SV reX
MegaDork
11/6/23 1:29 p.m.
My company is suddenly asking staff to load Keeper from Keeper Security. Apparently it's a password storage vault. They've never asked us to load any similar software.
My phone, my computer, my iPad do not belong to the company. They are my personal property, and cloud backups are done to my personal cloud storage.
I only use 1 password with the company. To log on to my emails. However, I use many other passwords (accessing bank accounts, apps, websites, etc)
Why should I allow this? Are there potential risks? Are there advantages?
I'm not trying to act like a Luddite, but this feels inappropriate. Plus, they supposedly want it done TODAY. (Not a fan of being forced with time pressures)
Password managers are, in general, a strong benefit for security purposes. They allow you to use a much stronger password because you're no longer dependent on being able to remember and type it out easily, and most of them come with a random password generator. Keeper also can act as an authenticator app for multi-factor authentication, which is a strong upgrade from SMS-based multi-factor authentication. My company uses 1Password for this purpose, and I use Bitwarden for my own personal stuff.
The biggest risk is that Keeper gets compromised, and your passwords along with it. This happened to LastPass, which is a competing product. Keeper does go into extensive detail about their architecture on their website, and SOC2 and FedRAMP certs are a big plus. I'll also note here that nowhere does Keeper mention any kind of Mobile Device Management capability, so it's not spying on you or anything, just keeping your passwords.
Considering that Keeper's Enterprise plan also allows you to use it for your personal passwords, I'd take the win.
After a while the plastic rings won't align when you slide them together...But you can still poke a hole in the plastic cover and inflate the clear plastic for maximum radical hijinks! Sorry.... what was the question?
I would recommend KeePass over whatever this Keeper thing is, it will do the same thing but likely better. KeePass is more of a file format than a program, there are many programs compatible with the file type. I use KeePassDX on Android and KeePassXC on Linux.
Is a computer required to do your job? Then they should buy one for you and any passwords used on it are all theirs. Personally there is no way my own tech gets any company required software loaded.
SV reX
MegaDork
11/6/23 5:53 p.m.
In reply to porschenut :
That's what I feel. I'm not comfortable giving someone else control over the passwords on my personal computer.
I don't know how Keeper works, but I am absolutely not ok with them managing passwords for my healthcare, financial, investments, apps, etc.
Yes, I need a computer. I have used my own for years (and they give me some $ each month for the use of it)
In reply to porschenut :
Yes. Installing any employer-provided admin or monitoring software on your personal devices gives them certain legal rights to your devices and any data you have on them.
SV reX
MegaDork
11/6/23 6:04 p.m.
In reply to nderwater :
Is a password keeper an admin or monitoring software?
SV reX
MegaDork
11/6/23 6:09 p.m.
Up to this point, the only company software I use is Outlook, Teams, and an app called Raken (which is web based, and lets me gather and save field info)
I also use MS Office suite provided by the company.
But they've never asked for anything that could track me or keep track of my passwords.
JThw8
UltimaDork
11/6/23 6:30 p.m.
Do all of your passwords have to go in it or can you just limit it to the company email password? If it's all then yeah that's a big hell no. If it's just company email then it would still be a hell no from me but I won't use a personal asset for work. I have 2 computers, 2 phones, etc. If you want to stick with just one then it may be reasonable for them to ask you to use it for the password to their system only. I still wouldn't like it.
SV reX
MegaDork
11/6/23 7:33 p.m.
In reply to JThw8 :
I'm not sure of that.
Apparently it has the capability to capture biometric passwords too (like fingerprints or face). That doesn't feel right.
SV reX
MegaDork
11/6/23 7:45 p.m.
Apparently I will need a Master Password to access anything in the Keeper vault.
So, I will need a password to access the one company password I have.
I have a slightly different deal since megacorp provides me with a phone and a laptop but we switched to a similar password generator / keeper deal a few months ago. We use one called SDO (secret double octopus). It actually makes logging in and keeping track of passwords much easier.
I wouldn't sweat it, especially if they are compensating you in some way for use of personal devices.
