Password management is a common challenge for businesses in every industry. A surprising number of businesses still rely on paper logbooks or unsecured spreadsheets to manage their privileged account credentials. Forrester (a leader in business technology research and advisory) estimates that 80% of data breaches involve privileged credentials, which means organizations must make password protection a top priority in their security strategies.
Selecting the Right Tool
Simply remembering passwords for the many accounts we all access daily (both personally and professionally) can be problematic. Any responsible password management policy makes it impractical to memorize individual credentials, because passwords should be complex (a mixture of letters, numbers and symbols). In an effort to reduce the number of passwords they have to remember, many users end up reusing the same complex password across numerous accounts, defeating the purpose of having a secure, unique password in the first place.
Privileged accounts are an easy target for hackers, or even disgruntled employees, when poor security and management processes exist. As a component of your overall security strategy, the following password manager tools can be used:
KeePass Password Safe
An open-source, fully encrypted database, locked with one master key, that is meant to hold a single user’s credentials. KeePass stores usernames, passwords and free-form notes.
- Strong security and a built-in password generator protect against guessing attacks and key loggers.
- KeePass can be installed on Windows for desktop access, or saved to a USB stick to transfer easily between computers.
- Free software means no annual renewal fees.
Pleasant Password Server
A multi-user password management tool compatible with KeePass Password Safe. It is ideal for large enterprises and for small businesses that are not comfortable storing information in the cloud, since the tool is deployed on your own in-house infrastructure.
- With universal Single Sign-On (SSO), your employees can use enterprise passwords without ever having to see them.
- Available for a variety of devices and operating systems.
- Define hierarchical user roles and security groups, and centralize policies.
- Includes backup and disaster-recovery restore capabilities.
LastPass Password Manager
LastPass is a cloud-based desktop application installed on your workstation in conjunction with an internet browser extension. You’ll only have to remember one secure master password to log in to LastPass; all your other passwords are stored in the manager.
- Safely store unique passwords in a personal “vault” for every user, with unlimited shared folders for company shared accounts (marketing accounts, social media accounts, etc.).
- Access on all devices (mobile, tablets, etc.), with no server infrastructure required.
- Includes a complex password generator, so users aren’t expected to make up passwords on their own. Multi-factor authentication is available if desired.
- Credentials can be shared with users external to your organization without disclosing the actual password.
Things to Consider
With over 4.2 billion credentials stolen in 2016 alone, there should be no doubt that your business needs a strict password management policy in place. Balancing enough security to achieve its purpose without hindering work efficiency can be challenging, but with the right management technology in place it is possible.
Ensure your password policy addresses the following:
- Complexity and Uniqueness. Highly sensitive accounts (banking, medical databases, client contact information, etc.) should be protected by unique passwords, meaning a password is used exclusively for one account and never repeated in other login credentials. Each unique password should be at least 20 characters long and contain a combination of upper- and lower-case letters, numbers and symbols.
- Access Management. Periodic reviews and an audit trail should be in place to ensure access is granted appropriately and only as needed. As staff turnover occurs, make sure passwords are reset or accounts disabled.
- Password Managers. A password manager is only as secure as its vendor and as the master password protecting it (so enable two-factor authentication). Since password managers store critical, highly valuable credentials, organizations must recognize that they are a target for attacks. Make sure the deployed password manager is kept updated, secured and reviewed for security patches, that the credentials stored in it are current, and that it is included in disaster-recovery backup plans.
- Password Reset and Password Sync. For the best user experience, and ultimately better security, passwords should be reset every 6 months to a year. Forcing resets more often than that has been shown to reduce security, because users end up reusing and simplifying passwords. Passwords can be synced across linked network systems and accounts to reduce the number of passwords required.
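The policy points above (20-character minimum with mixed character classes, one password per account, resets no less often than every 6 to 12 months) can be turned into an automated check over a vault export. The Python script below is an added example, not code from Compulite or from any of the password managers listed; it assumes the vault has been exported as a list of records with an account name, the password and the date it was last changed, and the four records in SAMPLE_VAULT are constructed for illustration. It also shows how a generator built on the operating system's CSPRNG produces passwords that satisfy the same policy.

```python
import secrets
import string
from datetime import date

# Policy values taken from the article: at least 20 characters, a mix of
# upper/lower case letters, digits and symbols, unique per account, and a
# reset every 6 to 12 months. 365 days is the upper bound of that range.
MIN_LENGTH = 20
MAX_AGE_DAYS = 365
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"

# Hypothetical audit date, used by the sample run and the sample data below.
AUDIT_DATE = date(2017, 6, 1)


def check_complexity(password: str) -> list[str]:
    """Return the policy rules the password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    return problems


def generate_password(length: int = MIN_LENGTH) -> str:
    """Generate a policy-compliant password from the CSPRNG (secrets module).

    Candidates are drawn uniformly and rejected until every class is present,
    which avoids the biased "one of each class, then shuffle" construction.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_complexity(candidate):
            return candidate


def audit_vault(entries: list[dict], today: date) -> dict[str, list[str]]:
    """Audit vault records {account, password, last_changed}.

    Flags weak passwords, passwords reused across accounts and passwords older
    than MAX_AGE_DAYS. Returns {account: [findings]}; compliant accounts are
    omitted. Findings name the other accounts, never the password itself.
    """
    # Group account names by password value to detect reuse.
    seen: dict[str, list[str]] = {}
    for e in entries:
        seen.setdefault(e["password"], []).append(e["account"])

    findings = {}
    for e in entries:
        issues = check_complexity(e["password"])
        others = [a for a in seen[e["password"]] if a != e["account"]]
        if others:
            issues.append("reused on: " + ", ".join(sorted(others)))
        age = (today - e["last_changed"]).days
        if age > MAX_AGE_DAYS:
            issues.append(f"last changed {age} days ago (limit {MAX_AGE_DAYS})")
        if issues:
            findings[e["account"]] = issues
    return findings


# Constructed sample vault export: hypothetical accounts and passwords.
SAMPLE_VAULT = [
    {"account": "bank-portal", "password": "Tr0ub4dor&3-Correct-Horse!!",
     "last_changed": date(2017, 1, 15)},
    {"account": "crm", "password": "Tr0ub4dor&3-Correct-Horse!!",
     "last_changed": date(2017, 1, 15)},
    {"account": "social-media", "password": "summer2016",
     "last_changed": date(2016, 5, 1)},
    {"account": "fileserver-admin", "password": "xK9#mPq2$vL7@nR4wZ1!",
     "last_changed": date(2017, 3, 1)},
]

if __name__ == "__main__":
    for account, issues in audit_vault(SAMPLE_VAULT, AUDIT_DATE).items():
        print(account)
        for issue in issues:
            print("  -", issue)
    print("generated replacement:", generate_password())
```

Run against the sample data, the audit reports the shared password on bank-portal and crm, and flags social-media for being too short, lacking upper-case letters and symbols, and being 396 days old; fileserver-admin passes. The reuse check compares password values directly, so it should run on the vault export only inside the same protected environment that holds the vault.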
While the password management policies and tools you select will vary with your network and end-user requirements, properly storing credentials and maintaining appropriate security levels is a baseline your customers, clients and partners are sure to expect of your organization. End-user training sessions, like the ones Compulite provides, are vital to ensure that security best practices are in place and followed at all levels of your organization.