Episode 031: Blueprint Series #1 Passwords

TEN7 is embarking on a series of episodes where we hope to explore the components of this thing we’ve called Blueprint. First component up is an examination and discussion of password management: how we share passwords, what passwords we actually use, and how that affects our security, the security of the people we work with, and our systems.

Here's what we're discussing in this podcast:

  • TEN7's new podcast series Blueprint
  • Password management; good and bad habits
  • Saving passwords on Google Drive is a no-no
  • The physical security problem
  • The good, bad and ugly of computer-centric password storage
  • The privacy graveyard also known as public wi-fi
  • The Mac Myth
  • What goes into Google Drive stays in Google Drive
  • Operating system level password managers
  • Effective password management services
  • Multifactor security
  • Biometrics and security
  • Should have paid closer attention to Gattaca

TRANSCRIPT

IVAN STEGIC: Hey Everyone! You’re listening to the TEN7 Podcast, where we get together every fortnight to talk about technology, business and the humans in it. I’m your host Ivan Stegic. We’re doing something a little different over the next few episodes of the podcast. As part of our forthcoming release of something we’re calling TEN7’s Blueprint for operations, we’re embarking on a series of episodes where we hope to explore the components of this thing we’ve called Blueprint. We’re going to try to capture and open source the very many components we think make our team tick. This isn’t DevOps, but DevOps is a part of it. It’s not just about software development or even specifically for the web, but that’s a part of it too. It’s more about the things that we do as humans on our team, as part of our daily routine to publish the work that we do, and also the mutual respect and understanding of how we work together. It’s also about the tools that we use to make this work happen, and I think of Blueprint as being comprised of a number of different components, for example, making sure we all have a shared understanding of what our branching strategy is within Git, respecting that we have four different environments (live, stage, test and dev), but it’s also about relying on the backups that our system implements and other non-development stuff like password management. So TEN7’s Blueprint for Operations will eventually be published on GitHub as a repo, and hopefully other people will use it too, if they want to. We’ll be supporting it, we’ll be using it, and we’ll be talking about it as well. One of these components, as I just mentioned, is password management. How we share passwords. What passwords we actually use and how it affects our security, the security of the people we work with, our systems. It’s an important part of Blueprint.
We handle sensitive information on behalf of our clients and each other on a daily basis, and we want to be respectful and secure about how we do that. Our newest team member Charlene has helped us craft some wonderful copy for our website and for our proposals, and you’ve heard her on our podcast before. Now apparently she has some questionable password management habits. So, starting the Blueprint series we’re going to start discussing password management, and how that forms a component in our daily work. We’re having an intervention in password management today. Charlene, of course, is joining us. Charlene Jaszewski.

CHARLENE JASZEWSKI: Perfect.

IVAN: Thank you for joining us. And, also, Tess Flynn is joining us.

TESS FLYNN: Hi.

IVAN: Hi Tess. Ok. I’m glad we’re having this discussion.

CHARLENE: It feels like an intervention.

TESS: Out with it. How do you keep your passwords?

IVAN: That was going to be my first question, exactly. How do you keep them?

CHARLENE: Ok. In my own defense, I think I thought I was smarter than I actually am. I think, like most people, I’ve got a Mac and my Mac saves a lot of my passwords for me, so I don’t have to remember them. And the ones that it doesn’t... Tess, you’ve already flogged me about this. I keep some in a Google Doc on the drive.

TESS: Ooh. And it’s on Google Drive too. That’s even worse.

CHARLENE: Well tell me why that’s so awful. I have a password on it.

TESS: Alright. So let’s talk about password management techniques prior to the solution that I’m probably going to recommend. The first, most common one is to write it down, and there are plenty of memes around this, but you’ve probably heard of, or might have, a family member who has an array of post-it notes around their monitor about different logins that they have. There was an internet meme that went around where there’s a literal password book that says Passwords on the cover that you write them down in.

IVAN: Very secure. <jesting>

CHARLENE: You can buy those books.

IVAN: You can, and you shouldn’t. You shouldn’t buy those books.

TESS: You really shouldn’t.

