Deploying a password manager product to an entire company?
-
I'm thinking about suggesting that we deploy the password manager product that some of the IT teams use to the entire company.
My reasoning is that we beat on employees to create complex passwords and then give them multiple services they need to access onprem, web, etc. and not all of those services support SSO so you have separate accounts.
So we give them this security requirement but then we don't give them anything to support them.
Has anyone here deployed a Password Manager company-wide? Curious to know how that went.
-
@DarienA Yes and no. We have, but not every employee has a need for it. We use LastPass: simple, effective and free for 90% of our users.
-
@DustinB3403 said in Deploying a password manager product to an entire company?:
@DarienA Yes and no. We have, but not every employee has a need for it. We use LastPass: simple, effective and free for 90% of our users.
Are you saying that you have your users set up their own free accounts, or that you are using, say, the enterprise version and the cost is absorbed by your company for all the user accounts?
-
It goes about as smoothly as you'd expect; just set up your recovery methods and provide an overarching training on how to use whatever tool you are rolling out.
-
@DarienA said in Deploying a password manager product to an entire company?:
@DustinB3403 said in Deploying a password manager product to an entire company?:
@DarienA Yes and no. We have, but not every employee has a need for it. We use LastPass: simple, effective and free for 90% of our users.
Are you saying that you have your users set up their own free accounts, or that you are using, say, the enterprise version and the cost is absorbed by your company for all the user accounts?
We have the bulk set up their own free accounts using their business email address, then we invite them into whatever shared folders they need access to.
-
@DustinB3403 said in Deploying a password manager product to an entire company?:
It goes about as smoothly as you'd expect; just set up your recovery methods and provide an overarching training on how to use whatever tool you are rolling out.
It'll be LastPass. I've used it personally for years, and we rolled out the Enterprise version to some of the IT folks a bit back.
-
@DustinB3403 said in Deploying a password manager product to an entire company?:
@DarienA said in Deploying a password manager product to an entire company?:
@DustinB3403 said in Deploying a password manager product to an entire company?:
@DarienA Yes and no. We have, but not every employee has a need for it. We use LastPass: simple, effective and free for 90% of our users.
Are you saying that you have your users set up their own free accounts, or that you are using, say, the enterprise version and the cost is absorbed by your company for all the user accounts?
We have the bulk set up their own free accounts using their business email address, then we invite them into whatever shared folders they need access to.
By utilizing the free version, though, you lose the ability to force certain requirements and rules by policy, since each free account is technically unmanaged, correct? I've found many of those policies to be very helpful.
-
Without knowing your exact use case, I would just have people sign up as required, unless you're paying for each and every employee.
In any case, you're going to have to hand-hold every employee and walk them through the OTP setup, recovery questions and cellphone details, as I don't think there is any way you can do this for them.
-
@DarienA said in Deploying a password manager product to an entire company?:
@DustinB3403 said in Deploying a password manager product to an entire company?:
@DarienA said in Deploying a password manager product to an entire company?:
@DustinB3403 said in Deploying a password manager product to an entire company?:
@DarienA Yes and no. We have, but not every employee has a need for it. We use LastPass: simple, effective and free for 90% of our users.
Are you saying that you have your users set up their own free accounts, or that you are using, say, the enterprise version and the cost is absorbed by your company for all the user accounts?
We have the bulk set up their own free accounts using their business email address, then we invite them into whatever shared folders they need access to.
By utilizing the free version, though, you lose the ability to force certain requirements and rules by policy, since each free account is technically unmanaged, correct? I've found many of those policies to be very helpful.
Correct, but the users who use the free accounts aren't creating credentials in our environment. They are just accessing services we provide and need a quick and simple way to log in without needing to know the username or password.
-
@DustinB3403 said in Deploying a password manager product to an entire company?:
@DarienA said in Deploying a password manager product to an entire company?:
@DustinB3403 said in Deploying a password manager product to an entire company?:
@DarienA said in Deploying a password manager product to an entire company?:
@DustinB3403 said in Deploying a password manager product to an entire company?:
@DarienA Yes and no. We have, but not every employee has a need for it. We use LastPass: simple, effective and free for 90% of our users.
Are you saying that you have your users set up their own free accounts, or that you are using, say, the enterprise version and the cost is absorbed by your company for all the user accounts?
We have the bulk set up their own free accounts using their business email address, then we invite them into whatever shared folders they need access to.
By utilizing the free version, though, you lose the ability to force certain requirements and rules by policy, since each free account is technically unmanaged, correct? I've found many of those policies to be very helpful.
