Best practices for password management in a small company

I was wondering what software or strategy people use to manage a list of accounts and passwords amongst a small team. Right now, we're using a Google spreadsheet, which is pretty unscalable and insecure. I am considering switching to Common Key (http://commonkey.com/) or PassPack (http://passpack.com), but perhaps other people have a better way of managing this information that does not rely on browser extensions.

In particular, any strategy that would allow us to store passwords for internal servers as well as our cloud accounts would be helpful.


Thanks,

Kev

11 Replies

Michael Hanson
0
0
Michael Hanson Entrepreneur
Entrepreneur in Residence at Greylock Partners
This is a hard problem, Kevin, with no easy answers. But here's a couple thoughts:

1. Whenever possible, don't use passwords. If you can secure your internal and cloud servers using private keys that are physically distributed to laptops, do so. This should be how you handle SSH logins to terminal-based services, for example.

2. Whenever possible, use role- and group-based authentication schemes instead of having common passwords. If your services do not support this, ask for it (professional-grade services should).

3. Make certain your password-sharing scheme matches your actual trust boundaries. If role-based authentication really isn't available, create accounts that represent the roles and distribute trust for them. For example, if there are three people with the power to deploy, then create an account called "deploy" and give three people access to it. Consider creating email addresses for each of these roles and then using server-side aliasing to push it out to everybody that supports that role. (e.g. [removed to protect privacy])

4. Make sure you have a fallback plan if you're compromised or you need to revoke access from an employee or contractor.

5. Consider adopting a mnemonic-pattern based approach - say, a ten-word sentence that you all memorize and extend with an unambiguous pattern derived from the name of the service provider.

Remember that your passwords are there to protect you from two different threats: external bad guys seeking to get at your data, and internal misuse (whether accidental or deliberate). Make sure they are strong enough for the former, and restricted enough for the latter. Don't forget the importance of occasionally auditing usage, just so you keep an eye on things.

Interested to hear what other people recommend as well.

-Mike
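An added example, not part of the reply above or of any tool named in this thread: points 1, 3 and 4 combined, where a shared "deploy" role account holds one SSH public key per person, so revoking one person means deleting one line rather than rotating a shared password. The file contents, owner names and key blobs are constructed placeholders, and the key comment is assumed to identify the owner.

```python
import base64
import hashlib
import shlex

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # OpenSSH public key type names

def parse_line(line):
    """Return (fingerprint, owner) for a key line, None for blanks/comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = shlex.split(stripped)  # keeps quoted options such as command="a b" whole
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_PREFIXES):
            blob = base64.b64decode(tokens[i + 1])
            digest = hashlib.sha256(blob).digest()
            # Same form ssh-keygen -l prints: unpadded base64 of SHA-256(blob)
            fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            return fp, " ".join(tokens[i + 2:])
    raise ValueError(f"unparseable key line: {line!r}")

def inventory(text):
    """Map owner comment -> fingerprint for every key on the role account."""
    parsed = filter(None, map(parse_line, text.splitlines()))
    return {owner: fp for fp, owner in parsed}

def revoke(text, owner):
    """Drop keys whose comment equals `owner`; keep all other lines verbatim."""
    kept, removed = [], []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == owner:
            removed.append(parsed[0])
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed

def _blob(owner):  # constructed placeholder, not a real public key
    return base64.b64encode(f"constructed-key-for-{owner}".encode()).decode()

# Constructed authorized_keys content for the hypothetical "deploy" account
SAMPLE = (
    "# deploy role account: one key per person, no shared password\n"
    f"ssh-ed25519 {_blob('alice')} alice@laptop\n"
    f'command="/usr/local/bin/deploy now",no-pty ssh-ed25519 {_blob("bob")} bob@laptop\n'
    f"ssh-ed25519 {_blob('carol')} carol@laptop\n"
)

if __name__ == "__main__":
    new_text, removed = revoke(SAMPLE, "bob@laptop")
    print(inventory(SAMPLE), removed, new_text, sep="\n")
```

The comment field is free text that anyone able to edit the file can change, so the fingerprint, not the comment, is the value to keep in the access record used for audits.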

Ryan Jackson
1
0
Ryan Jackson Entrepreneur • Advisor
Founder at Paid
We used Meldium (https://www.meldium.com), and I'd be happy to make an introduction if you'd like to speak to the founders.
Thomas Knoll
0
0
Thomas Knoll Entrepreneur • Advisor
Executive Advisor & Business Coach. I help entrepreneurs survive and thrive at building their teams and businesses.
FWIW, I *highly* recommend: http://www.onelogin.com/
Juston Brommel
0
0
Juston Brommel Entrepreneur • Advisor
Growth Strategist & Advisor to CEOs
I've used passpack in my last few companies. We set up one paid account that key staff have access to. We share from this central account to each user's individual account. Works nicely for sharing with third parties. A bit cumbersome to sign up, but solid otherwise. I am eager to hear everyone's experience with commonkey. What are the benefits/differences from passpack? Best, Juston
Renee DiResta
0
0
Renee DiResta Entrepreneur • Advisor
Vice President of Business Development at Haven
I'm curious - why the "no browser extension" caveat? I've seen some fantastic options that manage that way. I use one personally, and it's relatively effortless.
Rand Owens
1
0
Rand Owens Entrepreneur
CoFounder Spartups Accelerator
Just get 1password. You will be happy you did. When connected to a team, it holds and stores all passwords. Although, it is a plugin/extension too...
Kevin Matthews
0
0
Kevin Matthews Entrepreneur
Director of Engineering at Action Factory
My hesitancy on browser extensions isn't a deal breaker. I just don't like the way I will not know my own passwords if I end up using a computer that doesn't have the extension installed. Thanks for all the great suggestions. This has been a very helpful discussion. Kev
Panos Kougiouris
0
0
Panos Kougiouris Entrepreneur • Advisor
Founder at NeatSchool
Rand, what do you mean by this? I use 1password on the Mac and the iPhone but not in a "Team environment". Is that a feature? --Panos
Rand Owens
0
0
Rand Owens Entrepreneur
CoFounder Spartups Accelerator
Panos

If you use Dropbox, you can aggregate all passwords and keep them all sync'd. The problem is, it syncs all passwords, so even those that you don't want others to have, they will have. If you have some programming skills, you can develop around this...
Dan Hopwood
0
0
Dan Hopwood Entrepreneur
Something new (travel space) – currently raising a pre-seed & looking for a Web flavoured CTO. Previously CPO at MSTY.
+1 for 1Password, no need to use anything else