Think about your bank accounts, work-related sites, social media, online retail accounts, cloud services, travel sites and hotel sites — each one likely requires a login and password. When I compiled all my accounts, passwords and pins a year ago, I realized I had more than 200 logins.
To keep track, most users reuse the same passwords over and over. However, that poses a major threat. If a hacker gains access to one account, they can use the same credentials to access many more accounts.
Cybersecurity experts are adamant that every password should be unique and of an appropriate length and configuration. That’s where password managers come in.
Jump to:
A password manager is essentially an encrypted vault for storing passwords that is itself protected by a master password. To gain access to the passwords stored in the manager, a user has to know the master password; in many cases, a second authentication factor is required, such as a code or a biometric input.
Password managers can be used to store passwords for easy recall, but one of the best features of most password managers is their ability to generate passwords. A longer password is more secure and harder to crack, and the passwords generated by password managers are combinations of random numbers and letters that are very secure.
Another important feature of most password managers is the ability to automatically fill in passwords for stored sites. By using that feature, you won’t have to type anything but the master password, and it’s also a good way to avoid having passwords stolen by keylogging malware.
Furthermore, a good password manager allows you to sync your data between devices so you won’t have to worry about losing information stored on your desktop if you’re using your smartphone, for example.
Password managers take the hassle out of digital life by putting all sensitive credential information in one secure, easy-to-access location.
Be aware, though, there are many different types of password managers. There are solutions designed for individuals, families or small businesses and there are those solely for enterprises. Organizations should avoid the consumer versions and opt for those that offer enterprise features as well as the ability to manage all business-related passwords for each user.
Enterprise-class tools can control and secure credentials for any and all privileged accounts, services, systems and applications. As such, these tools can differentiate between the different levels of access that may exist within an organization, add extra layers of protection to privileged accounts and enforce policy across the organization as to when passwords must be changed, as well as their length and configuration (capitals, lowercase, numbers, symbols, etc.).
In addition to the distinction between enterprise and consumer tools, there are also password managers that store passwords on a local device or server and those that store them in the cloud.
There are pros and cons to both options:
Most password managers that utilize the cloud can have their sync functions disabled if needed to avoid the risk inherent in cloud storage. The same isn’t true for local storage options, though: If you seek out an option with a local password vault, you won’t be able to sync it to the cloud.
There is often confusion about whether to use a password manager or shared account password management (SAPM). Both are distinct and have different roles in the enterprise, and both can function side by side. Password managers are designed to store and give easy access to individual accounts; these tools shouldn’t be used to store administrator credentials, shared accounts or other business accounts that aren’t assigned solely to one user.
SAPM is designed to manage and control shared accounts. Depending on the SAPM product, shared account passwords are either given out once a user signs in and are reset after logout or the passwords are obscured from a user so they can use the privileged account without ever knowing the password. It is a good idea for large businesses with shared privileged accounts (domain admins, root, etc.) to implement an SAPM product along with a password manager. Corporate password management tools can store credentials for important websites and be linked to Active Directory, making the entire process a single sign-on.
Whatever form of password manager is utilized, the goal is to eliminate bad habits like using the same password for multiple accounts, using simple passwords and writing them down on sticky notes, spreadsheets or word documents. If long, complex passwords are used, it also greatly reduces the bad practice of users giving someone else their password, thereby reducing the risk of a data breach.
Enterprise password managers reduce the risks associated with credential compromise by safeguarding access to account passwords and various types of authentication credentials, such as Secure Shell keys. This provides IT or security management with complete control over both system and application access through what is known as live session management. Administrators are then able to monitor, detect, record, lock and document suspicious behavior. Enterprise-class password management tools also give them the ability to terminate sessions for specific users if anomalous behavior or traffic is detected.
Automation and monitoring features within password managers keep track of the passwords in use and provide the means to enforce strong password policies for both humans and machines. For example, if the organization requires certain accounts to change their passwords every month or every quarter, the system sends out automatic messages to warn users and includes policing features to enforce compliance.