Correct, but the users who use the free accounts aren't creating credentials in our environment. They are just accessing services we provide and need a quick and simple way to log in without needing to know the username or password.
Understood.
-
@DarienA said in Deploying a password manager product to an entire company?:
@DustinB3403 said in Deploying a password manager product to an entire company?:
@DarienA said in Deploying a password manager product to an entire company?:
@DustinB3403 said in Deploying a password manager product to an entire company?:
@DarienA said in Deploying a password manager product to an entire company?:
@DustinB3403 said in Deploying a password manager product to an entire company?:
@DarienA Yes and no. We have, but not every employee has a need for it. We use LastPass: simple, effective and free for 90% of our users.
Are you saying that you have your users set up their own free accounts, or that you are using, say, the enterprise version and the cost is absorbed by your company for all the user accounts?
We have the bulk set up their own free accounts using their business email address, then we invite them into whatever shared folders they need access to.
By utilizing the free version, though, you lose the ability to force certain requirements and rules by policy, since each free account is technically unmanaged, correct? I've found many of those policies to be very helpful.
Correct, but the users who use the free accounts aren't creating credentials in our environment. They are just accessing services we provide and need a quick and simple way to log in without needing to know the username or password.
Understood.
You can always provide their account a license in your corporate account so that they can add services if you needed to.
-
I have started a slow rollout of this at my company. It's not going very well for multiple reasons.
1) My boss doesn't trust having all of her passwords in a password manager - she thinks it will be hacked.
2) My physicians don't use the same device all the time, they move constantly. Plus they won't even log out of the EHR when they leave an area, why would they bother to log out of LP?
3) My fraking EHR does its password changes in a popup window that LP can't see into, so LP's password change mechanism doesn't work, forcing users to change it manually, then update the vault manually.
4) Our timeclock provider (web based) requires three pieces of information when logging in (username, password, last 4 of SSN). LP has a very hard time reading the field names correctly and thus storing the password and SSN correctly. It normally takes me 15 mins to get that working for users (deleting the vault entry, manually updating specific fields, sometimes deleting fields and re-adding them, etc.).
5) LP won't fill out passwords for sites/applications inside a Citrix session.
6) Not sure this is an issue anymore, but LP being installed into the browser had an adverse effect on performance in one area of our EHR; removing it, the timeout issue was gone. Found no way to tell LP to ignore the page, yet still allow LP to be used for the EHR main logon. (And not sure there was a way to completely disengage LP on any given site at all.)
Now perhaps a different password manager would get around most or all of these problems... but I haven't had time to look into it. Of course, a different password manager won't solve 1 or 2.
-
@Dashrender said in Deploying a password manager product to an entire company?:
my physicians don't use the same device all the time, they move constantly. Plus they won't even log out of the EHR when they leave an area, why would they bother to log out of LP?
Because, I don't know, HIPAA?
-
@scottalanmiller said in Deploying a password manager product to an entire company?:
@Dashrender said in Deploying a password manager product to an entire company?:
my physicians don't use the same device all the time, they move constantly. Plus they won't even log out of the EHR when they leave an area, why would they bother to log out of LP?
Because, I don't know, HIPAA?
Don't get me started.
-
@Dashrender said in Deploying a password manager product to an entire company?:
@scottalanmiller said in Deploying a password manager product to an entire company?:
@Dashrender said in Deploying a password manager product to an entire company?:
my physicians don't use the same device all the time, they move constantly. Plus they won't even log out of the EHR when they leave an area, why would they bother to log out of LP?
Because, I don't know, HIPAA?
Don't get me started.
Why does HIPAA never do audits? I'm so upset that the government made a security standard so low, and then even ruins that by having zero enforcement.
-
@Dashrender said in Deploying a password manager product to an entire company?:
@scottalanmiller said in Deploying a password manager product to an entire company?:
@Dashrender said in Deploying a password manager product to an entire company?:
my physicians don't use the same device all the time, they move constantly. Plus they won't even log out of the EHR when they leave an area, why would they bother to log out of LP?
Because, I don't know, HIPAA?
Don't get me started.
Drs who practice out-and-out hate HIPAA - borderline don't give a shit about your privacy... they care about having whatever, whenever, as easily as possible. Many of them don't see the benefit to privacy/security.
-
@scottalanmiller said in Deploying a password manager product to an entire company?:
@Dashrender said in Deploying a password manager product to an entire company?:
my physicians don't use the same device all the time, they move constantly. Plus they won't even log out of the EHR when they leave an area, why would they bother to log out of LP?
