As an independent consultant, I value my customers’ security, particularly around their data.
Why use a Password Manager?
I love data and I believe in protecting it. I believe in trying to fix the people and process aspects of security. So that means, I need to think about how to give my customers access to artefacts safely.
Sometimes I set up trial solutions on Azure, such as Azure Virtual Machines, for my customers. I do believe that Azure is secure. However, we know that people and processes are often to blame for cybersecurity breaches. Since I’m dealing with customers and their data, how can I best get their usernames and passwords to them if I am not with them in real life? This applies to all sorts of technologies: Power BI accounts if I’m setting up trials, logins for Azure SQL Database along with the database server details and so on.
I started to look at Password Managers so I could share details securely with customers. I had a look at two main Password Managers: LogMeOnce and LastPass.
TL;DR I chose LastPass because LogMeOnce had niggles which bugged me, and LastPass was a cleaner, nicer interface that felt more professional for my customers. It boiled down to three things:
- Do you want to have a browser extension?
- Conflict between LogMeOnce and Pinterest Add-ins for Chrome
- Sharing Passwords was a breeze
In terms of security, they don’t differ that much in terms of their integrity.
However, people don’t always use software for its integrity; they use things that they like. Although we are moving towards being data-driven, we are still driven by our gut in a lot of ways.
Do you want to have a browser extension?
LogMeIn insists on you installing a browser extension so you can log in to get to your passwords. LastPass does not require a browser extension, and, for customers, this is much easier. Whether you like it or not, installing a browser extension is a hassle. It’s extra steps that prevent you from getting to what you need to do, and users do not like extra steps. I also noted that LogMeIn didn’t seem to work when it launched itself from within the browser. If I logged in from the extension at the toolbar, it was OK. However, if I tried to log in as an action in response to its challenge ‘Do you want to save this password?’, this didn’t seem to work for me; it just hung. I suspect that this may be due to a conflict with another add-in, but I never got to the bottom of it. It just meant I had to log in to the browser extension and redo the password saving, which felt very manual and added extra steps to my day.
Can I change those passwords automagically for you, Madam?
LastPass Auto Changer is amazing. LastPass will automatically log into your sites and change your passwords for you. Since I had a bazillion sites, it took some time to do it but it worked perfectly. Props to the person who thought of it. Awesome job. It’s like a password butler that takes care of this job for you. I’ve scheduled a note in my diary to do this activity once a month so I can keep on top of password management.
Conflict between LogMeOnce and Pinterest Add-ins for Chrome
I use Pinterest a lot. I love it. I use it to save technical diagrams and infographics about topics I’m interested in; everything from Big Data right through to soft furnishings from my home. This annoyance occurs in Chrome, when you have Pinterest installed as a Chrome Add-in. You already need the LogMeOnce add-in, so this means I have both add-ins.
When you go to the LogMeOnce website, it whacks up a great big picture advertising its services. Pinterest cheerfully recognizes that it is a big picture, and it offers to save it. Unfortunately, the Pinterest ‘button’ to pin the page is right over the ‘Close’ ‘x’ button for LogMeOnce, so you can’t close the LogMeOnce picture advert/challenge. Can you believe it? The LogMeOnce button is a tiny button and it is only in one place, so it gets obliterated by the Pinterest button.
God knows how many times I’ve saved the LogMeOnce advert to Pinterest, just to get rid of the Pinterest button. Usually I have to wait until Pinterest takes the hint and stops trying to save the page. It’s only then that I can get around to the LogMeOnce page and I can close the advert, and FINALLY I get to log in.
I’m too busy for all that.
Sharing Passwords was a breeze
I can share Passwords with both LogMeOnce and LastPass. However, the LogMeOnce niggles meant that I didn’t want to try to get customers to use it as well. LogMeOnce doesn’t work with Edge but LastPass was fine with it. It means I can give the customers a shared password, and they can log into LastPass however they like, and without installing an add-in.
I thought LogMeOnce was fine but these user niggles put me off it. I guess, at heart, we are all just naive users who want to get things done as quickly as possible and LastPass won here because it offered simplicity, whilst seeming to balance my ‘busy-ness’ with an ability to keep my passwords secure at the same time.
I am not a security expert but I do have to think about data security. What do you think? Do you think I made the right choice? What would you recommend?
3 thoughts on “Using Password Managers as a Consultant”
From a security standpoint, Jen, LogMeOnce is a joke. For all their “photologin”, “passwordless”, “auto 2fa” nonsense, anyone can log in to anyone’s account, without needing a password.
LastPass is OK, though their understanding of cryptography leaves a lot to be desired. Personally, I use 1Password. The entire product has a solid whitepaper, allowing anyone to research & effectively audit their technique. By comparison, LastPass feels like an old, antiquated PW manager.
Thanks Paul! I wrote this blog so I can learn from others, so thank you for sharing your expertise. I’ll take a look at 1password, too.
When I finally caved in and decided to use a password manager, I went with Bitwarden. An open source project, ability to run as an add-in to your web browser and iOS/Android app and desktop applications, you can host your own server or use their own one. You can create shared/team passwords, generate passwords in the app, 2FA is coming to the enterprise solution soon.
It’s just nice, lightweight and works. It even has a button to test if your password has been found among released data breaches where passwords were exposed.