Usernames and passwords are the most common form of authentication and represent one of the first hurdles in securing a network. Mandating the use of strong passwords is one part of a good password policy, but another challenge is storing passwords securely. In corporate environments it’s not uncommon to have 5-10 passwords, each for a different software tool you need to do your job. This leads to two big security risks. Firstly, people reuse the same password: a 2019 Google survey found that 52% of users reused the same password for multiple accounts. Secondly, as people have more passwords to remember, they tend to store them in easy-to-access places rather than try to keep them all in their head. They write them on sticky notes or in a notepad left on their desk, save them in a file on their desktop, or use other insecure means.
This may seem unimportant, but when you’re talking about executives, managers, developers or other employees who handle important company information, storing these passwords in places where other people can see them is a real risk for the company. The solution is to use a password manager, which securely stores users’ passwords so that they don’t need to write them on sticky notes or in other places where other people might have access to them. The only password the user needs to remember is the one that unlocks the password manager.
Password managers can also generate long, secure passwords, which increases the overall strength of passwords. The Verizon 2019 Data Breach Investigations Report found that 80% of data breaches are due to weak passwords. Password managers resolve this issue by automating the process of creating strong passwords.
Benefits
No need to memorize: With a password manager you only need to remember the master password that unlocks the vault. Any time you need to log in to an account, the password manager auto-fills the password for you.
More secure passwords: Password managers can auto-generate a password when you create an account. These random passwords are long and alphanumeric, and much more secure than the passwords users come up with themselves.
Alerts to phishing sites: If you are lured to a phishing site (a fake replica of a real site), the password manager will usually recognize it and won’t auto-fill the password. In this way it indirectly protects users from entering their credentials into a fake website.
They save time: Auto-filling data for you is not only more secure but also faster. This doesn’t just extend to passwords; some managers also auto-fill names, email addresses, phone numbers and credit card information.
Separates accounts: About 52% of people use the same password for multiple accounts, so a breach of one password compromises many accounts. With a unique password for every account, a leak of one password does not let an attacker take over your other accounts.
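The two mechanisms behind the "more secure passwords" and "alerts to phishing sites" benefits above, as an added example that is not code from the original post or from any product: passwords are drawn from the OS CSPRNG, and a saved credential is only released when the page's origin exactly matches the origin it was saved for, so a lookalike domain gets nothing. The vault contents and `example.com` hosts are constructed for the example.

```python
import secrets
import string
from typing import Optional, Tuple
from urllib.parse import urlsplit

ALPHABET = string.ascii_letters + string.digits  # long, alphanumeric, as the post says


def generate_password(length: int = 20) -> str:
    """Return a random alphanumeric password drawn from the OS CSPRNG."""
    if length < 12:
        raise ValueError("refusing to generate a short password")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port]; this is the key autofill matches on."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # already lower-cased by urlsplit
    default = {"https": 443, "http": 80}.get(parts.scheme)
    if parts.port is None or parts.port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{parts.port}"


# Constructed sample vault for the example: origin -> (username, password).
VAULT = {
    "https://mail.example.com": ("alice", generate_password()),
}


def credential_for(page_url: str) -> Optional[Tuple[str, str]]:
    """Release a credential only on an exact origin match.

    A lookalike such as https://mail.example.com.evil.test, a different
    subdomain, or the same host over plain http:// is a different origin and
    gets nothing; that is what keeps the saved password off a phishing page.
    """
    return VAULT.get(origin_of(page_url))
```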
Types of Password Managers
Desktop based: These password managers store your passwords locally on your laptop. This suits people who don’t want their passwords in the possession of a service provider. However, the vault can’t be used on any other device, and if you lose that device all the passwords stored there are lost. To mitigate this risk, some password managers offer an option to sync devices when you connect to the internet.
Cloud based: These password managers store the encrypted version of your passwords on the service provider’s network, and the provider is responsible for the security of your passwords. The biggest advantage is that you can access your vault from any device as long as you have an Internet connection. They come in multiple forms, such as mobile apps, browser extensions and desktop applications.
Web browsers: Chrome, Firefox, Internet Explorer (IE) and most other browsers have integrated password managers. The biggest advantage is the convenience of not having to install any additional software to achieve the same goal. However, they have some limitations: Chrome and IE store your passwords in unencrypted form on your computer, which isn’t a secure practice. Firefox does offer encryption, but at the time of this post it lacks some features such as generating random passwords and cross-device syncing.
Password Managers to Consider:
*Please note that this is not an endorsement of any of these products; these are just suggestions you can start your search with. Please do your own research before deciding on any particular product.
1Password: This is a very popular up-and-coming password manager that allows for unlimited passwords and items and 1 GB of document storage. It works across macOS, iOS, Windows, Android, Linux and Chrome OS, and supports two-factor authentication for extra protection. You can try it free for 30 days; beyond that it is $2.99 per month, billed annually.
LastPass: This is a cloud password manager that comes with extensions, mobile apps and desktop apps for all browsers and operating systems, and it also supports two-factor authentication. All passwords are stored in encrypted form on LastPass’s servers, and the LastPass extension or app encrypts and decrypts them locally when you log in, so even LastPass never sees the passwords. It works on a freemium model, with the premium version costing $3/month.
Bitwarden: This is an open source password manager and a good alternative for those who don’t want to pay for one. It offers a free account with all of its core features at no cost, and premium features cost $1/month, adding up to $10 per year.
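The model described for cloud-based managers and for LastPass above (the vault is encrypted on the client and the provider stores only ciphertext, so it never sees the passwords), as an added example that is not LastPass's, Bitwarden's or any product's code. The vault key is derived from the master password with PBKDF2 on the client; the server record holds only the salt, nonce, ciphertext and tag. The cipher is a stand-in built from HMAC-SHA256 (counter-mode keystream plus an encrypt-then-MAC tag) so the block runs on the standard library alone; a real product would use an authenticated cipher such as AES-GCM, and the iteration count is an assumed value.

```python
import hashlib
import hmac
import json
import os
from typing import Optional, Tuple

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value; raise as hardware allows)


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Client side: stretch the master password into separate cipher and MAC keys."""
    key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=64)
    return key[:32], key[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stand-in for a real cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master_password: str, entries: dict) -> dict:
    """Client side: encrypt and tag the vault. The returned record is all the server stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()  # encrypt-then-MAC
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password: str, record: dict) -> Optional[dict]:
    """Client side: re-derive keys, verify the tag, then decrypt; the server never holds keys."""
    salt, nonce = bytes.fromhex(record["salt"]), bytes.fromhex(record["nonce"])
    ciphertext, tag = bytes.fromhex(record["ct"]), bytes.fromhex(record["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong master password or tampered record: fail closed, no garbage
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
```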
Conclusion
Password managers add a lot of security and convenience to your organization’s password policy. As a best practice, it helps to create a password manager policy that encourages employees to use password managers and outlines the benefits. Many people use very insecure methods to store passwords; this and weak passwords are two of the leading causes of security breaches. A good password manager policy is one of your first lines of defence against attackers. Combine it with multi-factor authentication, which can usually be enabled for free on many pieces of software, and you have a good first layer of protection for your network.