CHARLENE: I like stationery stores and there’s tons of them there with all my passwords, and you know grandmas and grandpas are buying them for themselves.

IVAN: Don’t do that.

CHARLENE: I don’t. Can I get some credit for not doing it in a book?

IVAN: Well...

TESS: The thing is that if it’s in a physical book, then it’s a different security problem that you have to deal with. It’s a physical security problem. So now you have to worry about whether your working environment is physically secure. So, that’s going to include—do you have locks? Do you have that book in a locked drawer? Do you have it just locked in your house? Can any of your guests just walk through and find your credit card number and your bank login and charge you for their time while you’re visiting them? Or is any of this stuff visible from a window, because it is possible to actually scrape that visually using telescopic lenses, telephoto lenses or telescopes in order to grab the passwords when they’re just physically open. There was an excellent example of this where someone is on a rooftop with their laptop, and they have their keys on the desk, and the keys have attached to them an RSA-secured number key, and you could see that from the telescope from another building a block away, four stories up.

IVAN: Yep, I read that.

TESS: That’s a physical security problem. Human beings have long since managed physical security. So in a lot of cases we’re a lot better at it, because it’s more intuitive. But, now let’s talk about computer-centric means of storing passwords. The most common one is the passwords.txt approach, where you have a file on your computer that has all your passwords in it. There are a few different problems with this. One, it’s in a semi-ephemeral state, because if your laptop crashes, if your hard drive crashes, if you have a cat and it walks over your keyboard while the file is open and then you close it and it autosaves, then all your passwords are gone. Those are all really big problems with the local storage approach. This doesn’t change if it’s a text file, an Excel doc or a Word doc; it applies to any file that’s solely stored on the hard drive. The problem is that there’s a penetration surface that now exists where, if your system is compromised, someone could scrape your file system, find that file and they’ve got your passwords, because they’re all in plain text on your desk. And that’s bad.

CHARLENE: So, they're all warning you now if you’re on wi-fi at a coffee shop that doesn’t have a secured router with a password that someone could just hop onto your computer and get things like that.

TESS: It’s more complicated than that.

IVAN: I think the general rule with coffee shops is if there’s no password that means there's no encryption of your traffic. If there’s a password then there’s some sort of encryption. Which means that no one, in theory, could listen to what you’re saying on the network so to speak. There’s no password, there’s no encryption.

TESS: In theory.

CHARLENE: So Ivan, that’s why you talked me into getting a VPN to protect for that. But that’s a whole other topic.

IVAN: That’s a different discussion, but yes that’s a good start. Well done.

CHARLENE: I did something, yay.

TESS: So the third case—and this is the case that we’re seeing a lot with people my age and your age, Charlene—is that people will store their passwords in a text file, or the equivalent, on a cloud hosting provider like Google Drive or Office 365. This is actually worse. The reason why it's worse is that instead of having to get into your system and scrape your file system, for which your operating system has several different layers of protection, you are now in an inherently foreign and hostile medium that is under constant attack, because everybody knows what the URL to Google Drive is. If there’s a slip-up in Google’s configuration, or you mistakenly share a directory or the file itself in your Google Drive, you’re compromised and there’s no way to walk that back.

CHARLENE: Even if I set a password to the document?

TESS: It doesn’t matter. They’ll be able to find a way around it.

IVAN: But the password makes you feel better, but it’s not a protector of that file. In fact, as Tess was alluding to, your local system is actually harder to penetrate than Google Drive is because it's physically in your presence. You can switch it off and you can see it. Someone needs usually physical access to it to get to that file.

TESS: And we’ve had more years behind that kind of security than the kind that would be for an online service, like just putting it in Google Drive. And Google Drive does not assume that the files contain sensitive information by default.

CHARLENE: I did not know that.

TESS: And that is the problem.

CHARLENE: In my defense too, I guess I had a false sense of security thinking that Google is the behemoth of the world, they have to be somewhat secure.

TESS: It’s reasonably secure, but you also have to remember that if anything that you store on there is in a format that you can read without any additional layers of technology on top of it, so can they.

IVAN: And so can anyone who gets to that file.

TESS: Or breaches her login.

