On both the individual and enterprise levels, password management software has become a no-brainer with the rise of cloud-based applications and the number of passwords for which each user is responsible. As IT security consultants, we at KINETIC IT consider it a necessity for every organization.
What is a password manager?
Password managers are tools that store all of your passwords in a single encrypted vault. Because you no longer have to memorize them, every password can be a truly random combination, which is far harder for malicious users or bots to crack, and the only password you need to remember is the one for your password keeper itself.
On the enterprise level, a password manager forces users to have strong passwords, sets a schedule that determines when passwords have to change, and includes an admin console to control passwords and key services within the company. They work across multiple operating systems and on mobile devices. Password keepers also do more than store passwords securely: they support multi-factor authentication, an important security strategy, as we pointed out in our previous blog post.
In addition to the features mentioned above, there are many other benefits to implementing a password manager.
What are the benefits?
Password managers allow your organization to improve operational efficiency and productivity. They enable your teams to change passwords frequently and to manage passwords, license keys, and documents across multiple platforms, while keeping uninterrupted access to passwords and recovering lost passwords quickly. They also strengthen security by storing passwords in encrypted form, controlling which employees can access which passwords, tracking and auditing password usage, eliminating hard-coded passwords, enforcing your password policies, and helping to ensure compliance.
Additionally, password keepers give you centralized control: passwords live in a central secure vault, they can be reset remotely, and reports and password status can be generated and tracked from anywhere through a web interface.
Which manager should I use?
Our experts typically recommend LastPass as your password manager – we even use it ourselves! LastPass can protect your data with many different kinds of two-factor authentication. This is important, because according to Neil Rubenking at PCMag, “when you enable multifactor authentication, a hacker who guesses or steals your master password won’t be able to log in.” Another key benefit is that LastPass encrypts your data in a way that even the folks at LastPass cannot read: the vault is encrypted on your device with a key derived from your master password, so the company itself could not hand your passwords over to the NSA or anyone else even if ordered to. Additionally, LastPass supports unusual browsers (like Dolphin on mobile devices) and can warn end users about weak passwords. The enterprise version manages employee on-boarding and off-boarding, generates a security “score” for your company, and supports policies such as restricting access to a specific mobile device platform.
Should I be concerned about security?
There is, of course, a downside to a password manager: the vault is protected by a password of its own. The master password therefore has to be remembered or stored in a more traditional way, and if a crook gets hold of it, they may as well have been handed the crown jewels, because they now have access to all of your accounts at once.
Along these lines, LastPass has admittedly been breached in the past. That being said, in the malicious breaches the attackers were not able to get any useful information. In the most recent (and most significant) incident, the “hackers” were in fact do-gooders who alerted LastPass to weaknesses so the company could improve its code and better protect customers in the future.
Therefore, in our opinion, password managers are still a net positive for both enterprises and individuals. They are far more secure than reusing the same password over and over.
Ultimately, unless you’re going to write your passwords down manually and physically guard them, you’re going to deal with an element of digital vulnerability. In that case, a password manager wins hands-down in a classic lesser-of-two-evils situation.