No, this isn’t another article about how to create a strong password, although I do recommend the Keyser Söze approach. Simply look around the room, find an object and make that your password with one capital letter, a number, and a symbol–but I digress. What I’m talking about are the tools we use at the agency that enable clients to securely share credentials with us and how we store them once they arrive.
SSL is your friend
SSL (Secure Socket Layer) has been around a long time and basic certificates are now widely available for free. SSL “certs” are what encrypt your information when you do online banking but they won’t give you minty fresh breath (please excuse the Dad joke). At 2:45Tech, we have set up an encrypted form where the data is scrambled before it is sent to our server. Easy enough, right? Here’s the part some people get wrong. Make sure the admin email that alerts you to the form submission doesn’t contain any of the credentials. Email, the least secure technology of on Earth, is not where you want this information floating around. What we do is pass the client’s name in the admin email along with a secure link back to the server. This way, you have 360-degree encryption making as hard to hack as your bank account.
I have my client’s credentials. Now what?
Once we receive client credentials through our encrypted form we immediately retrieve it and put it in our password vault. We use 1Password and have for several years. Each client gets a vault and access is managed on a need to know basis with our staff. Once we squirrel the info away we delete the entry in the WordPress/Gravity Forms database so curious admins won’t see them later. Gotta tie up those loose ends, ya know?
I didn’t intend this article to be a software review but I will say we narrowed our decision down to 1Password and LastPass. I’m sure there are many sophisticated solutions out there now but at the time these were the contenders. We chose 1Password because we liked the user interface more and the data lived locally while syncing to other devices via Dropbox. LastPass was cloud-based only, which made us nervous at the time but the enterprise version of 1Password works that way now yet still lets you keep a local version of your data.
If you are a 2:45Tech client, rest assured that the sharing and storage of your highly sensitive credentials are in secure hands. Now, stop using spreadsheets and post-it notes and get yourself a proper password manager and I promise you will sleep a little bit easier.