IVAN: Right. That’s right. So if you share that file with anyone or you have your Gmail account compromised they will have access to that file as well.

CHARLENE: Hold on a second. If my Gmail account is compromised, they would have access to my Google Drive?

IVAN: Right.

TESS: It’s the same login.

CHARLENE: Oh duh. Yes. I feel stupid now. And I’m usually pretty smart about these things. Apparently, I’m not. And you know what else I end up thinking too is, for years it was like Macs aren’t hackable right?

TESS: <giggles> That’s not really true and it never was true as a matter of fact.

CHARLENE: They’re less hackable than Windows aren’t they?

TESS: Well, let me put it this way. If you actually go to a big tech security conference, you never see a Mac. People who work in the information security business don’t use Macs. There’s a reason for that. They tend to use Windows systems. There’s more tooling around information technology security in the Windows world. Mac OS and Apple in general like to use one particular tactic for security above all else, which is obscurity. The problem is security through obscurity is not security. It’s a nice tactic to sell it. And we’ve been seeing in the last six months there have been major, major breaches of Mac OS that go back seven years of vulnerability, that they’re only now fixing. So Mac OS has never been unhackable. There is no unhackable operating system.

IVAN: Ok, so now that we know you use one master Google Doc to store all.

CHARLENE: I didn’t say all, I said some.

IVAN: Some. Ok. So you’re storing your most…

CHARLENE: To any hackers listening right now…

TESS: The other problem is that it’s also undeletable off of Google Drive.

CHARLENE: What! Even if I take them down now I’m still screwed?

IVAN: Yeah, you’re still screwed.

TESS: Because they’re persistently stored in Google’s cloud even after deletion within the Continental United States, because they can do that.

CHARLENE: No one told me that.

IVAN: You can’t assume that when Facebook or Google or a behemoth says that they’ve deleted something, that they’ve actually deleted it. I think you have to assume that they just flipped a flag that makes it look like it’s deleted to us.

TESS: This is why GDPR exists, because a lot of organizations did not delete things, and they had to actually sue and make a law to force their hand to make them delete things and this is why GDPR was written so broadly and why any company that’s supporting business from the EU now supports it. And some companies have outright said “fine, we’re just not going to do any business in the EU,” and you could tell what kind of scruples they have.

IVAN: Exactly. So Google Doc storage bad right? What’s the answer? What should we be doing?

CHARLENE: Well hold on a second. What about the flipside? Like I said, most of my passwords I let my computer store and why’s that bad?

TESS: Well, ok. So, when you say “I let my computer store” that is kind of generic, and it depends on the particular mechanism that is being used to store it. Because there are multiple operating system level password managers. OS X has Keychain, which is the operating system-level password management system, and that’s reasonably secure because it’s locally stored. I do not believe that it’s backed up to iCloud, I could be wrong about that. I believe it is also locally encrypted.

IVAN: The Keychain, Tess, just to interject: you can check a box and have it, not backed up to iCloud, but shared amongst all your devices, in which case I think you have to assume it’s stored in the cloud.

TESS: Oh, that’s stupid.

CHARLENE: Yeah, because when I just updated my OS on my new computer I noticed that something I’d entered on my hard drive as a password showed up on my phone that I know I hadn’t entered on my phone.

TESS: So, yeah, that’s backed up to iCloud.

CHARLENE: That’s not cool.

TESS: No, and it’s billed as a convenience service, but it’s also one of those “it works so well and I don’t have to think about it.” Exactly. You don’t have to think about it. How are you vulnerable then? What you don’t know can hurt you a lot when it comes to security.

IVAN: I think it has to be said Charlene, all of the usernames and passwords you have in your Google Drive right now in that doc, you are going to need to change all of them. I just want to make sure we actually say that.

CHARLENE: Yes. Agreed.

TESS: At least the passwords. Usernames are a little bit less of a thing to change actually. They can be publicly known entities, and at that point, they might as well be considered public information.

IVAN: Thank you for clearing that up. I did mean passwords.

CHARLENE: Well, I’ll be out the rest of the day then, so cancel my meetings. So what should I be doing after I change all of my passwords Tess?

