Locker

7. Nov 2017
Password security in the company starts at home

An everyday situation at work: A new application requires a new user to be created and a password assigned. A few weeks later, the password expires and has to be replaced – and of course the new one has to be super cryptic. Who can remember all of this? Wouldn’t it be better to have a single password for all applications and other uses, eliminating the password dilemma …? Not in the least!

This problem is certainly widespread and I estimate that it is “normal” in at least 90% of all companies for a single password to be used for everything. “The security requirements are to blame!” is the frequent response to critical enquiries. But perhaps you should first take a good look in the mirror and ask “Am I a little lazy?”. I know it doesn’t sound nice, but the convenience of laziness is certainly often the main reason for such negligence.

Approach

Let’s move our focus from work to private life and ask ourselves how the many different user names and passwords are handled at home. The situation there is the same, but there are probably even more accounts than at work: the WIFI password, streaming services, online shopping, an e-mail password, not to forget your smartphone, and so on and so forth; there is no end to it. Let’s start a little trial in which everyone can participate. All you need to do is write something down; paper and pen are quite sufficient for this.

Work vs. private

One column on the sheet of paper is labelled “work” and a second is labelled “private”. In the respective columns, write down each application, all access data and other accounts. This provides a quick overview, allowing you to see who the “winner” is. For me it was clearly “private”: this column didn’t just contain twice as many entries as “work”, but around six times as many – and that was only what occurred to me at the time. This little game has shown me that the amount of access data in the private environment is significantly higher than at the company.
A quick question: How do you handle your private access data? Is your motto for this also “one password for everything”? If so, it’s time to change that! Yes, this is at the expense of convenience, but do you not care whether the access data is cheaply sold on underground forums and misused? If this does indeed matter to you, you might at least by now want to think about how to handle the proliferation of passwords.

Paper and/or digital?

The choice is simple because only two methods are available for the permanent storage of access data: the classic approach with pen and paper or the digital solution with a password manager.

Offline Notebook

The paper solution has its own charm. An address book with an alphabetic index is definitely worthwhile. Someone deliberately breaking in to steal the address book belongs to the realm of spy films and thrillers. The biggest advantage of the paper method is clear: since nothing is digital, nothing can be digitally stolen. The biggest drawback, however, is the effort. With cryptic passwords, the fun factor is certainly lacking when you have to record 30 characters with upper/lower-case letters and special characters by hand.

Digital Password Safe

And what about the digital solution? KeePass Password Safe is the most widely used password manager, and manages access data locally on your own device. I do not recommend cloud password safes, because the terms cloud and safe don’t go together. However, opinions differ. I want my data to stay with me, therefore my first choice is KeePass.

KeePass Screenshot

KeePass leaves you no excuses for using a single password for all access data in the private environment. Thanks to the integrated password generator, cryptic and long passwords are also possible. The principle is quite simple: passwords only have to be changed once everywhere, and from then on only one password needs to be memorized, the one for KeePass! And that is not a problem: just write it down and the symbiosis between paper and digital is complete. But then please do not attach the Post-it note to your screen; something a little more imaginative is worth considering.
So far so good, or somehow not quite? KeePass secures access to your own password database with a single password. Hmm, but which should you use, you may ask yourself. My answer would be, it must definitely be one that has not yet been used, and which is stored on paper for security reasons. “And what if my computer is infected?”, might be your next question. Well … there is no such thing as complete security.

The circle is complete

Since everything at home is now clearly and simply regulated (yes, yes, unfortunately at the expense of comfort!), why not also implement the whole thing at work now? Well, you can, because KeePass does not have to be installed! There is a portable version, and therefore everyone can use their own password safe at work without the need for admin access. What you learnt in the private environment is thus also easily applicable in the workplace. I can recommend this in any case, and with the “few” access data my official KeePass database looks quite empty, unlike my private one.

Use IT!

Many employers probably already provide a password management solution and require you to use it – so use it! If everything is already set up, what could be easier than using existing applications and thus existing internal knowledge? So don’t be frightened: get KeePass and start managing your access data. Have fun!

Oliver Bonrad

is a member of the Porsche Client Server Operations team. These colleagues run the technical support for the servers and clients for approximately 320 Austrian car dealerships.