Traditional password practices are broken. One recent study found that the average business user has nearly 200 unique passwords — a number that strains the limits of human memory and encourages a range of risky password practices. That’s why organizations should strongly consider adopting password management technology.
Password managers, or password wallets, allow users to create and store unique passwords for all their accounts. Most work by encrypting the stored passwords with a key derived from a single master password that only the user knows, so the strength of the vault rests on the strength of that one master password. The best also include a built-in password generator that ensures passwords are complex, difficult to guess and changed frequently.
Such solutions are overdue in most organizations. Former Homeland Security chief Michael Chertoff says current password practices are “by far” the weakest link in IT security, and the statistics back him up. Eighty-one percent of all confirmed data breaches involve weak, default or stolen passwords, according to Verizon’s 2017 Data Breach Investigations Report.
Unfortunately, there’s no sign that understanding the danger changes user behavior. For seven years running, “123456” and “password” have ranked as the most commonly used passwords in an annual study by SplashData. Today’s brute-force cracking software and hardware can obtain those passwords in seconds.
Other common but risky user behaviors include writing passwords on sticky notes or in a notepad, or saving them in email, Word documents and spreadsheets. Password reuse is another problem. An attacker who gets your credentials for one site or service will try to use them on your corporate network, email, banking site or other high-value targets.
There are a variety of password managers available, ranging from low-cost and even free consumer-grade solutions to enterprise-grade solutions with more robust features. They can come in the form of installed software, locally accessed hardware or as online services accessed via web portals. They are all fairly easy to use.
Most free password managers come with some restrictions, such as limitations on the number of passwords that can be stored, the amount of encrypted file storage available and the number of devices that can be used. These tools are most suitable for individual users rather than company-wide deployment.
The professional editions offer more robust features, including AES-256 encryption, salted hashing, two-factor authentication and a random password generator. Some managers offer additional features such as alerting when one of your sites or services has been breached, priority customer service and the ability to change your old passwords automatically on certain sites.
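The random password generator mentioned above is the feature that removes the "123456" problem from L4, and the difference is measurable. The Go program below is an added example (not any product's generator): it draws every character uniformly from the OS cryptographic random source using rejection sampling, retries until all four character classes are present, and reports the search space in bits so the result can be compared with a six-digit password. The alphabet and the 16-character default are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Character classes making up the generator's alphabet (assumed for the example).
const (
	lower   = "abcdefghijklmnopqrstuvwxyz"
	upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits  = "0123456789"
	symbols = "!@#$%^&*()-_=+[]{};:,.<>?"
)

var alphabet = lower + upper + digits + symbols

// randIndex returns a uniform integer in [0, n). crypto/rand.Int does rejection
// sampling internally, so there is no modulo bias toward low indices.
func randIndex(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// HasAllClasses reports whether pw contains at least one character of each class.
func HasAllClasses(pw string) bool {
	return strings.ContainsAny(pw, lower) &&
		strings.ContainsAny(pw, upper) &&
		strings.ContainsAny(pw, digits) &&
		strings.ContainsAny(pw, symbols)
}

// GeneratePassword returns a password of the given length with every character
// drawn uniformly from the alphabet, regenerating until all classes appear.
func GeneratePassword(length int) (string, error) {
	if length < 4 {
		return "", errors.New("length must be at least 4 to contain every class")
	}
	for {
		var sb strings.Builder
		for i := 0; i < length; i++ {
			idx, err := randIndex(len(alphabet))
			if err != nil {
				return "", err
			}
			sb.WriteByte(alphabet[idx])
		}
		if pw := sb.String(); HasAllClasses(pw) {
			return pw, nil
		}
	}
}

// SearchSpaceBits is log2(alphabetSize^length), the number of bits an attacker who
// knows the alphabet and length must brute-force through.
func SearchSpaceBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

func main() {
	pw, err := GeneratePassword(16)
	if err != nil {
		panic(err)
	}
	fmt.Printf("generated: %s (%d-character alphabet)\n", pw, len(alphabet))
	fmt.Printf("search space: %.1f bits\n", SearchSpaceBits(len(alphabet), 16))
	fmt.Printf("for comparison, a 6-digit numeric password: %.1f bits\n", SearchSpaceBits(len(digits), 6))
}
```

The retry loop slightly favors passwords that contain all classes over a purely uniform draw, which is the usual trade-off when a site policy demands class coverage; the entropy figure is the upper bound an attacker faces only if the generator's randomness is truly uniform, which is why crypto/rand rather than math/rand is used.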
Multi-device syncing is one of the most useful features offered in professional editions. This allows you to use a single account across office and personal desktop computers, laptops, tablets and smartphones. Any password changes are synchronized to all of your linked devices in real time, reducing the time and trouble of submitting help desk reset requests.
Shared access to credentials is another important feature for organizations that allow multiple employees to access online services through company accounts. For example, organizations often set up user groups for cloud services such as Office 365, Salesforce or Webex. A password manager with shared credentials ensures that everyone is kept up to date about password changes.
Passwords have long been an essential security tool, but password overload is limiting their effectiveness. Users are being asked to adopt more and more complex passwords, avoid reusing them and change them frequently. Password managers can relieve users of much of this responsibility and deliver a more sophisticated and practical solution.