TESS: You should probably be using a password manager. And, the password manager is going to be a dedicated piece of software, which is intentionally designed to store secure and compromising information like logins, bank numbers, credit card information. Most of them are intended for password management only, but they also store other stuff. The reason why these are solutions to recommend is that they organize it fairly well, they have a very good focus on integrating with the operating systems and devices that you use so that it becomes easier to use. They are all encrypted by default, and they all have a security focus by design, which is something that you can’t say for Google Drive. And, there’s a number of different password managers you could use. There’s OnePass, there’s LastPass. I think TunnelBear has RememBear which is a new one.

IVAN: There’s BitWarden that I also like. I don’t know if you’ve heard of it before, Tess, but it's open source and a service, and works much like OnePass and LastPass do.

TESS: And all of these fall under the category of a service. So this is a password management service. Now there are also local password managers, which are dedicated to only storing passwords on a local file system. These are going to be things like KeePass, and there’s another one that’s a Unix-centric one that’s just called Pass, because UNIX. Those tend to be completely open source and they do pretty much the same thing. They organize and manage passwords, but they also do one other thing, which is perhaps the best thing you could do with passwords: they generate them. The best, most secure password is the one you can’t remember, because not even you know what it is.

CHARLENE: So it’s all that big bag of random letters and numbers right?

TESS: And symbols. Yeah. The reason why that’s the best strategy to go with is because you’re no longer sharing passwords which is a common thing that human beings like doing, because human beings only have a limited memory capacity and they tend to like using the same password over and over and over again in multiple services. And by the time you get to about seven different ones, you can’t remember the difference between them, and it gets way too complicated to remember, and that’s where these password managers step in. They allow you to remember just the site, or the name of a thing and then match that to whatever random password you generated for it. And this is another good thing. If the service that you’re using that login on is compromised, and your password is compromised, none of your other accounts are compromised, because none of your other accounts have the same password, and you just have to invalidate one instead of everything or a lot of things.

IVAN: I think what you’re saying is it reduces the size of your vector surface, your attack surface. And the other thing that random passwords do, or at least generators do, is it allows you to create a password that’s very long. So, if you’re not going to be remembering that password, there’s no reason why it has to be eight characters or ten characters or 15 characters. You can set that to be 32 characters, or 64 characters. The longer a password is that you don’t have to remember, if someone is going to try to break into your account with some sort of brute force attack, the longer the number of characters in your password, the longer they have to spend in computing cycles to try to break that password. And, it’s exponential every time you add another character to that length the computing time goes up, not by one or two, it goes up more than that.

CHARLENE: Well, that was going to be my next question. If someone breaks into, say I do 1Password, because I know you mentioned that before Ivan, so then if someone breaks into my 1Password account they will have all my passwords?

IVAN: That is true. So, if you use a password manager, the single point of failure, or the single point of entry is that one password that you have to remember to get into the password manager, because the password manager will use that one password not just to allow you access to your own things, but also to either salt or encrypt the data that you’re storing. So that in theory they aren’t able to get to that information either and neither will anyone if they get the storage medium or the files where all of that information is stored they will still need your password to get in there. And so, a company like 1Password will do everything it can to get you to create a master password, a master phrase that is very long that only you will likely be able to remember and that won’t be easily cracked. And then it does things like have you write them down, write that password down in an emergency backup piece of paper and then take it to the bank into your safe deposit box or fold it and put it somewhere else that’s secure, so that if you do happen to forget your master password, there’s a method to recover it. If you don’t have that backup you are literally screwed, because you won’t be able to get into your passwords.

CHARLENE: I’m surprised they don’t do something like a multifactor authentication.

TESS: They do. Most of these services also support multifactor authentication.

CHARLENE: Can you talk about what multifactor authentication is?

TESS: We definitely should do that. That’s another means to actually add…

CHARLENE: Funny how I know this stuff, yet I kept my passwords in a Google Doc isn’t it.

IVAN: You know the first step is to admit that you have a problem. I think this intervention is going well.

CHARLENE: I’m sufficiently shamed.

IVAN: Multifactor. Tell us Tess.

