How do you handle passwords when an employee leaves the organization?


This question may sound trivial. Before discussing further, let me narrate an incident:

About three years ago, on March 17, 2010, in Austin, Texas, hundreds of cars purchased from a particular car dealer started honking uncontrollably. Worse still, the owners could not start the cars because the ignition systems had been disabled. The owners had no idea what was happening and had no option but to disconnect the battery.

Following hundreds of such complaints and anxious moments, the car dealer investigated with the help of the police and found that a sacked employee had gained unauthorized access to an internal IT application and turned on the web-based vehicle-immobilization system, which is normally used to get the attention of customers who are delinquent on their auto payments. The techie had apparently taken revenge on the dealer for laying him off.

Soon after sacking him, the car dealer had promptly terminated all of his access, including access to the vehicle-immobilization application. But he knew the credentials of a colleague, and he used them to gain unauthorized access to the application.

Now, coming back to the question: How do you handle passwords when an employee leaves the organization? Does your organization have an effective ‘de-provisioning’ process in place to ensure that the former colleague can no longer access your applications or data?

The saying ‘out of sight, out of mind’ does not hold good in all cases. Most employees who leave an organization forget their former employer and concentrate on what is happening in the new one. Occasionally, though, a disgruntled ex-colleague, a sacked employee, a terminated contractor or a greedy techie turns bad, and then you have a problem on your hands.

The Austin car-honking incident is a classic example of the kind of insider threat organizations are prone to. A single disgruntled employee leaving the organization can wreak havoc on the business or cause huge financial loss if user de-provisioning is not handled properly. De-provisioning includes not just terminating access to key IT systems and applications, but also resetting the passwords.

Conversely, certain online accounts might be ‘owned’ by the person leaving the organization. If he fails to hand over or reveal the account details to someone else, the account effectively becomes an orphan, which poses a different kind of problem.

Tracing Access – The Key Challenge

When an employee leaves the organization,

  • it is essential to carry out a careful review of the access permissions granted to him/her
  • access has to be terminated and passwords must be reset
  • passwords owned by the person should be transferred to someone else
  • the password-sharing scenario has to be reviewed. Users often reveal passwords to their colleagues for one reason or another. The most common reason for such an ‘unofficial share’ is to cover an emergency in one’s absence, for example a manager revealing the password of an application to a senior team member before going on vacation.

The key challenge here is finding out the list of all applications and resources accessed by the person leaving the organization. With the proliferation of online applications, it is indeed a daunting task to trace all the applications to which the person had access. Tracing the ‘shared passwords’ is another tricky scenario.

If you can’t trace access, the safest option is to change the passwords of all applications, sites and resources. Needless to say, this is cumbersome, arduous and time-consuming.

Centralized Password Repository – The Ideal Solution

The ideal solution to this problem is establishing and maintaining a centralized password repository using a Password Manager. You keep all your logins in the centralized vault and grant access to employees selectively, based on job roles and responsibilities. By looking at the dashboard, you know ‘who’ has access to ‘which’ applications and accounts. When an employee leaves the organization, within minutes you can pull a report of the applications accessed by him/her and change the passwords of those sites or applications alone. You can also overcome the sharing-related issues with a Password Manager: you may restrict the passwords from being shown in plain text to the users you share them with. The users are then only allowed to launch a direct connection to the site/application, without ever viewing the password.
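The de-provisioning steps listed above (review access, revoke it, reset the touched passwords, transfer ownership, and catch orphaned accounts) are easy to automate once every login lives in one repository with a recorded owner and share list. The following is an added example written for this post, not code from Zoho Vault; the vault model, user names and application names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Credential:
    name: str                     # site or application the login belongs to
    owner: str                    # user accountable for the entry
    shared_with: set = field(default_factory=set)  # users granted access
    needs_rotation: bool = False  # set once someone who could see it leaves


class Vault:
    """Constructed model of a centralized password repository."""

    def __init__(self, entries):
        self.entries = {e.name: e for e in entries}

    def accessible_by(self, user):
        """The access report: every entry the user owns or was granted."""
        return sorted(e.name for e in self.entries.values()
                      if e.owner == user or user in e.shared_with)

    def offboard(self, user, successor):
        """De-provision one user: revoke every grant, flag only the entries
        the user could see for a password change, and move ownership of the
        user's own entries to a named successor so nothing is orphaned."""
        touched = self.accessible_by(user)
        transferred = []
        for name in touched:
            e = self.entries[name]
            e.shared_with.discard(user)
            e.needs_rotation = True      # unique passwords elsewhere stay put
            if e.owner == user:
                e.owner = successor
                transferred.append(name)
        return {"rotate": touched, "transferred": transferred}

    def orphans(self, active_users):
        """Entries whose owner is no longer in the user directory."""
        return sorted(n for n, e in self.entries.items()
                      if e.owner not in active_users)


# Constructed sample data, not from the article.
vault = Vault([
    Credential("immobilizer-app", owner="alice", shared_with={"bob"}),
    Credential("crm", owner="bob", shared_with={"alice", "carol"}),
    Credential("payroll", owner="carol"),
    Credential("dns-registrar", owner="dave"),   # dave left without a handover
])

if __name__ == "__main__":
    print(vault.offboard("bob", successor="carol"))
    print(vault.orphans({"alice", "carol"}))
```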

If you are wondering which password manager to use, take a look at Zoho Vault, an online password manager that serves as the centralized repository for all your passwords. It helps you securely store, share and manage your passwords and other sensitive data and access them from anywhere. Try Zoho Vault, now!

Security breaches and password reuse


How many times in the recent past did you receive advisories asking you to reset the passwords of your online accounts? 

  • Just a couple of weeks ago, MOZ.com, the popular internet marketing software company, advised all its customers to reset their MOZ account passwords because the encrypted portion of some member passwords was made public for a brief time.
  • About a month ago, the online daily-deal company LivingSocial Inc. alerted its 50 million users to reset their account passwords following a cyber-attack on its computer systems that resulted in unauthorized access to some customer data on its servers.
  • On March 2, 2013, Evernote revealed that hackers had gained access to its network and had been able to access user information, including usernames, email addresses and hashed passwords. About 50 million Evernote users were asked to reset their passwords.
  • Nearly a year ago, over 6.46 million hashed passwords were reportedly stolen from LinkedIn. Following that, LinkedIn asked the affected users to reset their passwords.
  • In early 2012, cyber-criminals had apparently gained access to the internal network and systems of the popular online shoe and apparel shop Zappos through one of its servers in Kentucky. Zappos suspected unauthorized access to its customer information and asked customers to reset their passwords.

These are just a few prominent examples. The full list would fill volumes.

Resetting the password in the affected site alone may not be sufficient!


When you receive advisories like the ones mentioned above, you promptly change the password on that site and feel secure. But the harsh truth is that passwords and other sensitive data exposed on a single site could potentially affect your entire online life. This is because of the simple fact that most of us tend to use the same password on all sites and applications. So the hacker who succeeds in cracking your password actually gets the ‘master key’ to all your accounts.

Just consider these scenarios:

  • An employee has used the same password for his social media accounts as well as for work email and VPN. A data exposure at just one site could invite hackers to your organization’s doorstep!
  • You are using the same password for your social media account and for your online financial accounts. A password exposure at one place could potentially drain your account.

So, when a security incident happens at one of these places, you should reset the passwords of all your other online accounts too. But before you can do that, you need the list of all online applications in which you have an account!
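The reasoning above (a breach notice for one site means every other account sharing that password must be reset, and you need the full account list to know which ones) can be run as a check over a list of logins. This is an added example for this post, not code from Zoho Vault; the sample accounts, passwords and dates are constructed, and the comparison uses keyed fingerprints so the report never carries a password in the clear.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta


def fingerprint(password, key):
    """Keyed hash of a password: equal passwords give equal fingerprints,
    but the report built from them never contains the password itself."""
    return hmac.new(key, password.encode(), hashlib.sha256).hexdigest()


def accounts_to_reset(vault, breached_site, key):
    """After a breach notice for breached_site, list the OTHER accounts that
    share its password. Accounts with unique passwords are left alone."""
    fp = fingerprint(vault[breached_site]["password"], key)
    return sorted(site for site, e in vault.items()
                  if site != breached_site and fingerprint(e["password"], key) == fp)


def reused(vault, key):
    """Groups of sites that share one password (the 'master key' problem)."""
    groups = {}
    for site, e in vault.items():
        groups.setdefault(fingerprint(e["password"], key), []).append(site)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def stale(vault, today, max_age_days=90):
    """Accounts whose password has not been changed within max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(site for site, e in vault.items() if e["changed"] < cutoff)


# Constructed sample vault; these are not real credentials.
SAMPLE = {
    "social":     {"password": "Winter2013!", "changed": date(2013, 1, 5)},
    "work-email": {"password": "Winter2013!", "changed": date(2013, 4, 1)},
    "vpn":        {"password": "Winter2013!", "changed": date(2013, 3, 20)},
    "bank":       {"password": "u8#Lq!2vRz$mT0", "changed": date(2012, 11, 30)},
    "deal-site":  {"password": "Winter2013!", "changed": date(2013, 4, 20)},
}
KEY = os.urandom(32)   # fresh per run; fingerprints are only compared locally
TODAY = date(2013, 5, 1)

if __name__ == "__main__":
    print("reset after deal-site breach:", accounts_to_reset(SAMPLE, "deal-site", KEY))
    print("reused:", reused(SAMPLE, KEY))
    print("stale:", stale(SAMPLE, TODAY))
```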

There is no magic wand: Use a unique password for every site

It is always prudent to have a unique password for every website and application and to supply it ONLY on that site/application. When there is news of a password exposure or hack, you can change the password for that site/app alone. Changing passwords frequently, as a habit, is also highly recommended.

But here comes the problem: you will have to remember multiple passwords, sometimes tens or even hundreds of them. It is quite likely that you will forget some, and at the moment you need one most you will struggle to log in. The result is password fatigue.

The way out: Use a password manager

Just as you have an email account, consider having a password manager too. To combat cyber-threats, proper password management should ideally become a ‘way of life’. Password Managers securely store all your logins and passwords. In addition, you get the option to launch a direct connection to websites and applications from the password vault’s GUI itself, sparing you even the copy-and-paste: logging in is just a click away. Once you deploy a Password Manager, you can say goodbye to password fatigue and security lapses.

And, Zoho offers Zoho Vault, an online password manager, which solves all your password management problems. Try Zoho Vault!

Introducing Zoho Vault, Online Password Manager for Teams


While the excitement over the announcement of Zoho Pulse, the social network for businesses, is still fresh, here comes yet another announcement. We are glad to introduce Zoho Vault, an easy-to-use online password manager for teams and businesses.

Same password everywhere is a potential security threat

With a variety of online applications occupying every aspect of our lives, we cannot get rid of passwords. Human memory has its obvious limitations, and it is a tough task to remember even a handful of passwords. This naturally pushes us to coin an easy-to-remember password and use the same one everywhere: social media, banking, brokerage and other business accounts. Password reuse is a potential security threat. If the password is exposed on one of the sites, in all probability hackers will easily gain access to all your other accounts too. Here comes the big question: How do we use unique, strong passwords without worrying about remembering them?

Your former colleague could still have access to your accounts

The case with business establishments is still more complex. With the proliferation of password-protected online accounts and IT assets, businesses are drowning in a pile of passwords. Sensitive business passwords are mostly stored in volatile sources like Excel spreadsheets, printouts and text documents, and shared among work groups without relevant protection; passwords are reused across sites and applications and, worse still, weak, easy-to-remember passwords are often assigned. There is absolutely no trace of ‘who’ is accessing ‘what’, and a former employee could still be accessing your accounts. Obviously, this haphazard style of password management leaves organizations open to security attacks and identity theft.

Zoho Vault solves your password problems

Zoho Vault helps you securely store all your passwords, online credentials, financial records and other sensitive information in a centralized repository, generate strong, unique passwords, organize them for easy access and management and also safely share them among work groups. It solves all the problems related to storing, sharing and managing the passwords.


The market is flooded with password managers, with personal password managers at one end of the spectrum and enterprise solutions at the other. While the personal password managers fail to cater to the specific needs of businesses, the enterprise solutions prove too complex and expensive. Zoho Vault bridges this crucial gap by offering a feature-rich, easy-to-use, highly secure and affordable online password management solution that can be put into production within a few minutes.

Highlights of Zoho Vault

Safe, secure and offers complete data privacy

Passwords are encrypted with the strongest known encryption standard, AES-256. The encryption key is entered by the user and is not stored anywhere. The server holds only encrypted data, and the encryption key never leaves your browser. Thus the passwords remain completely private: only you can decrypt and view the data, and no one else can, not even Zoho employees.

Secure sharing among work groups

Zoho Vault provides a way to securely share passwords among the trusted members of the organization, with different access privileges for each. The sharing process has been designed to follow the highest standards of information security and privacy. Sharing can be enabled or revoked in real time with a single click.

Direct login to websites & applications

Once you deploy Zoho Vault, you will never again need to type or copy-paste passwords to log in to websites or applications. You can launch a direct connection to any website or application from the Zoho Vault GUI, without even viewing the password.

Appealing to businesses of all types, sizes

Zoho Vault has been designed keeping in mind the requirements of businesses of all sizes and types, including SMBs, Enterprises, MSPs, Online Marketing Firms, Web Professionals, and IT teams that are struggling with shared passwords.

Tools & Utilities

  • Grouping of passwords and secrets for better access and management
  • Clear-cut ownership for all passwords; Provision to transfer ownership when someone leaves the organization
  • Provision to enforce password policies
  • Import and export passwords and secrets
  • Secure offline access mechanism for passwords and secrets
  • Comprehensive audit trails for all user actions
  • Two factor authentication for increased security
  • iPhone app for access to passwords while on the go

Absolutely FREE for personal use and affordable for businesses

Zoho Vault is available in two editions – personal and enterprise. The Personal Edition is completely free and allows having one user. The Enterprise Edition is priced at $1/user/month. Refer to the Zoho Vault pricing page to know more about the editions.

Sign up for a 15-day free trial, credit card not required

You can sign up for a fully functional 15-day trial without entering a credit card. The trial allows you to test with five users. Try Zoho Vault now!