Figure A
Perhaps the greatest benefit of a password manager is the ability to enforce password hygiene by making all users use complex and lengthy passwords that are difficult to hack. That said, the greatest drawback of password managers is that they can act as single points of failure. By knowing the master password, someone can then access all other linked accounts.
Benefits of password managers |
Drawbacks of password managers |
---|---|
Enforcement of password hygiene. | Single point of failure. |
Use of long and complex passwords. | Anyone with the master password can access all other accounts. |
Passwords that are almost impossible to hack by brute force techniques. | Users may be unhappy with long complex passwords. |
A variety of security features can be incorporated into password managers. | Users may face additional authentication methods. |
Password managers that cater to large enterprises and offer the most security features are typically the most expensive. Therefore, if a password manager is free, you can expect it to be stripped down to the basics and missing key capabilities that enterprises need. Don’t expect much in the way of security, either.
Here are some key features to expect in an effective password manager:
There are many consumer password managers around. They are great for individuals, families and small businesses. But consumer password managers lack the management capabilities that organizations demand — such as password monitoring and enforcement throughout an organization, requirements to change passwords according to a certain timeline and the ability to enforce compliance for password length and configuration. Hence, you will pay more for enterprise-class tools compared to something more aimed at the consumer market.
There are various security capabilities that are added by vendors to safeguard their password systems. These include multi-factor authentication, encryption, SSH keys and the ability to detect anomalous behavior and lock down systems. Some password management systems offer none, some offer one or more and a few offer all of them. Pricing is impacted by the security feature set. Some vendors charge extra for security add-ons and options. Others bundle security into the overall price.
AI has taken the world by storm. Password management vendors have taken note. They are adding AI to their tools to detect strange behavior that may indicate an attempted breach. They monitor user behavior to recommend the best way to adjust policy, dictate training and monitor password compliance. AI and analytics features are typically options you pay more for. However, some vendors have begun to include them in their overall price.
Data privacy and sovereignty are hot topics right now. Many countries and regions have implemented tough laws that can levy hefty fines if data is transmitted outside of their jurisdiction. Therefore, password managers should include features that enable them to comply with application laws pertaining to privacy and sovereignty.
Most password managers worth using utilize AES-256, which is generally considered one of the strongest forms of encryption available — so strong that the US government uses it to transmit top-secret information. However, there are tools around that either omit encryption or leave it up to the user to implement it.
The odds of a hacker attacking your device and stealing data from your password management app are slim, and it’s even slimmer that they’ll be able to decrypt that data. A couple of years ago, a security architect found it would take one billion years to brute-force crack AES-256 encryption. However, as hackers utilize the processing power of modern GPUs and harness AI in their nefarious efforts, that time link has shrunk considerably and continues to do so. Hence, passwords are getting longer and more complex to thwart even the best hackers. But the time it takes someone to crack a password shrinks to zero if the hacker has your master password and you aren’t using two-factor authentication, so be sure to favor password managers that offer MFA as an extra layer of security.
SEE: All of TechRepublic’s cheat sheets and smart person’s guides
As with any technology, nothing is foolproof. Hackers have gained access to the databases of password management companies and made off with user data before, and it’s entirely possible that it could happen again.
What’s important to note isn’t the incidents that have compromised user security, though — it’s the alternative. Storing your passwords in a web browser means the data is unsecured. If the hacker gets into your computer, those passwords are compromised and can be used to access bank accounts and other sensitive files.
Password managers are the best way to keep track of all your internet logins. You won’t find a better way to safeguard your information, even with some perceived flaws. When password managers include MFA, encryption and other security safeguards, the chances of compromise drop dramatically.
The good news is that there are many excellent enterprise password managers out there. They include the features that enterprises demand, as well as plenty of security safeguards.
The bottom line is that no enterprise interested in keeping its data and applications secure should ever be without a password management system. Those failing to do so are setting themselves up for the inevitability of ransomware attacks, malware infections and embarrassing headlines about the state of their security.