TESS: So multifactor security is a mechanism by which you supply generally one key, which is a password of some sort, and that’s one that you define, that you create, and in the case of a password manager’s master password, it’s usually the one you remember. And that’s ok, but it doesn’t necessarily mean that it’s secure by itself, because the problem is that if someone tries to breach your password, all they have to do is reach your password. Multifactor security adds an additional layer on top of that. Traditionally it's taken the form of something that attaches to a keychain that has a random rolling series of numbers on it. But more recently it’s been smartphone apps and even USB sticks that generate these with no physical outward sign of what’s going on with them. The idea is these numbers are generated by a randomized algorithm. That randomized algorithm is going to be specifically designed so that it’s hard to track what each number generated in sequence is, and also it’s going to change on a regular time basis that is predictable, so that one side knows what the seed is for your multifactor security, you have the correct number, both sides can figure out what that deterministic multifactor number is at the same time, and if that matches then you can log into your account. However, the problem is that if a third party does this, they don’t have your multifactor key and they’ll get a hard stop, because there’s no way for them—even if they literally have your password—to break into your account, because they still need the multifactor key, which they can’t predict without having physical access to one of these key devices. Or knowing what the seed code is and the algorithm behind it, which tend to be a very tightly guarded secret. It has a very minimal attack surface that only happens when you’re signing up for multifactor security in the first place.

CHARLENE: What are your feelings about biometrics, like my fingerprint for multifactor authentication?

TESS: There’s the story of a dad who got his phone bill back and found he was charged $600 in a game. It turns out he had a phone with a fingerprint reader, and his kids figured out that if I want to buy something on the phone I just have to go over to dad when he’s sleeping and touch his fingerprint on the reader. This is why biometrics, in my opinion, is not really worth anything. I think that it’s kind of a fad, and mostly because trying to get that kind of information is very easily spoofed. We leave it everywhere, more than passwords and it sounds like a fancy sci-fi thing because it’s been used in so many sci-fi works and it’s all garbage.

IVAN: I would agree with that. 

CHARLENE: We don’t have retinal scans yet.

TESS: Those are also garbage.

IVAN: Also garbage.

CHARLENE: Really.

TESS: Yes. Because retinal patterns actually change over time with age, health conditions, what point in the month you are in hormone cycles, if you’re fed if you’re hungry. All of these things change those patterns.

CHARLENE: Tess, is there anything you don’t know?

TESS: I know too much of this garbage because I have no life. I’ve been watching sci-fi since I was a kid and have a very practical engineering mindset and my dreams have been crushed so many times.

IVAN: Oh Tess. Oh Dear. Well, the way I think about fingerprints and iPhone X face recognition…

CHARLENE: I do not let it recognize my face. Isn’t it funny? I have all of these concerns about privacy so I don’t have face recognition on and I don’t like using the thumbprint for things, but yet I did that with the passwords. It just makes no sense.

IVAN: No, it doesn’t. What I was going to say was I almost feel like the biometric thing is being used the wrong way around.

CHARLENE: How so?

IVAN: We’re using a fingerprint or a face print to unlock a phone or a device and we’re using that as the password, where in actual fact those metrics are measurements of our identity. Those should really be the username, not the password.

CHARLENE: Ooh, that’s a great idea.

IVAN: Because you can’t change, for example, your fingerprint on purpose, right? If my fingerprint was compromised and it is my password, then presumably I can’t change it and now it’s always compromised. But if it's an identifier of who I am, it’s the ID, it’s not the mechanism to enter the information about my ID, which is kind of how the police have always used it, right. You see detectives dusting fingerprints. Yeah, that’s my ID. Why did we switch to using it as a password?

CHARLENE: That’s a really good point. It’s not going to be long before we have like DNA…that’s my password or that’s my identifier.

TESS: No one has seen Gattaca have that.

CHARLENE: I have seen Gattaca. Skin cells...there’s no way to avoid skin and hair cell loss. That’s my takeaway.

TESS: Exactly.

CHARLENE: That’s why people are stupid. And I also watch a lot of forensic file shows and I’m just like, people are so dumb. You can’t avoid leaving your DNA. You just can’t. 

