Editor’s note: Our friends at ArcStone reached out to us to talk about their experiences with password management software. Here’s their take, written by Chloe Mark. What do you think about password managers? Is there one you like? How can password managers be better?
With the plethora of apps available to businesses in 2016, many of us have come to rely on these tools for our work. At ArcStone we manage projects in Basecamp, communicate with clients via Basecamp and Trello, coordinate with team members in Slack, and manage company hours and invoicing in Harvest. This doesn't account for the several other apps each of our team members uses personally.
One of our main issues is not the apps themselves, but managing the security of each unique login. A password manager is one method for keeping these accounts secure, but we have yet to find the right fit. In this post we'd like to point to the issues we have with the current state of password managers; review one of the most popular managers out there, LastPass; and suggest changes future developers should consider.
The Current State of Password Management
We wanted to make sure we tried out several popular password managers to understand what's missing from all of them. Our head of IT, Alicia, has used Master Password and KeePass, finding them both effective for personal use. However, as a business we crave an app that can easily set up accounts for all of our employees. This would mean the app can set up new accounts for a new employee and remove accounts for any former employees.
This is why we also tried LastPass Enterprise (now joining forces with Meldium), which is intended for company use. It seeks to make all your apps more secure by keeping your employees' passwords strong and removing the accounts of anyone who no longer works with you.
According to a few of our employees, here are some pros of LastPass:
- It was easy to use. Once you install LastPass, with each new site it detects a login for, it will ask you if you want to store your password. If you select yes, it walks you through a simple two-step setup. If you select no, you can disable the app from remembering a password with just one click. It also makes it easy to generate and install a new password. A command-line interface is available as well, which further improves its UX.
- It sends alerts. Alicia especially liked how it notifies administrators whenever an employee is reusing a password across several accounts, so you can kindly ask them to update their passwords. An administrator can track logins on each account if there is a need for more thorough monitoring.
However, the cons were what dissuaded us from committing to this tool:
- It doesn’t work outside of a browser. It didn't ask to save passwords for any desktop apps, which becomes problematic when half of our apps aren't used in a browser.
- You’re always logged in. It keeps you logged into LastPass even after you've shut down your computer, so if any unauthorized user gains access to your computer, they also have access to ALL your accounts within LastPass unless you manually logged out of it beforehand.
- It makes input fields look strange. We found it seems to mess with the way some input fields get displayed, especially if the field has a placeholder.
- The admin interface is not user friendly. From the perspective of our head of IT, it has a fairly "clunky" admin interface.
- Updates are a challenge. It's difficult for admins to add new users or to distribute login information for any additional app.
- It’s not transparent. It's closed-source software, making it harder for IT workers to find bugs before they commit to the product and slowing down the response time to security threats.
- Most importantly: It shows signs of being insecure. It has a "forgot password" tool, which means that the strength of your master password is only as strong as your email account’s password, which is only as strong as the password for the old email account you set up in 2001, etc.
What Our Dream App Would Look Like
We recognize the challenge this type of app entails, keeping recent security hacks in mind. Still, in our dream world, a password manager app would include:
- A secure application holding all required certifications.
- Password storage and generation so that employees are encouraged to create secure passwords, plus automatic notifications to admins when users don't do so.
- The ability to manage all passwords—both within browsers and with desktop apps. This includes a feature that logs the user out once they have left their computer.
- A great user experience for both employees and admins, especially so that onboarding and removing employees is not such a hassle.
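As an illustration of the reuse alerts described in the LastPass pros above and the admin notifications in the second item of this wish list, here is an added Python example; it is not part of the original post and is not code from LastPass or any other product mentioned here. It assumes a vault exported as a list of site/username/password records, a 12-character policy minimum, and a constructed short list of common passwords; the sample vault entries are constructed, not real credentials. Reused and weak passwords are reported by SHA-256 fingerprint so the alert an admin receives never contains the password itself.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault for illustration only; these are not real credentials.
SAMPLE_VAULT = [
    {"site": "basecamp.com", "user": "alicia", "password": "Tr0ub4dor&3xyz"},
    {"site": "trello.com",   "user": "alicia", "password": "Tr0ub4dor&3xyz"},
    {"site": "slack.com",    "user": "alicia", "password": "correct-horse-battery-staple-42"},
    {"site": "harvest.com",  "user": "alicia", "password": "password1"},
]

MIN_LENGTH = 12  # assumed policy threshold, not a value from the post
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty"}  # constructed short list


def fingerprint(password: str) -> str:
    """Short SHA-256 fingerprint so a report can refer to a password without showing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reuse(vault):
    """Return {fingerprint: [sites]} for every password used on two or more sites."""
    by_fp = defaultdict(list)
    for entry in vault:
        by_fp[fingerprint(entry["password"])].append(entry["site"])
    return {fp: sites for fp, sites in by_fp.items() if len(sites) > 1}


def find_weak(vault):
    """Sites whose password is shorter than the policy minimum or on the common list."""
    return [
        e["site"] for e in vault
        if len(e["password"]) < MIN_LENGTH or e["password"].lower() in COMMON_PASSWORDS
    ]


def admin_alerts(vault):
    """Human-readable alerts for an admin; the password itself is never included."""
    alerts = []
    for fp, sites in find_reuse(vault).items():
        alerts.append(f"REUSE {fp}: same password on {', '.join(sites)}")
    for site in find_weak(vault):
        alerts.append(f"WEAK: password for {site} is below policy")
    return alerts


if __name__ == "__main__":
    for line in admin_alerts(SAMPLE_VAULT):
        print(line)
```

Run against the sample vault it produces one reuse alert (basecamp.com and trello.com share a password) and one weak-password alert (harvest.com). In a real deployment this check would run on the client, where the vault is decrypted, and only the alert text would be sent to the admin.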