Why Your Company Needs a Password Management Policy

Last week, we contacted a client to coordinate a site server upgrade, which required a DNS change. The response we got was a little alarming. The client’s IT Director had left and nobody knew where the password to their DNS registry was kept. Ouch. I had lunch with a friend who said he keeps passwords in Outlook. Another friend said she has an Excel spreadsheet on her desktop. Eeek.

Passwords are the trickiest things. These days, we need them to be long and difficult to crack, they need to be unique across systems, and they are ubiquitous because everything needs a password. We read a lot about personal password management, but what about corporate password management?

Think your organization doesn’t have a lot of passwords? Think again. Chances are, your organization has passwords to:

  • Online financial and payroll systems
  • Payment processors
  • Social media sites
  • Sites where you purchase equipment and supplies
  • Web hosting and DNS accounts
  • and on and on and on

Where do you keep all these usernames and passwords, how do you manage them and who has access? Is your organization at risk if someone in a key position leaves and either takes the passwords with them OR leaves you without a clue as to where the passwords are kept (or not kept)?

Don’t panic. Here are a few things you can do to get started with a company-wide password management policy.

  1. Identify the company-wide accounts that need to be accounted for.
  2. Determine who has this information and collect it.
  3. Come up with a system for storing and limiting access. The system could be as simple as two people having access to a notebook where all the passwords are kept, and everyone in the organization knowing to give their passwords to these folks.

Here at Matrix Group, we used to use KeePass to manage our company passwords. We had multiple KeePass databases, including one for the services team, one for IT, etc. But we’ve outgrown KeePass because we need more granular access management. So we’ve implemented Secret Server, which is software that helps companies store, distribute, change and audit passwords. Some passwords are limited to me and the Director of Administration, while some passwords are accessible to multiple staff working on a project. I like Secret Server’s audit trail, and we’ve created a system whereby certain team members can grant permanent or temporary access to passwords.

Isn’t it time for a company password management policy?