One of the most frequent questions we get from clients is “How do we pick the right password manager for our organization?” Using a password manager is a safe and effective way to manage your passwords. With any tool, application or technology you implement at your organization, it’s important to do your due diligence. Review the benefits of the tool and understand the risks. In this blog, we’ll share guidance so you can choose a password manager that works for your business.
What is a password manager?
A password manager is a tool that makes it easy to adhere to password management best practices. It can help users discontinue bad habits, like using weak passwords, storing passwords in insecure locations, and reusing the same password for multiple accounts.
Password Managers typically sync across multiple devices. This allows you to access your passwords securely on your phone, laptop, or other device. They also generate strong passwords based on best practices. Many even suggest you change your password based on associated security incidents or data breaches.
What to look for in a password manager
Like any technology, using a password manager is not without risk. When choosing a password manager, look for key features that ensure the confidentiality, integrity, and availability of your passwords. Pick a platform that makes security easier, not a chore.
Some technical features to look for are:
- Encryption: Look for a password manager with robust encryption standards. AES-256 bit encryption is currently the industry benchmark. This ensures your data can’t be accessed without your master password. A backup of customer vault data was taken in a password manager breach in 2022. Fortunately, that data was encrypted by AES-256-bit encryption. Because of this, passwords were kept secure and impacted customers had enough time to reset their accounts without their passwords being accessed. It’s important to highlight that threat actors who have access to the data will still try to brute force their way into access. This is why you should keep a strong, unique passphrase as your master password. In the event of a password manager breach, always reset all the passwords stored there.
- Multi-factor Authentication: Another essential feature is Multi-Factor Authentication (MFA) support. This can stop a threat actor from brute forcing your password (note: always use long, complex passphrases!) or using one obtained through other means such as phishing or social engineering. Just remember, never accept unsolicited MFA prompts. Out of an abundance of caution reset your password if you receive prompts you didn’t request.
The password manager should use these best practices:
- Password Health Checks: Good password managers include features like password health checks. These check the complexity of your passwords, point out password reuse, and notify you of passwords that have been compromised in public breaches. These are essential features. Password health checks can help you make sure all the accounts that you store remain secure.
- Security Audits: Take time to research and verify that any password manager you are considering undergoes regular, independent security audits. You want to ensure it adheres to the highest security standards. Also, actually read the terms of service! They’re long (and boring) but they contain crucial information about how your data is protected and handled.
More key features to review:
- Storage Options: Decide between cloud-based and local storage options. For a cloud-based option, look for reliable synchronization and backup options along with secure methods to recover your account. The password manager should never store your master password. With a cloud-based option, make sure it will work well with your workflow and work seamlessly across all the devices and platforms you use. These tools should be making security easier not harder.
- Costs: Once you have identified a list of password managers that meet the security requirements, evaluate the costs vs the features. Some platforms offer free versions – but they may lack essential features for your needs. As with any tool, prioritize your needs and the solution that fits them best.
- Reputation: Do additional research into the reputation of the password manager’s company. Focus on their track record in security, the reliability of the platform, and customer support.
Risks of password management tools
Being diligent and checking for these features in a password manager helps minimize many of the risks associated with using a password manager. However, it’s important to be aware that there will still be risks like:
- Master password risk: The master password is the “Key to the castle”. It accesses all of your stored passwords, so it needs to be strong. If your master password is weak or compromised, all your passwords could be at risk. This password should be a complex, long, passphrase. Never reuse or share your master password.
- Data Breaches: If the password manager vendor suffers a data breach, your data could be put at risk, especially if that data is not encrypted. Identifying reputable companies with good security practices minimizes this risk, but it’s never eliminated completely.
- Email and Device Security: Always follow security best practices to make sure you are not a victim of phishing or malware. Both techniques can be used to try to gain your master password. To address this, it is important to continue to educate yourself about cybersecurity. Start with Security Awareness Training, completed annually to ensure you’re always up to date.
To mitigate these risks, it’s important to use a reputable password manager with strong security features. You should also keep all software, applications and systems up to date. Make sure you use a unique, strong master password, and stay vigilant against Phishing attempts.
Need help choosing a password manager for your business, or implementing cybersecurity solutions? Reach out to us – ADNET helps organizations of all sizes improve their security.