Because, I don't know, HIPAA?
hahaha that's funny.
-
@Dashrender said in Deploying a password manager product to an entire company?:
I have started a slow rollout of this at my company. It's not going very well for multiple reasons.
1) My boss doesn't trust having all of her passwords in a password manager - she thinks it will be hacked.
2) My physicians don't use the same device all the time, they move constantly. Plus they won't even log out of the EHR when they leave an area, why would they bother to log out of LP?
3) My fraking EHR does its password changes in a popup window that LP can't see into, so LP's password change mechanism doesn't work, forcing users to change it manually, then update the vault manually.
4) Our timeclock provider (web based) requires three pieces of information when logging in (username, password, last 4 of SSN). LP has a very hard time reading the field names correctly and thus storing the password and SSN correctly. It normally takes me 15 mins to get that working for users (deleting the vault entry, manually updating specific fields, sometimes deleting fields and re-adding them, etc.).
5) LP won't fill out passwords for sites/applications inside a Citrix session.
6) Not sure this is an issue anymore, but LP being installed into the browser had an adverse effect on performance in one area of our EHR; removing it, the timeout issue was gone. Found no way to tell LP to ignore the page, yet still allow LP to be used for the EHR main logon. (And not sure there was a way to completely disengage LP on any given site at all.)
Now perhaps a different password manager would get around most or all of these problems... but I haven't had time to look into it. Of course, a different password manager won't solve 1 or 2.
I feel your struggle. At least for 1, LP offers some nice plain English security descriptions of their service, and for 2 you can force users to only be logged onto one device at a time as a rule (I think there's a timeout setting as well).
-
@Dashrender said in Deploying a password manager product to an entire company?:
@Dashrender said in Deploying a password manager product to an entire company?:
@scottalanmiller said in Deploying a password manager product to an entire company?:
@Dashrender said in Deploying a password manager product to an entire company?:
my physicians don't use the same device all the time, they move constantly. Plus they won't even log out of the EHR when they leave an area, why would they bother to log out of LP?
Because, I don't know, HIPAA?
Don't get me started.
Drs who practice out-and-out hate HIPAA - borderline don't give a shit about your privacy... they care about having whatever, whenever, as easily as possible. Many of them don't see the benefit to privacy/security.
I did a camera installation for a doctor, purchased from CostCo - maybe $350, because HIPAA. Checked his office PCs. All running XP, transacting over the internet after 7 had been out for over 5 years. Got him a quote for all 8 workstations updated to 7 and a mini server with backups for around $8k. He turned red, choked and almost died on the spot.
-
@DarienA said in Deploying a password manager product to an entire company?:
@Dashrender said in Deploying a password manager product to an entire company?:
I have started a slow rollout of this at my company. It's not going very well for multiple reasons.
1) My boss doesn't trust having all of her passwords in a password manager - she thinks it will be hacked.
2) My physicians don't use the same device all the time, they move constantly. Plus they won't even log out of the EHR when they leave an area, why would they bother to log out of LP?
3) My fraking EHR does its password changes in a popup window that LP can't see into, so LP's password change mechanism doesn't work, forcing users to change it manually, then update the vault manually.
4) Our timeclock provider (web based) requires three pieces of information when logging in (username, password, last 4 of SSN). LP has a very hard time reading the field names correctly and thus storing the password and SSN correctly. It normally takes me 15 mins to get that working for users (deleting the vault entry, manually updating specific fields, sometimes deleting fields and re-adding them, etc.).
5) LP won't fill out passwords for sites/applications inside a Citrix session.
6) Not sure this is an issue anymore, but LP being installed into the browser had an adverse effect on performance in one area of our EHR; removing it, the timeout issue was gone. Found no way to tell LP to ignore the page, yet still allow LP to be used for the EHR main logon. (And not sure there was a way to completely disengage LP on any given site at all.)
Now perhaps a different password manager would get around most or all of these problems... but I haven't had time to look into it. Of course, a different password manager won't solve 1 or 2.
I feel your struggle. At least for 1, LP offers some nice plain English security descriptions of their service, and for 2 you can force users to only be logged onto one device at a time as a rule (I think there's a timeout setting as well).
Because my manager/boss doesn't like it - and the doctors will refuse to use it due to using literally dozens of computers, many of which we do not manage, so LP won't be on them - there is no way management/the board would approve purchasing LP Enterprise for staff.