When Linux systems engineer Mark Miller first joined the NASA Goddard Space Flight Center, NASA Goddard was managing passwords with a tool called Cryptvault. While a ‘good enough’ tool, it was written in ColdFusion (CFML), was over 15 years old, and had been created by a developer who had long departed the organization. It was also locked into one system and had an associated encryption that was written for a limited 32-bit code base. When the time came for NASA Goddard to migrate away from other legacy systems, the IT team started looking for a replacement password management tool.
Identifying a secure, holistic way to share secure information and passwords was a critical task for teams at NASA Goddard. While government agencies have always been targets of cybercrime, particularly by nation-state actors, the 2022 SonicWall Cyber Threat Report showed a large increase in all forms of cyberattacks against the U.S. government. And, the link between weak passwords and data breaches is undeniable, with a succession of Verizon Data Breach Reports highlighting the connection. Real-world examples also prove illustrative: just look at SolarWinds and Colonial Pipeline for more evidence.
Mark’s team at NASA Goddard sought out a site that could support multiple users, offered an intuitive Web UI, and was easy to share. Also very critical was a platform that enabled local data storage. While cloud technology offers extensive benefits, it doesn’t give organizations control over their own local data. The need for local storage eliminated a lot of contenders because many password management vendors are only available in the cloud.
While the team considered building a password management tool in-house, it lacked the security experience and coding expertise to pull something together. Additionally, the development team was already committed to existing projects and didn’t have the bandwidth to take on more. Cost was also a major consideration. Enter Bitwarden.
Bitwarden met all of the requirements NASA needed. It offered new, unexpected features - such as search and a password generator/passphrase generator - and encrypted storage, along with a management backend.
In the event someone leaves the organization, Bitwarden offers an excellent way to transfer information to the replacement employee. It also created a culture of ‘process’, a huge boon for the IT team. Putting a process into password management means that it becomes second nature for the team, as they grow accustomed to inputting their passwords into the password manager in a coherent and organized fashion. It also obviated the need to save credentials across systems and browsers.
In the future, the team is eager to make use of the Bitwarden SSO enterprise integration. It is also considering whether organization devices - such as phones used onsite - are eligible for Bitwarden. Lastly, it is considering expansion possibilities for other NASA divisions.
“Passwords are here to stay,” said Miller. “They are not going anywhere. There are just too many service accounts or API keys or other secure credentials that need to be shared within an organization in order to keep that organization operational.”
Visit opensourcesecuritysummit.com to learn more about this annual conference.