Yes, your organization needs a Password Manager! Now that we’ve answered one of the most frequently asked questions, let’s spend the rest of this blog post explaining why. How else would a person keep track of the 191 passwords an average employee needs to manage?
Here are some of the possible solutions for managing the tens of passwords used:
- Have an eidetic memory.
- Write them all down.
- Reuse the same password for multiple sites.
- Store them in your contacts/notes/some other application.
That’s great if you have an eidetic memory. This blog post is for the rest of your organization.
Writing down passwords
Writing down passwords is not necessarily a bad idea. Especially for someone who is unlikely to be targeted for attack, this solution could possibly work. But only if the passwords are stored in a secure, locked location. However, there is no way you could make sure that everyone in the organization is following this practice.
If your company is a likely target of an attack, then writing passwords down could be a bad idea. Likely targets at an organization include high net worth individuals, people who have access to valuable intelligence or have a close relative that has stolen in the past.
Even if some people are not likely to be a target, what happens when the paper is lost or destroyed? I hope your staff enjoys resetting passwords!
Reusing passwords is a terrible idea. Terrible like running with a chainsaw, terrible.
It is difficult to remember lots of passwords, so often people use the same password again and again.
An attack scenario that plays out again and again is the following. A single site is compromised. It may not even be important to anyone. It could be a site that your employee created an account for in order to perform a one-time download. Now the bad guys have their email address and the password that they use everywhere.
Next, the attackers try the same email address and password combination for every site they can think of. They try email, the company portals, social media, airline, e-commerce, and financial sites. If they successfully log in, then they extract the maximum value that they can from these sites at the employee’s expense.
Soon enough the person’s entire digital identity has been compromised! Reusing the same password is dangerous, for the individual and the company.
Store passwords in a contact, notes application or Excel
If people in your organization store passwords in the contacts or notes application or Excel then congratulations, your organization is using a password manager! Here is the bad news… You are using a really bad password manager. The passwords are note encrypted. You are storing your most confidential information in something that it was not designed for. This data may be replicated all over. If a bad guy were able to compromise this application then they would have access to all of your passwords.
Several high-profile cybersecurity breaches occurred in part to storing passwords in Word and Excel documents. For instance, the Sony data breach included a directory named “Password” that contained Word and Excel files with passwords!
If you stored passwords in another application, then you have already made the leap that you need a password manager. Now the next step is to use an application that is designed for the task.
Should you put all your password eggs in one password manager basket?
While you might recognize the problems identified above, you may still be skeptical about using a password manager. The main argument being- The password manager isn’t necessarily impenetrable. So, if your master password is compromised, the bad guys would have all of your credentials.
A password manager doesn’t eliminate risk. It does significantly reduce it for most use cases. If you do use a password manager, then you should pick an absolutely killer password. Remember that this password lets someone into all of your other passwords.
Before you balk at a password manager, let’s review the key benefits:
- Passwords are stored in an encrypted form.
- Passwords are replicated between devices ensuring access from mobile or desktop
- Gives employees the freedom of using a different password for every account without having to remember every one of them.
- Gives a way to come up with different, long, and complex passwords.
- Accessible on a variety of apps and devices.
- Great at reminding you all of the sites and applications you use. Especially the infrequently accessed ones.
The primary benefit of using Password manager for your organization is that you are changing people’s security behavior. Your employees can truly protect the way they are using the web and manage their passwords- both professional and personal.
How to pick a password manager?
If you are asking this question, CONGRATULATIONS! You have taken a major step in the right direction.
There are several options available in the market. To make sure that your business uses the best product it is important to evaluate your needs and pick features you would require. For example, if your company uses services that require multiple users to access it, you would go for a password manager that lets users create groups for shared access so that employees can be up to date on the password changes and remove access for those who leave the company.
Picking the right technology is the key. Between SaaS and on-premise solutions, SaaS is a better option for small industries. You only pay for what you need. On the other hand, on-premise solutions are a flexible and reliable option for large enterprises since you pay for the hardware and the license is completely owned by you.
What to look for in a corporate password manager:
- Cross-platform. The password manager should work on multiple devices and operating systems and have data syncing feature to provide the flexibility to retain the same security between different platforms.
- Admin console. A centralized admin console lets you manage employee access and set company-wide policies. The added benefit is the ability to track login attempts, valid logins, and unusual activities. Make sure your password manager allows you to customize the admin privileges.
- Bulk password changer. Having a bulk password changing feature will allow you to quickly change a large number of passwords for your organization in the event of an organizational change or a security incident.
- Password storage. You can either store your passwords on locally or remotely on a company’s server. Most managers first encrypt the passwords locally before storing them on cloud. So, it should be safe for a majority of users. There is still a remote possibility that the passwords could become compromised. So, if you hate the idea of having your organization’s passwords stored on one site in the cloud, there is always the option of storing them locally.
- Shared credential management. The ability to create groups for shared access credentials will not only enable easy on-boarding but will also make managing employee permissions easier.
- Remote Sessions. If your organization deals with remote access demands from a number of different users, this would be an essential feature. It would allow the authorized users to launch completely emulated RDP, SSH, and Telnet sessions without any end-point agents, browser plug-ins, or helper programs.
- Separate vaults. Having separate vaults for personal and business passwords will allow admins to monitor and regulate corporate passwords without compromising the privacy of your employees’ personal space.
- Multi-factor authentication. For an added layer of security, many password managers also provide multi-factor authentication to limit access to the vault.
- Active Directory (AD)/LDAP integration. AD and LDAP’s single sign-on capabilities can be extended to the password manager. Leveraging the AD setup while implementing a password manager would save time in the on-boarding process.
- Auditability. The Password Manager’s audit function can demonstrate who had access to systems when an incident occurred.
A password management tool will likely improve your organization’s cybersecurity posture.
Need help with a password manager project or with your overall cybersecurity strategy? Give us a call at Fractional CISO today. We can be reached at (617) 658-3276 or email firstname.lastname@example.org and find out how we can assist you.