IVAN: We’ve determined that we should be using the password managers and password management is one of the components of Blueprint like I said earlier today. We use 1Password at TEN7. 1Password is wonderful for various reasons. It allows us to compartmentalize passwords by client and by project. It allows us to take those vaults that have those compartmentalized passwords and usernames and share them with our clients, where they can add passwords or change passwords. It allows us to share that information internally with developers and with business folk. And it allows us to document that knowledge in some way online and as part of our other processes. I wonder if we shouldn’t talk a little bit about kind of good password habits.

You’re now using a password manager, and you’re letting the password manager generate all of these new passwords for you. What should your new behaviors look like that might be different than behaviors in the past? In the days of old, you would use one password for more than one account, right? You really shouldn’t do that. You really shouldn’t have the same password for your email as you do for your bank account; as you do for your mortgage payment; as you do for your computer, for example. So, the first habit you should change is diversifying your passwords. The first thing you should check is “do I have the same password for my email as I do for one or more of my bank accounts?” And if I do, I should change those first. Likely your email password, because if someone breaks into your email, they can reset any of your bank account passwords. So, that’s probably the first thing you should change.

CHARLENE: But is that moot if I’m having a password manager generate all my random passwords though?

IVAN: That is definitely moot. I think though it’s a continuum because my guess is that people, who haven’t had best practices around their passwords, likely aren’t going to suddenly become best practices implementers and they will likely still want to hold onto some passwords that they can still type in, like their email.

CHARLENE: Baby steps.

IVAN: So baby steps. Yeah. Baby steps.

CHARLENE: Ok, so the number one thing is make sure you don’t have any of the same passwords for your things anywhere.

IVAN: Exactly.

CHARLENE: Well, but if that is your baby step, then how do you recommend people saving those somewhere?

IVAN: The first step is to get a password manager and then start changing all the passwords that you have. Perhaps the ones that are most vulnerable first, like if you happen to put them on a post-it note or maybe a Google Doc.

CHARLENE: Based on that, though, it sounds like the post-its are a hell of a lot safer. You know how long it’ll be before we all have our own hardware personal password generator that’s just tucked into something? You know, like you said, on a keychain. Most of the time it’s just corporations that pass those out. I’ve done gigs where they’ve given me the random password generator keychain thing. Wonder how long it’ll be before we all have those?

IVAN: I think we can have all those. We can do that now. You have a device in your pocket. You install 1Password and boom you have that. We’re living in the future Charlene.

CHARLENE: I missed that part, I’m sorry. So, 1Password does do that. Those random password generators, those would generate something new like every half hour. These don’t do that though right? Or do they?

IVAN: Well, they kind of do but that’s not what they’re called. So, 1Password is the name of the app and there’s also LastPass. Those are different. I just want to make sure we get those names right. But the 1Password app and service you install on your computer and also on your phone. In both locations you can use the tool, the app, to generate a password, a 64 character password, a 32 character password, and then you would save it with your username in the app and so the app would store that newly generated random password and then you would physically have to go to the website where you now created this new password for and log into the service and go to the change password screen and then change the password to that randomly generated password that you just created in the app. But then there’s also the ability for the password generator to generate this token that Tess was talking about earlier that changes every 30 seconds, that you can use in the multifactor login process. This is that 6-digit character. In the past that used to be on a keychain. It still exists on keychains, but your password manager can do that for you now as well. I would actually recommend not doing that. My feeling for having that token in the same place as your password manager is actually that they shouldn’t be in the same location, because very often to access some service you need that extra token and if your password manager has been compromised and your token is being generated by your password manager, then there’s no use having that multifactor at all, because they can just get the token out of the password manager. So my recommendation is to actually store the token generation in a different tool. I would likely recommend Authy. You can also use Google’s token manager. I think it’s called Google…

TESS: Google Authenticator.

IVAN: Google Authenticator, that’s right. Yes.

TESS: There’s also YubiKey which is a physical solution.

CHARLENE: What is it?

TESS: YubiKey.

IVAN: Do we think we have a series of things you know that you’re going to do immediately after we get off the recording of this Podcast Charlene?

