Although storing passwords in plaintext anywhere online is fundamentally the opposite of security, routine data breaches at some of the world’s biggest companies haven’t dissuaded some users from engaging in this obviously terrible practice.
Case in point: As Vocativ reported on Thursday, the company behind Trello, the popular workplace app, was forced to implement privacy protections on some users’ behalf due to their own total lack of regard for basic security controls.
First, Trello is a handy web-based app best described as a tool for organization and collaboration. It’s a convenient way to manage big projects by creating lists, sharing documents and assigning tasks. A newsroom, for example, might use a Trello “board” to keep track of what reporters are working on; editors can use it to assign articles and writers can use it to file them. Each board has a visibility setting: a private board, the default, can be seen only by the members invited to it, while a public board can be seen by anyone with the link and picked up by search engines. If you can’t seem to get organized and stay on task, give it a whirl.
Trello is absolutely a terrible way, however, to store and share passwords, which is what a lot of people have apparently been using it for. Shame!
According to Vocativ, this presents a serious problem: a Google search for “passwords” restricted to Trello’s website (a site:trello.com query) turned up credentials stored by a small portion of Trello’s user base. A search engine can only index boards that are public, so every one of those boards had been switched away from the private default by whoever set it up. More shame!
Trello attempted to help these naive, if not negligent, users by switching their boards back to private for them. “Trello recently identified these boards and has taken steps to change their boards to private,” the company said. But this did not immediately fix the problem: Google refreshes its index on its own schedule, so even after the boards were locked down a search still displayed stored usernames and passwords in the short snippet offered below each result. (Warning: Logging into a system you’re not authorized to access may result in your arrest.)
“Trello takes user privacy very seriously and all Trello boards are private by default,” a Trello spokesperson told Gizmodo. “In a select few cases, some users changed the privacy settings on their boards to public and thus made the information on those boards publicly available to search. Trello recently identified these boards and has taken steps to change their boards to private and uncache their data from Google.”
It’s not immediately clear how quickly this problem will be resolved, but several companies reached by Vocativ had managed to resolve the issue before the report went live. If you are one of the people using Trello to store lists of passwords, stop it, and treat every credential that sat on a public board as compromised: making the board private hides it from now on but does nothing about copies taken while it was public, and a search engine cache can outlive the board. Go change those passwords.
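The two chores above, finding boards that are public and hold credentials, then listing what has to be rotated, are easy to script against your own workspace rather than waiting for a reporter to do it with Google. The following is an added example and is not code from the article or from Trello. It assumes the layout of Trello’s board JSON export (a top-level name, prefs.permissionLevel set to private, org or public, and a cards list whose entries carry name, desc and closed); the regexes are the author’s own heuristics, and the sample boards and credentials are constructed for the demonstration.

```python
"""Audit Trello board exports for public boards that carry credentials.

Added example, not part of the article or of Trello's own tooling.  Assumes
the shape of Trello's "Export as JSON" board file: ``name``,
``prefs.permissionLevel`` (private / org / public) and a ``cards`` list whose
entries have ``name``, ``desc`` and ``closed``.  Sample data is constructed.
"""
import json
import re

# Heuristics for "this card holds a secret, not a task".  Deliberately broad:
# a false positive costs a minute of review, a miss costs an account.
CREDENTIAL_PATTERNS = [
    ("password_field",
     re.compile(r"\b(?:pass(?:word|wd|code)?|pwd)\s*[:=]\s*\S+", re.I)),
    ("username_and_password",
     re.compile(r"\b(?:user(?:name)?|login)\s*[:=].*?\b(?:pass(?:word)?|pwd)\s*[:=]", re.I | re.S)),
    ("api_key",
     re.compile(r"\b(?:api[_-]?key|secret|token)\s*[:=]\s*[A-Za-z0-9_\-]{8,}", re.I)),
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]


def credential_hits(text):
    """Return the labels of every credential pattern that matches ``text``."""
    return [label for label, rx in CREDENTIAL_PATTERNS if rx.search(text)]


def audit_board(board):
    """Scan one exported board.

    ``exposed`` is True only when the board is public AND a card matched: a
    private board full of passwords is still bad practice, but a search engine
    cannot index it.  Archived (closed) cards are skipped because they are not
    shown on the board.
    """
    visibility = board.get("prefs", {}).get("permissionLevel", "private")
    findings = []
    for card in board.get("cards", []):
        if card.get("closed"):
            continue
        blob = "{}\n{}".format(card.get("name", ""), card.get("desc", ""))
        hits = credential_hits(blob)
        if hits:
            findings.append({"card": card.get("name", ""), "patterns": hits})
    return {
        "board": board.get("name", ""),
        "visibility": visibility,
        "findings": findings,
        "exposed": visibility == "public" and bool(findings),
    }


def audit_exports(boards):
    """Audit several exports; return only boards needing action, public first.

    Credentials on a public board must be treated as already compromised and
    rotated, not merely hidden, so those boards sort to the top.
    """
    reports = [audit_board(b) for b in boards]
    actionable = [r for r in reports if r["findings"]]
    return sorted(actionable, key=lambda r: not r["exposed"])


# Constructed sample exports: no real boards, no real credentials.
SAMPLE_EXPORTS = json.loads(r'''
[
  {"name": "Newsroom assignments",
   "prefs": {"permissionLevel": "org"},
   "cards": [{"name": "Draft the election explainer", "desc": "Due Friday", "closed": false}]},
  {"name": "Shared logins",
   "prefs": {"permissionLevel": "public"},
   "cards": [
     {"name": "CMS admin", "desc": "user: editor\npassword: hunter2", "closed": false},
     {"name": "Old FTP", "desc": "pass=letmein", "closed": true},
     {"name": "Analytics", "desc": "api_key=abcdef1234567890", "closed": false}
   ]},
  {"name": "Ops secrets (private)",
   "prefs": {"permissionLevel": "private"},
   "cards": [{"name": "Deploy key", "desc": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...", "closed": false}]}
]
''')


if __name__ == "__main__":
    for report in audit_exports(SAMPLE_EXPORTS):
        status = "EXPOSED (public)" if report["exposed"] else "not public ({})".format(report["visibility"])
        print("{}: {}".format(report["board"], status))
        for f in report["findings"]:
            print("  - {!r} matched {}".format(f["card"], ", ".join(f["patterns"])))
```

Run it against the JSON files you export from each board; every card the public board reports is a credential to rotate, and the private-board hits are a reason to move the secret somewhere built for it.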
If you’re looking for a better way to share passwords among your employees, the answer is, well, don’t. Several identity management services offer single sign-on (SSO) instead. Simply put, each employee gets a single, unique login to an identity provider, which then vouches for them to the applications they are allowed to use, as opposed to handing them dozens of master credentials to everything your company or organization holds dear. The few secrets that genuinely must be shared, such as a service account, belong in a password manager with per-user access and an audit trail, not on a card.
For a good SSO application, give Okta a try. I would advise you, however, to avoid OneLogin right now, as the service is—once again—having trouble with its own internal security.
[Vocativ]