Although storing passwords in plaintext anywhere online is fundamentally the opposite of security, routine data breaches at some of the world’s biggest companies haven’t dissuaded some users from engaging in this obviously terrible practice.
Image: Jim Cook
Case in point: As Vocativ reported on Thursday, the company behind Trello, the popular workplace app, was forced to implement privacy protections on some users’ behalf due to their own total lack of regard for basic security controls.
First, Trello is a handy web-based app best described as a tool for organisation and collaboration. It’s a convenient way to manage big projects by creating lists, sharing documents and assigning tasks. A newsroom, for example, might use a Trello “board” to keep track of what reporters are working on; editors can use it to assign articles and writers can use it to file them. And, of course, these boards can be protected with a password. If you can’t seem to get organised and stay on task, give it a whirl.
Trello is absolutely a terrible way, however, to store and share passwords, which is what a lot of people have apparently been using it for. Shame!
According to Vocativ, this has presented a serious problem for the company: A Google search for “passwords” restricted to Trello’s website revealed countless credentials stored by a foolhardy portion of Trello’s user base. Many of these boards were not themselves secured by a password. More shame!
Trello attempted to help these naive, if not negligent, users by password protecting their boards for them. “Trello recently identified these boards and has taken steps to change their boards to private,” the company said. But this did not immediately fix the problem. A Google search will still display stored usernames and passwords in the short descriptions offered below each result. (Warning: Logging into a system you’re not authorised to access may result in your arrest.)
It’s not immediately clear how quickly this problem will be resolved, but several companies reached by Vocativ had managed to resolve the issue before the report went live. If you are one of the people using Trello to store lists of passwords, stop it right now and go change your passwords.
If you’re looking for a better way to share passwords among your employees the answer is, well, don’t. There are several good Secure Identity Management applications online offering a single sign-on (SSO) option instead. Simply put, you can give each of your employees a single, unique password granting them access to numerous applications. This as opposed to handing them dozens of master credentials to everything your company or organisation holds dear.
For a good SSO application, give Okta a try. I would advise you, however, to avoid OneLogin right now, as the service is — once again — having trouble with its own internal security.
[Vocativ]