As I recently posted, the talk by Tim Nash really got me thinking about security in a big way, and I have been looking at ways to improve the security of all the sites my company maintains.
Every site is already kept up to date with weekly update cycles, backed up at least once every 24 hours to at least 2 different locations and scanned daily for vulnerabilities. Pretty much covered from that point of view.
So I started to look at everything else, starting with the most obvious – passwords. When carrying out maintenance or logging into client sites I just click the WP Admin button in ManageWP (our preferred control panel) and that logs me in automatically, so I wasn’t 100% sure which password was being used.
This had to change.
I wanted to make sure that every site had a unique, strong password and that the password was stored somewhere safe – so not a spreadsheet on a computer in the office. I opted for 1Password as the password manager that would be used within the company. I chose it because I could create different vaults for different things, have a private vault that only I could see, and set different permissions on different vaults for different people. This means that passwords for the accounts package and payroll are only available to myself and the accountant, while other passwords can be shared as required.
The other great feature of 1Password is ‘Watchtower’. As you can see from the screenshot below, it shows some key stats, namely:
- Compromised Passwords
- Vulnerable Passwords
- Weak Passwords
- Re-used Passwords
At a glance I can now check that all the passwords we are using are secure and not compromised or vulnerable.
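To show what three of those Watchtower categories actually check for, here is an added example (not part of the original post and not 1Password’s own code) that audits a small constructed credential export for compromised, weak and re-used passwords; the site names, passwords, breach list and 60-bit threshold are all assumptions made up for the example.

```python
"""Audit a credential export for Watchtower-style findings.

Added example, not from the original post or from 1Password: the credential
list and the breached-hash set below are constructed sample data.
"""
import hashlib
import math
import string
from collections import Counter, defaultdict

# Constructed sample export: (site, username, password). Not real credentials.
CREDENTIALS = [
    ("client-a.example", "admin", "Tr0ub4dor&3"),
    ("client-b.example", "admin", "Tr0ub4dor&3"),           # re-used
    ("client-c.example", "editor", "password123"),           # weak + breached
    ("client-d.example", "admin", "cK9#vLp2!qR7zW4mX8nB"),
]

# Constructed stand-in for a breach corpus: SHA-1 digests of known-leaked
# passwords, the form a k-anonymity range lookup returns (digests, not text).
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("password123", "letmein", "qwerty")}


def estimate_entropy_bits(pw: str) -> float:
    """Rough strength estimate: log2(alphabet size) per character,
    where the alphabet is the union of character classes actually used."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def audit(creds, min_bits=60.0):
    """Return {site: [findings]} for every site with at least one issue."""
    findings = defaultdict(list)
    uses = Counter(pw for _, _, pw in creds)      # how many sites share each pw
    for site, _, pw in creds:
        if hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1:
            findings[site].append("compromised")
        if estimate_entropy_bits(pw) < min_bits:
            findings[site].append("weak")
        if uses[pw] > 1:
            findings[site].append("re-used")
    return dict(findings)


if __name__ == "__main__":
    for site, issues in audit(CREDENTIALS).items():
        print(f"{site}: {', '.join(issues)}")
```

Running it flags client-a and client-b as sharing a password and client-c as both weak and present in the breach set, while client-d is clean.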
How we implemented it
After setting up the account (I chose a Team subscription) and adding the users, I created a new vault to store all the usernames and passwords. I then set up sharing permissions for those who needed them – namely me and Theo, as he also works on the Care Plans.
Between us we set about changing all the passwords, generating a new password with 1Password and storing the password in the Vault:
Although we still log in via ManageWP, I am 100% confident, thanks to the Watchtower feature, that no two customer websites share the same password.
I have also taken this one stage further and reset all the passwords on all the services, servers and web logins I use – not just company accounts but personal ones too.
You can find out more about 1Password on their website https://1password.com/.