You wouldn’t ask Anne in accounting or Sam in sales to configure your firewalls, install an encryption solution or apply security patches. Yet most companies consistently make regular employees responsible for one of the most critical pieces of security — the password.
Spoiler alert: It doesn’t work very well.
Despite greater focus on improving security awareness in the workplace, poor password practices continue to undermine data protection. More than 80 percent of all confirmed data breaches involve weak, default or stolen passwords, according to Verizon’s 2018 Data Breach Investigations Report.
There is a better way. Simple and effective password management solutions can boost security by eliminating the burden on end-users to create, type, change and remember passwords.
Password managers encourage safer practices by allowing users to create and store unique passwords for all their accounts. Most work by encrypting a list of passwords with a single master password that only the user knows. The best also include a built-in password generator that ensures passwords are complex, difficult to guess and changed frequently.
There are a variety of password managers available, ranging from low-cost and even free consumer-grade solutions to advanced enterprise-grade solutions. They can come as installed software applications, locally accessed hardware devices or online services accessed via web portals. They are all fairly easy to use.
LastPass, Dashlane, Keeper and Zoho Vault are among the many password managers with free editions. However, most free versions come with some restrictions. They generally limit the number of passwords that can be stored, the amount of encrypted file storage available and the number of devices that can be used. The professional editions of these solutions offer more robust features, including AES-256 encryption, salted hashing, two-factor authentication and a random password generator.
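The mechanism described above (a password list encrypted under one master password, using a salted key derivation, AES-256 and a random password generator) is shown here as an added Node.js example. It is not code from any of the products named, and the function names, scrypt parameters and sample entries are assumptions.

```javascript
// Added illustration; function names, parameters and sample data are assumptions.
const nodeCrypto = require('crypto');

const CHARSET = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_';

// Random password drawn from the OS CSPRNG; randomInt avoids modulo bias.
function generatePassword(length = 20) {
  let out = '';
  for (let i = 0; i < length; i++) out += CHARSET[nodeCrypto.randomInt(CHARSET.length)];
  return out;
}

// Stretch the master password with a per-vault random salt into a 256-bit key.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.scryptSync(masterPassword, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Encrypt the entry list with AES-256-GCM; salt, nonce and tag are stored beside the ciphertext.
function sealVault(masterPassword, entries) {
  const salt = nodeCrypto.randomBytes(16);
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), nonce);
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  return { salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the entries, or null when the master password is wrong or the stored blob was modified.
function openVault(masterPassword, vault) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(masterPassword, vault.salt), vault.nonce);
  decipher.setAuthTag(vault.tag);
  try {
    const plain = Buffer.concat([decipher.update(vault.ciphertext), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch (err) {
    return null; // authentication tag did not verify
  }
}

// Constructed sample data: one unique generated password per site.
const entries = [
  { site: 'mail.example.com', user: 'anne', password: generatePassword() },
  { site: 'crm.example.com', user: 'anne', password: generatePassword() },
];
const vault = sealVault('constructed master passphrase', entries);
console.log('correct master password:', openVault('constructed master passphrase', vault).length, 'entries');
console.log('wrong master password:', openVault('wrong guess', vault));
```

Only the salt, nonce, tag and ciphertext need to be stored or synced. The master password and derived key never leave the process.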
Forrester Research says you should look for these core capabilities when evaluating password managers:
Secure storage of passwords and private information. The solution should provide a secure vault of password information, either locally or in the cloud for easier mobile access. The vault enables autofilling of credentials across devices and can enforce other requirements such as password complexity and password rotation.
Support for both personal and business password vaults. The ability to quickly switch between work and personal vaults discourages password reuse. It also lets security teams enforce stronger password policies for work accounts while users can still access their personal passwords after leaving the organization.
Multi-device syncing. This allows you to use a single account across office and home desktop computers, laptops, tablets and mobile phones. Any password changes are synchronized to all of your linked accounts in real time, reducing the time and trouble of submitting help desk reset requests.
Centralized management. An administrative console will make it much easier to deploy, manage and monitor password managers across the organization. The console will allow administrators to create roles and teams, enforce management policies, invite and enroll new users, and offboard users without risk of losing critical business information.
Application integration. Many solutions also include dedicated APIs that administrators can leverage to secure passwords embedded in app-to-app connections, scripts and other locations across platforms.
Passwords have long been an essential security tool, but password overload is limiting their effectiveness. Users are being asked to adopt more and more complex passwords, avoid reusing them and change them frequently. Password managers can relieve users of much of this responsibility and deliver a more sophisticated and practical solution.