpoint, we want the administrator to keep control rather than individual users, because if an individual employee gets hacked, we don't want their LastPass master password to be easily resettable.

What Does the Tool Look Like, and How Do You Set It Up?

Watching the related video will help you with this show-and-tell. However, we'll try to describe the password manager using our hosts' conversation from the video.

Boris: So, on my screen right now, what we are seeing is a brand new LastPass business account, and I’m logged in as an administrator.   

Alex: I'm seeing the same as those who are listening. So, I'm seeing a LastPass login with a mostly blank screen, some information, and a search box.

Boris: First thing I believe we need to look at is how to create a password or create a folder containing passwords. Based on those folders, we can give permissions to different people/departments to have access to those passwords. So, I’m going to click on “add item”. It’s the little plus sign right here.  

Alex: It's the plus sign at the bottom right.

Boris: Yep, and then I'll name what this account is for. Let's start with marketing, so I'll name it "Mailchimp Admin Login". We don't have any folders here, but we can create a folder called "marketing". Then we give it a username, which is usually an email address, and follow up with a password. Whatever password we used when we signed up for the LastPass account will be keyed in automatically. But since we are doing a manual demo creation, we can put a password in the field displayed here. The cool thing about LastPass is that you have a password generator tool that allows you to generate passwords of variable complexity instantly. But let's just stick with the minimum requirements.

Alex: May I go over this point quickly? So, with LastPass, you can generate a password on the fly as you sign up for services or reset your password for existing services, and you can also tell it how many characters? Use all characters? Upper and lower case, symbols, numbers? No matter how complex the requirements are for the site you are signing up for, LastPass can generate random passwords based on those requirements?

Boris: Yup. So, I’m just going to take this suggestion [from the password generator] of 12 characters, a number, upper and lowercase, and I’m going to copy it out of there and paste it into here [field in the “add password” pop-up] and save.  

Alex: The first field in that box [“add password” pop-up] we just filled out was “URL”, and it represents the destination or site as in this case: www.mailchimp.com.  

Boris: To better understand how this works, let's visit the Mailchimp website, sign up, and generate a password we can use. Now we discover that it also needs a symbol [this is not generated by the LastPass password generator at the minimum requirement].

Alex: Hmmm, so as we are signing up for Mailchimp, we discover it requires a symbol, so Boris is going back to the generator, which you can easily pull up as an app in your browser.

Boris: One thing here: when you run the browser plug-in for LastPass, which automatically allows you to save passwords, many sites will show the "generator" symbol in the password field. This lets you generate a password right in the browser. If you use this method, you may have to go into your LastPass to do some additional organizing. Like now, we have two passwords in our account, but the first one, which we created manually, is already in a folder (marketing), while the one we generated in our browser is not. All we need to do is move the new one into the "marketing" folder to solve this.
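The demo above shows why a generator should be driven by the target site's policy rather than a fixed minimum: a 12-character upper/lower/digit password was rejected because Mailchimp also required a symbol. The following is an added illustration, not LastPass code; the policy names and the symbol set are assumptions of this example, and it uses Python's CSPRNG-backed secrets module.

```python
import secrets
import string

# Character classes a site policy may require (names and symbol set are
# this example's own choice, not LastPass's).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}


def meets_policy(password, length, required):
    """True if password has at least `length` characters and contains
    at least one character from every class named in `required`."""
    if len(password) < length:
        return False
    return all(any(c in CLASSES[name] for c in password) for name in required)


def generate_password(length=12, required=("upper", "lower", "digit")):
    """Generate a password with a CSPRNG, guaranteeing one character from
    each required class, then shuffle so the guaranteed ones are not first."""
    required = tuple(required)
    if length < len(required):
        raise ValueError("length too short for the required classes")
    alphabet = "".join(CLASSES[name] for name in required)
    chars = [secrets.choice(CLASSES[name]) for name in required]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # same CSPRNG for the shuffle
    return "".join(chars)


if __name__ == "__main__":
    # Minimum-requirement password as in the demo: 12 chars, upper/lower/digit.
    minimum = generate_password()
    print(minimum, meets_policy(minimum, 12, ("upper", "lower", "digit")))
    # A site that also demands a symbol rejects it; regenerate with the
    # extra class instead of patching the password by hand.
    site_policy = ("upper", "lower", "digit", "symbol")
    print(meets_policy(minimum, 12, site_policy))
    stronger = generate_password(16, site_policy)
    print(stronger, meets_policy(stronger, 12, site_policy))
```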

Sharing Passwords 

Next, we will discuss how LastPass works when we invite other people into a folder. The people you invite can come from outside your organization, provided they have a LastPass account; if they don't, they can create one when you share with them and then get access.

The first step is to go into the "sharing center" and add a shared folder called "shared-marketing". The caveat here is that creating a shared folder creates a brand-new folder. This is done for security purposes: any passwords you share with people go into this shared folder, and you can't share them directly from the "marketing" folder by default.

By clicking on "manage shared folder," you can share it with people or groups. You can give them permissions such as "administrator", which allows them to give others permission, or "read-only", which prevents them from editing or copying the passwords but still lets them log into sites automatically with those passwords.

Security Score 

This score tells you how safe your organization is by answering questions like "do you have any at-risk passwords, e.g. not complex enough, or found on the dark web?". Since these management systems store all the security information for your organization, you want to make sure that people use 2-factor authentication when they log in.

Here you can also manage trusted devices. The system shows you which devices you have set up. These are devices that don't have to complete 2-factor authentication every time you log in; instead, you do it once every 30 days.

How Much Does LastPass Cost? 

There is a free version of LastPass, which works on only one device but lets you test out its capabilities. If you want the business version of the tool, the "Team" version costs about $4.50 per seat. The Enterprise version offers additional features, such as integration with Active Directory (if you use it internally) and with many other tools you may already be using as part of your IT. This highly functional option goes for $6 per user per month.

The Team version is an excellent starting point for your business: it gives you shared folders, lets you take over the passwords of people who leave, and does a lot more.

We are ArchIT, and if you need help setting up your password management system, you can reach out to us at getarchit.com.

If you have questions or need help, please reach out to us. ArchIT specializes in providing IT services for architecture, design, and engineering firms.