CHARLENE: Yes. Number one is I’m going to go to the Google Doc and since deleting it does nothing, I’m going to make a list of all the passwords that I had in there and go and immediately change them and then I’m going to go get 1Password and do everything that you said in the show to get all my passwords completely random so I’m not tempted to put them in a Google Doc.

IVAN: I love it, and you know what? We’re going to make it easy for you with 1Password. We’re just going to add you as a user to the TEN7 account because you should have access to some of the credentials we have, some of the projects that you’re working on and you can get started like that. That’ll hopefully be even easier.

CHARLENE: You’ve told me what I should do with my personal passwords, but we need to talk about what people should do in a business setting. Can I use my same personal password for my work passwords? Or should there be a separate app for that? 

TESS: There are a few different things. My personal preference is to always have a strict separation between your personal passwords, in one application, and the business ones, which should be in another application. If you’re a freelancer this gets a little muddy, because they can be the same in some cases. But if you are working for another company as a full-time employee, it’s best if they mandate their password manager that’s attached to your business email account, and then you have one that’s separate that’s yours. The reason is, one, it’s practical, because if you quit jobs or change jobs or something else happens, you still have your passwords, you don’t need to change anything. On the other hand, some businesses can actually have administrative access to personal vaults and that means they can decrypt them. So you have to be really careful about that sort of thing as well.

CHARLENE: Can you explain vaults? Ivan mentioned that before. What does that mean?

TESS: That’s what 1Password calls what’s effectively a folder. It’s a means of organizing the password content. So, if you imagine that each unique piece of information can be a password inside of a password manager, those usually get organized into either a series of labels or a series of folders, or 1Password calls them vaults, because they want to be fancy. It’s still the same thing, it’s a folder.

CHARLENE: So does that also mean that as a company they will set up a vault for each client, so then as a new person comes on that vault is just shared with the new employee? Like, these are all the passwords for these clients’ things?

TESS: It depends on the scale of the organization I think. That gets into a completely different human management question, because if you have lots and lots and lots of passwords, you might only give access to a department. They might have their own standard vault. If they work with a lot of clients that business might create multiple vaults per client. It depends. But an important thing to note is that these vaults, these folders, also tend to be the unit of sharing in password managers. So what happens usually is, if you have a client which needs to send you a password for a system, you don’t want them to email it to you, and you don’t want them to say it over the phone and then say “was that an asterisk or not?” five or six times. Instead, it’s better to share access to a particular vault/folder with them and then they can input the data directly, and then they only have a small piece of access in order to do what they need to do, while you have control over everything that’s in that vault/folder, as well as everything else that’s in your account.

IVAN: Great. Charlene, thank you so much for allowing us to give you a hard time about passwords.

CHARLENE: It’s well deserved, sounds like.

IVAN: You’ve been listening to the TEN7 Podcast. Find us online at ten7.com/podcast. And if you have a second, do send us a message, we love hearing from you. Our email address is podcast@ten7.com. And keep an eye out for the next episode of this Blueprint series. Until then, this is Ivan Stegic. Thanks for listening.

Ivan Stegic

Founder and President
 

Words that describe Ivan: Relentlessly optimistic. Kind. Equally concerned with client and employee happiness. Bowtie lover. Physicist. Ethical. Lighthearted and cheerful. Finds joy in the technical stuff. Inspiring. Loyal. Hires smart, curious and kind employees who want to create more good in the world. His favorite things right now: the TEN7 podcast and becoming the next Björn Borg.

Tess Flynn

DevOps Engineer
 

Tess is TEN7’s Swiss Army knife. She’s an ever-present force in Drupal and a frequent speaker at events, where she's known for comic book-style illustrations in her presentations. Her superpower is problem-solving—she’s always finding ways to improve a site’s infrastructure and efficiency, and she has the rare ability to look holistically at a situation through human requirements, not just those of technology and business. She also loves sleuthing out the source of hacks, especially the ugly and ingenious ones. Tess has encyclopedic knowledge of horror/sci-fi ranging from schlocky and campy to highbrow. She loves Star Trek, where the engineers use their skills to help people.