Secure Password Sharing: The Only Guide You'll Need

Weak password security still wreaks havoc among Internet citizens in 2022. A study led by Google revealed that 40% of Americans reported a data breach in 2019, half of them losing money in the process. And yet, 43% willingly shared their password with someone else: secure password sharing has yet to be mainstream.

At Onboardbase, we help developers share app secrets and credentials with an online password manager, so we have plenty to tell you about securing your passwords online. Having your passwords leaked is never a fun experience. You can lose customers and your reputation, and being targeted by a data breach means going through all sorts of time and money-consuming legal procedures: prevention is better than cure! The following article walks you through tips and tricks to never have to worry about compromised passwords in collaborative settings ever again.

What Is Secure Password Sharing

Secure password sharing is a set of security best practices to ensure your passwords stay accessible only to authorized colleagues.

According to Cisco, phishing is responsible for 90% of data breaches: human error is the main source of security threats. Fortunately, this is easily avoidable. Secure password sharing relies on tools like password managers and policies like regular password changes to prevent phishing attacks or accidental leaks from happening.

Why Secure Password Sharing

A study by Asana featuring 10,000 knowledge workers shows that employees use 9 business apps per day on average. Using passwords is part of daily work life. Sharing them with colleagues is still a reality in today’s collaborative environment, especially as a software developer.

But security remains a must. The risk of a data breach is intolerable, as it would take thousands of dollars in time, wages, and tools to fix. Password leaks being the main reason for data breaches, it is vital to prevent them by setting up the right tools and procedures for the whole company to use.

Sharing a password with the wrong tool is not only a threat to security but also an inconvenient time-waster:  36% of US employees write their passwords on a piece of paper! A regular worker has passwords scattered everywhere, and 75% of them declare feeling frustrated while keeping track of all of them. Secure password sharing, using one central location to store all passwords, can also solve this.

How To Share Passwords Securely

1. Strong Password Generator

24% of Americans have used a variety of common passwords like 123456. In other words, if you were offered all the emails of a given website, you could in theory brute-force 24% of the accounts by simply entering these passwords. No matter how hard you try to secure the way you share passwords, you still need strong passwords to begin with.

A strong password is a password that can’t be guessed using brute-force algorithms in a realistic amount of time. If a password is only composed of numbers and 5 characters long, you’d just need to try 59049 (9^5) combinations to break it. Trivial with a computer. If the password contained numbers, uppercase letters, lowercase letters, and symbols, and was 9 characters long, you would need 3 weeks to try every combination.

Here is a strong password generator in only 10 lines of Javascript code:

const password_generator = () => {
    const length = 10,
        charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!?,.;/:-=+{}",
        res = "";
    const size = charset.length
    for (let i = 0 ; i < length ; i++) {
        res += charset.charAt(Math.floor(Math.random() * size));
    }
    return res;
}

And of course, reusing passwords should be prohibited as they would represent a single source of failure: 66% of surveyed workers use the same password for more than one online account.

2. Password Storage & Encryption

Without an appropriate storage method, password strength is worthless. Having passwords on pieces of paper scattered around the office isn’t secure. Sending them in plain text through the file, email, or Slack doesn’t work either as anybody with access to your computer can see the passwords. What you need is a virtual vault―a database storing encrypted versions of your passwords.

Of course, you don’t want to store passwords in plain text for anybody with database access to see: you need cryptography. There are dozens of encryption methods out there, but the most commonly used is AES ―short for Advanced Encryption Standard, also known as Rijndael. It’s the standard encryption method used by the US federal government for military-grade protection of top-secret information, so you know it’s solid.

Each programming language offers its own implementation of the AES algorithm. In Javascript, for example, you have the AES 256 package that implements AES using a 256-bit key:

import aes256 from 'aes256'

const key = 'a passphrase'
const my_password = 'a secret password'

const encryptedPassword = aes256.encrypt(key, my_password)
const decryptedPassword = aes256.decrypt(key, encryptedPassword)

Without going into the details of the algorithm, given a secret passphrase known as “key” to encrypt/decrypt the password, the byte content of the password is transformed using a mathematical function (we say the password is hashed). Anybody with the key can decrypt the password, so you need it to be hidden from everyone―only the software program should be able to access it.

That’s what we use at Onboardbase to store secrets since it’s virtually unbreakable, combined with RSA encryption to manage the keys.

3. Password Rotation & Invalidation

Changing your passwords regularly should be standard practice, and yet only 34% of people surveyed by Google change their passwords regularly. More preoccupying, only 45% would change their password following a security breach. Not only is it necessary to include a password rotation and invalidation strategy in your secure password sharing policy, but also to provide an administration panel to make sure people actually do it:

• Ask employees to change passwords once a year or right after a data leak - Sending automated emails doesn’t take much effort so it’s the first step.
• Remove inactive accounts - to reduce the potential attack surface hackers can leverage. Make it a part of the offboarding process or review your tools once a month.
• Change your passwords after sharing them - Unsecure password sharing should automatically imply you changing your password after completing the transaction.

