Re: Tracking Passwords or People with Passwords to Critical Systems (Sharon Villines)
From: Jay KapLon (JayKapLon.org)
Date: Tue, 27 Jun 2023 03:38:03 -0700 (PDT)
> From: Sharon Villines <sharon [at] sharonvillines.com>
> Subject: Re: [C-L]_ Tracking Passwords or People with Passwords to Critical 
> Systems
> Date: June 26, 2023 at 2:38:21 PM EDT
> To: Cohousing-L <cohousing-l [at] cohousing.org>
> 
> 
> Jay, thank you for this response. Excellent solutions.
> 
> Aside from financial records from which hackers could steal money, 
> corporate/military security complicates community functioning beyond 
> reasoning. But what level of security is appropriate for a neighborhood 
> network that is sharing recipes for pecan pie, complaints about the dumpster 
> being too tall, and whether signs are needed or not?

Sharon, I think your experiences would echo a lot of those of many technical 
people in cohousing, and other volunteer groups, around passwords. Definitely 
there are credential practices that need to be tailored to cohousing 
expectations and, importantly, cohousing needs and realities.

After the always frustrating startup work, good use of a password manager can 
ease a lot of the frustrations you list. As you know and stated, they can 
automatically create, fill in, and remember good passwords…being ones like 
vbr4#aU7x#JT^Pm^k33j. (If you are never typing a password there is no need to 
have something you can type.) A password manager can share passwords in a more 
secure, and less error-prone, way than face-to-face. They allow anyone in the 
group sharing the password to change the password at any time without anyone 
else even needing to care. (The changed password will be in everyone’s password 
manager account the next time they try to log in to the site that was changed.)

Password managers can now even use fingerprints or faces as the master login 
for a user, thus eliminating the need for the general members to remember 
anything to do with the community’s passwords. Everything stays in the password 
manager, is shared with the people who need that specific password, and 
passwords can all be long and random. You could even change them as often as 
desired, but there really isn’t much use in changing passwords on a schedule. 
(Changing passwords only helps if the website servers themselves are hacked and 
the password files taken, but 2-factor authentication solves that issue.)

Lots of passwords just don’t matter, as you say. But there are plenty that do. 
The association’s bank logins, credentials for the domain names, the ones to 
your security system; I’m sure a review of the credentials list for the 
association could find a number that someone could make a mess of if breached. 
But a lot of the ones we share in the password manager are just so people don’t 
have to ask all the time…what is the password to this site?

My personal motto is: if you can remember your passwords, you are doing it 
wrong.

-Jay
