Security

  • 1.  Password Manager Buy-In - and browser controls

    Posted Jun 13, 2023 09:20 AM

    I'm in the process of deploying a password manager (1Password) to staff at my org.  We switched over from LastPass for obvious reasons.  Of our approximately 65 staff, we only had 10 staff using LastPass for the purpose of business continuity - sharing passwords of critical systems using a password manager administered from a centralized console. 

    Now that those 10 are switched over - I am extending the project to all staff - upon the request of senior management.  The more I play with 1Password, the more I like it - and the more I think that a password manager (whichever you chose) can contribute to creating a culture of security.  A big bonus is that staff are extended a free family plan as part of the subscription.  I hear that Keeper is also good.  

    I've crafted some promotional emails and invitations - but NOT getting a lot of traction for folks to sign up.  I'm considering the possibility of controlling the password management capabilities of Edge and Chrome to make the transition to a password manager more forced - assuming that I'm not run out of town in the process.  The fact is that with both systems turned on (browser password manager and external password manager) there's confusion that makes the experience poorer.  

    So the question to the group is - have you tried something like this?  Have you been able to roll out a password manager and get all staff to sign up for it?  If so - what was the critical factor?

    BTW - here's the 1 minute Ryan Reynolds ad for 1Password.  It's worth it:  Cybersecurity and Skin Care - YouTube



    ------------------------------
    Adam Kuhn
    Director, IT
    202-772-3002
    akuhn@fia.org
    ------------------------------


  • 2.  RE: Password Manager Buy-In - and browser controls

    Posted Jun 14, 2023 08:38 AM

    Adam,

    So glad to hear you're headed down the road to a full enterprise rollout of a PW vault.  I couldn't support this more as it provides three (at least) critical functions that are usually very much in need at associations.

    First, it should stop staff from storing PWs in files.  I always recommend using a tool to do a PW file search across the network after getting the vault up and running to ensure everyone has migrated.  Secondly, it should train folks to stop creating weak passwords they feel they must remember and to start generating strong passwords that no one remembers.  Critical to good security.  Lastly, it also stops the sharing of passwords via email or Teams or whatever, as the vaults manage this as well.

    I like 1PW quite a bit, but I'm also a big fan of Bitwarden enterprise.  I do think the extended family plan is a nice bonus with 1PW - Bitwarden has a similar feature.

    Another feature I find very valuable for organizations is the secure mail Send function with Bitwarden.  This allows all enterprise users to easily send encrypted, secured emails.  Hey event department, let's start using that to send member, attendee, and registration files, OK? :)  1PW has a similar feature, but it's through an integration with FastMail. 

    Regarding shutting down browser PW saving, I believe this is a must.  It's way too confusing to introduce a browser-integrated vault without turning off the browser functions.  This does mean, unfortunately, that extra help will be required to migrate users' PWs from their browser to the vault.  As far as causing a revolt, I suggest ensuring you have leadership support/buy-in.  They (either the CEO or the leadership team) should be the ones announcing to the company that this is going to happen and why it's important.  If they openly support it, the grumblings will be quieted (as much as possible).

    Good luck!

    Brian



    ------------------------------
    Brian Scott
    President / CIO
    ClearTone Consulting LLC
    Frederick MD
    678-643-5593
    ------------------------------
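As an added example (not from either poster), here is one way to do what both posts describe: turning off the built-in password saving in Chrome and Edge on Windows endpoints, with an audit step so you can confirm the setting actually landed before announcing the cutover. It writes the machine-wide `PasswordManagerEnabled` policy values that a Group Policy or Intune policy would otherwise set; the assumption is that editing the local policy registry keys is acceptable in your environment (at scale you would push the same value through GPO/ADMX) and that the script runs elevated.

```powershell
# Added example: enforce and audit the "PasswordManagerEnabled" browser policy.
# Assumption: local policy registry editing is allowed; run from an elevated shell.
$BrowserPolicies = @{
    'Chrome' = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    'Edge'   = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
}

function Get-BrowserPasswordManagerState {
    # One object per browser; Enforced is $true only when the policy value is 0.
    foreach ($name in $BrowserPolicies.Keys) {
        $path  = $BrowserPolicies[$name]
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'PasswordManagerEnabled' `
                        -ErrorAction SilentlyContinue).PasswordManagerEnabled
        }
        [pscustomobject]@{
            Browser  = $name
            Path     = $path
            Value    = $value          # $null means no policy: the user's own setting wins
            Enforced = ($value -eq 0)
        }
    }
}

function Disable-BrowserPasswordManager {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($name in $BrowserPolicies.Keys) {
        $path = $BrowserPolicies[$name]
        if ($PSCmdlet.ShouldProcess("$name ($path)", 'Set PasswordManagerEnabled = 0')) {
            if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
            # DWORD 0: the browser stops offering to save new passwords.
            # Browser-extension vaults (1Password, Bitwarden) are not affected by this policy.
            New-ItemProperty -Path $path -Name 'PasswordManagerEnabled' `
                -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
}

# Preview, enforce, then verify the result on this machine.
Disable-BrowserPasswordManager -WhatIf
Disable-BrowserPasswordManager
Get-BrowserPasswordManagerState | Format-Table -AutoSize
```

Run the audit function alone first across the fleet to see who still relies on the browser store, so those users get the migration help the second post mentions before enforcement goes live.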