If your password manager has API access, you could even write a software program to automatically rotate your passwords on a monthly basis without the need for human intervention. It’s trivial to do using Onboardbase with the command line interface. All it takes is a single line to update all of your passwords in one go:

onboardbase secrets:update -p [PROJECT NAME] -e [ENVIRONMENT NAME] [SECRETS]

With SECRETS being a list of KEY=VALUE pairs separated by a space.

4. Password Injection & Passwordless Workflows

For developers, there are cases when you don’t even need to know the passwords to use them to connect to a third-party service: you can just inject them into your program at run time.

You’d typically use a .env file to store database logins or API keys to be integrated across the whole application. A .env file is simply a plain text file written in YAML (YAML Ain’t Markup Language) to define environment variables. The problem: sharing environment variables with fellow developers using a .env file aren’t secure―you can’t use Github or normal means of communication without generating security threats.

With a password manager like Onboardbase, you can inject passwords in software programs as environment variables in your CI/CD process without a .env file in just 3 commands.

After defining your password in your account dashboard, you can use Onboardbase CLI’s setup command to get started in a few seconds:

onboardbase setup

The command generates an onboardbase.yml file used to access the online vault:

setup:
	project: projectname
	environment: development

All you have left to do is to run the build command to inject password values from Onboardbase at runtime, removing the need to directly share passwords:

onboardbase build --command="your project's build command"

5. Context Awareness & Environment-specific Passwords

Having separate coding environments allows for seamless code releases throughout your product lifecycle, but it also means having different passwords for each environment. Not all passwords are equal: leaking a password used in a development environment has no impact on the company, whereas leaking production-grade passwords lead to terrible outcomes.

Properly testing and optimizing your development efforts is key to avoiding your code exposing security threats on your web server. Onboardbase makes it easy to add an extra layer of security by separating app secrets and login credentials by project environment. Onboardbase’s user interface also makes it easy to switch between several environments. You pick a project from your dashboard, define a new environment in a click, and navigate from one to another just as easily:

5 Password Managers For Password Sharing

Only 15% of US citizens use a password manager. But keep in mind resistance to change is real: if you want your collaborators to take secure password sharing seriously you need a centralized user interface where you can easily add and remove users without disrupting their workflow. Bonus point if you can even save them time and effort. That’s where password managers come in the picture.

1. Onboardbase

Description - Onboardbase is a collaborative and secure workspace for dev teams to share app secrets and credentials.

Pricing - Free for 2 users, then $6 per user per month for up to 20 users.

Pros:

• Simple user dashboard
• Collaborative and multi-environment features
• Designed for software developers with a CLI and SDKs
• Free tier

Cons:

• No built-in password generator

2. Lastpass

Description - Password manager and vault app with single-sign-on.

Pricing - $4 per user per month up to 50 users, 14-day free trial.

Pros:

• Responsive dashboard
• Password generation
• Mobile app & browser extensions
• 2FA authentication

Cons:

• No API access on the Teams plan
• No password injection feature

3. Passcamp

Description - Password manager that protects the privacy and safety of your company’s data.

Pricing - $4 per month per user for up to 100 users.

Pros:

• Password generation
• Web app & browser extensions
• 2FA authentication
• Password change history

Cons:

• No free trial
• No API access on the Teams plan
• No password injection feature

4. KeePass

Description - Free, open-source, lightweight and easy-to-use password manager.

Pricing - Free but you’ll need to pay for a web server to host it for your company.

Pros:

• Free
• Highly customizable with data exports
• Portable desktop app, no install needed
• Strong password generator

Cons:

• Old user interface
• A bit technical to use
• Complex password sharing requiring to install and manage a web server

5. Nordpass

Description - NordPass Business is an advanced business password manager to mitigate risks, improve productivity, and be prepared to meet cyber insurance requirements.

Pricing - $4 per user monthly up to 250 users.

Pros:

• Affiliated to NordVPN
• Easy-to-use dashboard
• ISO 27001 certified
• Data Breach Scanner

Cons:

• Need to schedule a demo call for the free trial
• Hard to integrate in a custom workflow

Share Your Passwords Using Onboardbase

Onboardbase makes developers’ lives easier by making sharing passwords simple and delightful. It’s the only tool you’ll need for secure password sharing throughout the whole software development lifecycle. A dashboard centralizes app configurations for the whole team, and a command-line interface is available to integrate passwords in any workflow. The best part? You can get started for free in a minute.