Here's Why You Need A Password Manager

My mother bragged to me once that she is very good with technology. When I (her free tech support) raised an eyebrow at this, she pulled out a notepad that had handwritten notes on how to change the TV input from cable to the DVD player. Before she got to that page, she flipped through three other pages of her usernames and passwords for everything from her email to her online bank account. Every password was some variation of the dog’s name (not her son, mind you) and most of them were the same. I took a deep breath and began to explain password managers to her.

Now, there is a lot of fluctuating guidance on what should be required in a password, but two major points have been constant:

1. The password should not be “guessable” in that it should be unique or complex enough to avoid being compromised by a dictionary attack or through a brief Facebook search (cough cough, the dog…)
2. There should be a unique password for each individual system login

Every company with a defined security program has something along these lines listed for password complexity requirements within their policies and when asked in an audit, will state that both are required for all employees. Stating that you have a unique password for every system is one of the most common lies, right up there with, “I have read the terms and conditions”. This is where the beauty of a password manager comes in.

How a Password Manager Works

Password managers provide a digital vault in which all usernames and passwords are stored to be retrieved and filled in when needed. The tools can also automatically generate a new password of required complexity when requested to do so. With a password manager in place, not even the user knows their passwords. There is no more trying to remember the password and no more typing it out (with growing frustration after multiple attempts), as password managers often include autofill features, detecting what site or application you are using and inputting the corresponding password you have stored in the password manager.

Suddenly, the growing frustration from employees over the constantly increasing security requirements surrounding passwords is alleviated with one solution while you are simultaneously increasing your security posture and reducing the risk of a breach. It is rare to be able to add a security control that actually makes your employee’s life easier (passwordless login comes to mind).

The most common objection to the implementation of a password manager is that it will be difficult to train employees on the new system, and yes, that is an obstacle. However, going back to the story earlier, within 48 hours my mother had her entire digital life secured in a password manager. If she can do it, so can your employees.

Below are some answers to come other frequently asked questions and objections.

What about the recent password manager data breaches I have heard about? Unfortunately, there have been reported breaches by password manager providers. It is not surprising that they have been targeted considering the high concentration of valuable data. However, most password managers utilize what is called zero knowledge encryption. This means that the data is encrypted on the provider side but can only be decrypted with a key that the client stores on their side. Therefore, if the data is breached by a malicious actor, they would not also be able to read it unless they successfully target the specific client to get the key as well.

Can password managers be centrally managed?

Most enterprise password managers can be centrally managed by your IT department. This means that password complexity, expiration, retention, and other policies can be enforced via a central platform. Some even have the ability to alert the admins if a weak or reused password is detected, allowing them to reach out to the end user to make a change. All of this without the ability to view any individual’s passwords.

How accessible are password managers? What if I switch computers or travel?

Most password managers have a browser plugin and mobile app in addition to a desktop client, with the option for users to utilize any or all of them. This means that when accessing sites and applications either on the computer or on your mobile device, passwords can be automatically filled or generated when needed. Cloud storage allows passwords to be accessed securely from anywhere.

What other features do password managers offer?

Depending on the password manager solution you choose, there are several additional features. This could include the ability to store the answers to security questions, which is a great bonus as your answers to security questions should be as random as your passwords to remain truly secure. Other features include storing identity information (email, address, phone number, etc) for auto-filling, credit card information to have as a digital wallet, and secure password sharing between users if needed.

Password managers are just one control in the toolkit of security measures we at Compass IT Compliance advise our clients on each and every day. Should you have any further questions regarding password managers, password policies, or any other aspect of a robust information security program, please do not hesitate to reach out to our team!