If they comp you for use of your pc just get a work computer. I do money management on my PC and would never share passwords or even bookmarked sites with an employer.
mtn
MegaDork
11/7/23 7:22 a.m.
SV reX said:
In reply to JThw8 :
I'm not sure of that.
Apparently it has the capability to capture biometric passwords too (like fingerprints or face). That doesn't feel right.
Your face is already out there. Who has access to it? Unknown. But it is definitely already out there. Relevant article to the facial biometrics, if not the topic itself.
I get where you're coming from. I made the decision in my last job to have a separate work phone and personal phone. They paid for the work phone obviously. But it was a mistake, for me. My reasons were quite similar to yours, with the additional "I want to leave the work phone on my desk when I'm not working", but I just can't manage having 2 phones in my life, at least not right now - this is coming from a mental health perspective.
Ultimately after I read every letter of the agreements and documentation, I came to the conclusion that they didn't actually have access to anything on my phone, and if they did, they were breaking the law. I had confirmed this with our legal department too.
If you're that concerned - and I don't blame you - I would push hard for a company provided phone/computer.
I use Keeper for work, and I also use Keeper for my personal stuff.
At work I have a couple dozen different passwords that are needed to get into vendor systems, our internal hardware, my e-mail, etc. I don't need to know any of them other than my computer log-on credentials and the password for Keeper. You can use Keeper entirely within a web browser (don't install anything) and just copy/paste user names and passwords from there.
If you install the app, or the browser plug-in, it doesn't give your employer any oversight and tin-hat level access, it's just a more convenient way of getting to your credentials when you need them.
On my phone, I leave Keeper logged in with my personal credentials (so that I can store things like my GRM password, and my gmail password, and my amazon password) but if I ever needed to access stuff for work, I'd log off my personal Keeper and log into my work Keeper. On my work machine I normally leave it logged in with my work account and then if I need any of my personal credentials I just use the Keeper website.
In short: for your work Keeper DON'T put in any of your personal passwords (youtube, gmail, xhamster, etc) and just use it to hold on to your work passwords.
The only things that the admins at work will be able to do are to disable your access to your Keeper, or to share/recover your saved passwords. So don't put anything into your work Keeper that you don't want them to see.
Old_Town said:
After awhile the plastic rings won't align when you slide them together...But you can still poke a hole in the plastic cover and inflate the clear plastic for maximum radical hijinks! Sorry.... what was the question?
I came here specifically for this content.
Great thread. Would read again.
SV reX
MegaDork
11/7/23 8:25 a.m.
In reply to the_machina :
Thank you. That's very helpful info.
JThw8
UltimaDork
11/7/23 6:05 p.m.
I should also note the company I work for is ULTRA paranoid on security and one of the first rules they have is no personal password vaults. They are all more of a security risk than a benefit. We do use a vault system for the infrastructure passwords but it's not quite the same animal. Companies that are pushing personal password vaults probably need a better security team.
SV reX
MegaDork
11/7/23 6:10 p.m.
In reply to JThw8 :
My company (and their IT company) are clearly lacking in their ability to manage IT security issues.
The last place I worked also had very tight security and we kept all work passwords in their centralized web-based password management system.
I work in healthcare and we use Keeper (I'm also in charge of security of said application). Work should give you 2 accounts, one for work and one for personal as part of the license agreement.
1. It is cloud-based primarily.
2. You can download an offline copy of your vault as well.
3. Sharing folders of accounts is super easy.
I have no complaints about it after learning the CLI administration of it all.
oh... don't ever forget your master password. They (Keeper) will claim it's unrecoverable.
If you have any more questions about the functionality, I'm happy to answer any more questions from an admin level.
Grtechguy said:
oh... don't ever forget your master password. They (Keeper) will claim it's unrecoverable.
I'd hope it really is unrecoverable, that would suggest that they're encrypting things properly.
Personal devices for personal use
Work devices for work use
If you need a phone for work, have them get you one or get a stipend to cover it.
If you need a laptop for work, same story
Me? I don't care about my work privacy because YOLO and I am a cheap bastard so I just use my work devices for everything. Haven't bought a computer or paid a cell phone bill in 12 years.