I talk a lot on Twitter about my password manager. I use 1Password and love it. It auto-generates random passwords for me of any length I choose, auto-fills web forms for me, and remembers both the web page and the hideously complex password I have chosen. It automatically synchronizes across all my computers so I am never without all my current passwords. The file is encrypted with AES-128 and they handle encryption keys securely, so I believe the product is pretty secure. Now, rather than having a couple of good passwords for the handful of sites I care about – and a single generic password for the 300 sites I don’t – every single one of my web accounts has its own strong password. Or I should say as strong a password as each site allows. I always worried about having the application crash and losing every single one of my passwords. Irrational fear. I back it up like any other application. In hindsight I can’t figure out what took me so long to change over.

Another irrational aspect of passwords dawned on me today: we automate password administration and enforcement, but require users to perform a manual process. Why?

There are some basic problems with people and passwords:

  • We don’t want random passwords – too hard to remember.
  • We don’t want to choose long passwords – too hard to remember.
  • We don’t like typing long passwords. Frankly they are a pain in the ass to type in, and a triple pain in the ass if you mistype the first attempt.
  • We don’t want to rotate passwords – it means I have to learn three or four long passwords just for work.
  • We hate calling IT to reset passwords – because that takes more time out of our day. And the guy in IT treats us like dorks every time we call.

Ultimately this is all because we suck at remembering passwords. Worse, we don’t care about the passwords – they are a necessary evil. Passwords are something we have to do. So why not automate the whole mess – especially for corporate IT users?

Today we centralize password policies and automate enforcement of those policies (length, character requirements, expiration, etc.). There is no reason we can’t automate the client side as well, but enterprise password managers are rare as hen’s teeth. For corporate environments we could even embed advanced capabilities with virtual RSA tokens, access tokens for shared services without shared credentials, or even SAML capabilities. And we could allow each user to maintain individual passwords, with separate password repositories in case a single user account is compromised. I acknowledge that it’s conjecture on my part, but I am willing to bet that automation will reduce user error and ultimately IT’s password management burden. I am not aware of a password management product that can fully support enterprises today – but several are not far off.
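As an added illustration of the client-side automation argued for above (example code written for this post, not from 1Password or any product named here): a hypothetical `PasswordPolicy` stands in for what the central policy enforces (length window, required character classes), `meets_policy` is the enforcement check, and `generate_password` draws a CSPRNG password at the longest length the policy allows, so the user never types or remembers it and it is always as strong as the site permits.

```python
import math
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Constraints a site or central corporate policy imposes (constructed, hypothetical)."""
    min_length: int
    max_length: int
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    symbols: str = "!@#$%^&*()-_=+[]{};:,.?/"  # empty string means the site forbids symbols


def _required_classes(policy: PasswordPolicy) -> list:
    classes = [(policy.require_upper, string.ascii_uppercase),
               (policy.require_lower, string.ascii_lowercase),
               (policy.require_digit, string.digits),
               (policy.require_symbol, policy.symbols)]
    return [cls for required, cls in classes if required]


def meets_policy(password: str, policy: PasswordPolicy) -> bool:
    """Enforcement side: length window plus every required character class present."""
    if not policy.min_length <= len(password) <= policy.max_length:
        return False
    return all(any(c in cls for c in password) for cls in _required_classes(policy))


def entropy_bits(policy: PasswordPolicy) -> float:
    """Entropy of a uniformly random password at the longest length the policy allows."""
    alphabet = string.ascii_letters + string.digits + policy.symbols
    return policy.max_length * math.log2(len(alphabet))


def generate_password(policy: PasswordPolicy) -> str:
    """Client side: CSPRNG draw at max_length, rejecting draws that miss a required class."""
    required = _required_classes(policy)
    if any(cls == "" for cls in required) or len(required) > policy.max_length:
        raise ValueError("policy cannot be satisfied")  # e.g. symbols required but forbidden
    alphabet = string.ascii_letters + string.digits + policy.symbols
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.max_length))
        if meets_policy(candidate, policy):
            return candidate


if __name__ == "__main__":
    corporate = PasswordPolicy(min_length=12, max_length=64)
    legacy = PasswordPolicy(min_length=8, max_length=12, require_symbol=False, symbols="")
    for name, pol in (("corporate", corporate), ("legacy-site", legacy)):
        pw = generate_password(pol)
        print(f"{name}: {pw} ({entropy_bits(pol):.0f} bits, ok={meets_policy(pw, pol)})")
```

The two constructed policies show the "as strong as each site allows" point: the same generator yields roughly 411 bits for the corporate policy and only about 71 bits for a legacy site capped at 12 alphanumerics.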

I think it’s time we see more password managers in corporate environments.