The Covid-19 pandemic acted as a catalyst for most organizations around the world to turn to remote work, in some cases permanently, and the speed at which businesses had to enable remote access often meant sacrificing security. One of the biggest security challenges currently facing organizations with remote workforces is password management.
Hackers are finding ever-more-sophisticated ways to crack victims’ passwords. We now see a threat landscape comprised not only of relentless brute force attacks, which are programmed to guess passwords until they’re cracked, but also highly targeted social engineering attacks, which trick users into giving bad actors sensitive information such as login credentials. Unfortunately, a vulnerable remote worker using their “qwerty12345”-protected laptop is a prime target for both of these attacks. Because yes – “123456”, “password” and “qwerty” are consistently the most commonly used passwords across the globe.
Without the right security measures in place, working from home can be a huge enabler of password breaches and account compromise attacks. The reasoning behind this is simple: remote workers tend to use their personal devices for work. For some people, that means signing into Teams or Slack on their cell phone so that they receive notifications when they’re on their lunch break. For others, it means using their own laptop for absolutely everything. Generally, personal devices just aren’t as secure as those which are corporate issued, so a lot of organizations are putting their security in the hands of their employees’ smartphones. In fact, a recent study found that only 17% of remote workers in the US use devices owned and supplied by their employer.
When 80% of hacking breaches involve the use of stolen credentials (Verizon), it’s critical, now more than ever before, that you take steps to secure your employees’ business accounts with strong, encrypted passwords, no matter what device they’re working from. That might seem like a mammoth task, particularly if your employees are among those culprits who haven’t changed their password in more than six months. For the record, that’s 14% of remote workers in the US and a shocking 44% in EMEA countries. But it doesn’t have to be a mammoth task.
The solution? Enterprise password management.
What Is Enterprise Password Management?
Enterprise password management solutions help organizations protect their employees’ business accounts by enabling them to manage the access to these accounts. They do this by helping users to generate and securely store strong passwords, which they can synchronize across all of the devices they use for work – including personal tablets and smartphones. This protects the organization against hacking threats, whilst making it easy for end users to create and store a strong password for each of their accounts.
To provide this protection, password managers offer key features such as an encrypted vault to securely store and share passwords, and centralized administrative reporting and management capabilities.
How Does Enterprise Password Management Work?
All enterprise password managers have a secure password vault as their core technology. This vault, personal to each employee, stores your login credentials so that you can retrieve them easily, without the need for insecure sticky notes or a spreadsheet that you have to keep updating. The vault encrypts your database of passwords and secrets with a key derived from a master password: this is the only password that you need to remember, and you use it to sign in to your vault at the start of your session.
Once you’ve signed in, the manager automatically fills in web-based login forms using the credentials stored in your vault. If you come across a form that you haven’t created an account for yet, the password manager generates a random, complex password for your new account and automatically adds it to your vault. This means that you need only sign in to your vault once, and you’ll have easy, automatic access to all of your business accounts without having to remember any login details.
Enterprise password management solutions also feature robust management and reporting tools, which allow you as an IT admin to do two things. Firstly, you can configure password creation and sharing policies. Secondly, you can generate reports detailing how users are interacting with the platform and what your organization’s password security level looks like both overall and at a per-user level, so that you can make improvements where needed.
Why Does Your Business Need Password Management?
Before we can talk about the need for a password manager, we need to understand the threats to password security that organizations are facing every day. Without further ado, may I present to you five of the most common password attack methods:
- Brute force attacks are the easiest for hackers to perform, which is what makes them so popular. The hacker uses a computer program to keep guessing the password to a user’s account, starting with the most commonly used passwords and gradually working through all possible password combinations letter by letter until the hacker gains access to the account.
- Dictionary attacks work in a similar way to brute force attacks, except that they cycle through common words rather than by-letter combinations. Dictionary attack programs, again, start with the most common and basic passwords, including variations like swapping letters out for numbers, and work their way up through to more complex passwords.
- Social engineering attacks like spear-phishing involve the hacker masquerading as a trusted contact and sending their victim a targeted, personal email requesting their login credentials. In order for their message to seem more genuine, the attacker often trawls through their victim’s social media to find information about them and personalize each message.
- Spraying attacks work in the same way as brute force attacks, except that they target thousands of accounts at once (brute force attacks typically focus on one account at a time). The hacker uses a program to try their luck accessing a whole range of random accounts with a few commonly used passwords. This allows them to avoid account lockout policies and target multiple organizations at once.
- Pharming attacks, also known as “phishing without a lure”, involve the hacker installing malicious code onto their victim’s device. This code redirects the victim to a fraudulent website where they’re encouraged to enter sensitive information.
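The difference between the brute force and spraying entries above is what a defender looks for in the login logs, so here is an added detection example (not from the original article): it reads a constructed failed-login log and reports brute force (many failures against one account) separately from spraying (few failures each against many accounts from one source). The log format, field names and thresholds are assumptions.

```javascript
// Added example (not from the original article): telling brute force apart
// from password spraying in failed-login records. Log format, field names
// and thresholds are assumptions, and the log lines below are constructed.
const sampleLog = [
  '2024-03-01T09:00:01Z FAIL user=alice src=198.51.100.7',
  '2024-03-01T09:00:02Z FAIL user=alice src=198.51.100.7',
  '2024-03-01T09:00:03Z FAIL user=alice src=198.51.100.7',
  '2024-03-01T09:00:04Z FAIL user=alice src=198.51.100.7',
  '2024-03-01T09:00:05Z FAIL user=alice src=198.51.100.7',
  '2024-03-01T09:01:00Z FAIL user=bob src=203.0.113.5',
  '2024-03-01T09:01:01Z FAIL user=carol src=203.0.113.5',
  '2024-03-01T09:01:02Z FAIL user=dave src=203.0.113.5',
  '2024-03-01T09:01:03Z FAIL user=erin src=203.0.113.5',
  '2024-03-01T09:02:00Z OK user=frank src=192.0.2.10',
  '2024-03-01T09:02:30Z FAIL user=frank src=192.0.2.10',
];

function parseLine(line) {
  const m = /^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$/.exec(line);
  return m ? { ts: m[1], result: m[2], user: m[3], src: m[4] } : null;
}

// Brute force shows up as many failures against one account, so a per-account
// lockout (the policy the article mentions) catches it. Spraying keeps each
// account below that threshold, so it only becomes visible when failures are
// grouped by source and counted as distinct accounts.
function detectPasswordAttacks(lines, { bruteForceMin = 5, sprayMinAccounts = 4 } = {}) {
  const failsPerUser = new Map();
  const accountsPerSrc = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.result !== 'FAIL') continue;
    failsPerUser.set(e.user, (failsPerUser.get(e.user) || 0) + 1);
    if (!accountsPerSrc.has(e.src)) accountsPerSrc.set(e.src, new Set());
    accountsPerSrc.get(e.src).add(e.user);
  }
  const alerts = [];
  for (const [user, n] of failsPerUser) {
    if (n >= bruteForceMin) alerts.push({ type: 'brute_force', user, failures: n });
  }
  for (const [src, accounts] of accountsPerSrc) {
    if (accounts.size >= sprayMinAccounts) alerts.push({ type: 'password_spray', src, accounts: accounts.size });
  }
  return alerts;
}

console.log(detectPasswordAttacks(sampleLog));
```

A spray spread across many source addresses evades the per-source grouping; counting distinct accounts that fail within a time window across all sources is the usual next step.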
Attackers are constantly trying to find ways to steal corporate data, either to sell on the dark web or threaten the exposure of secrets unless the victim organization pays a ransom. Credential theft can be an easy way in, made even easier by a weak password culture.
According to a study from LastPass, the average employee has 191 passwords to manage. It’s no wonder, then, that we often end up reusing passwords or creating simple ones, prioritizing memorability over security. Unfortunately, this makes the attacks we just talked about that much easier to carry out and much more effective. Think of it this way: a simple password will take less time to crack and, if you’re using it for multiple accounts, the hacker then has access to all of those, too.
This is where enterprise password management comes in.
A password manager makes it easier for employees to create and use unique, complex passwords that are harder for an attacker to crack, which increases your organization’s security. It also takes away the burden of having to remember passwords for hundreds of accounts: each employee only needs to remember one master password to access their vault.
Finally, enterprise password management solutions show you, as an admin, how passwords are used, stored and shared across your organization. With this understanding, you can pinpoint areas of vulnerability and target support, training and policies to patch those weaknesses.
What Features Should You Look For In An Enterprise Password Management Solution?
There are a lot of password managers out there, and it’s important that you know what features to look out for when you’re comparing them. Of course, every organization will have a different business need, which means that they’ll all need a slightly different feature set, but there are some staple capabilities that everyone can benefit from. Here’s our list of key features that any organization needs in an enterprise password management solution:
1. Encrypted Password Vault.
The password vault itself is the core component of any password management solution. Here, your passwords are all safely encrypted and stored so that you don’t have to remember them. A particularly strong password vault will have the capability to generate secure, random passwords. It will also provide an indication as to the strength of your existing passwords and tell you if you need to update any of them.
When comparing vaults, it’s important to find out how you can import your existing passwords. Doing this manually for every account would be time consuming and could put off a lot of employees from using the platform, so you need to make sure that the solution allows you to import passwords directly from your browser.
You should also find out the level of encryption that the vault uses to protect each password. AES 256-bit encryption is widely considered the most secure choice, because it is an open, publicly specified standard that cryptographers have scrutinized for decades. Remember, though, that the cipher is only as strong as the key that protects it, so also ask how the vault derives that key from the master password.
2. Secure Password Sharing.
At work, it’s inevitable that you’re going to have to share passwords with other people, usually when there are multiple users accessing one account or license. Storing passwords in a shared Excel spreadsheet isn’t secure, and it can be very time consuming to keep the shared file up to date. Sending passwords via instant messaging apps like Slack or emailing them may be quick, but it’s even less secure. These methods of password sharing are also problematic in terms of account management: admins have no clear overview of which users hold passwords to which accounts.
Because of this, it’s important that password managers include secure password sharing functionality within the vault. This is usually as simple as selecting the password, selecting the user you want to send it to, and clicking “Send”, though it can sometimes be a little more involved and require admin approval. You might also want an option that allows you to restrict sharing to certain users, or groups of users.
3. Centralized Admin Console.
Any cybersecurity solution needs a central admin console with a user-friendly interface, and password managers are no exception to this. From the admin console, you should be able to set granular policies around password management, including master password requirements, sharing permissions and the number of unsuccessful login attempts a user can make before they’re locked out. You should also be able to revoke access to passwords.
Another important consideration of the admin console is its reporting capabilities. You need to be able to generate reports on how users are interacting with the solution, how well it’s operating and whether the manager is detecting any security risks in terms of password health. You might also need functionality to generate reports for compliance – these could include analysis of admin activities.
4. Simple Deployment And Easy Integration.
A lot of people tend to overlook this feature in favor of examining the technology behind a solution but, if you can’t deploy it, that technology is rendered useless. There are a few things to consider when it comes to deployment.
Firstly, do your IT teams have the resources necessary to roll the product out? If you’re an SMB with a small IT team, you might want to choose a solution that’s simple to deploy and doesn’t require a lot of technical resource or know-how to do so. If you’re a larger enterprise, you might be willing to accept a more technically complex deployment in return for the promise of a solution that’s highly customizable.
Secondly, you need to make sure that the password manager is easy for your employees to set up. To do that, ask the following questions of each solution: Can you send out a simple enrolment email? How do employees create an account? Is there a mobile app they can install? Is there a browser extension they can install?
5. Efficient Customer Support.
All solutions come with potential teething problems and challenges, whether in terms of deployment, technology or (touch wood) in the case of an actual attack that you need to resolve. When these things happen, you need to be able to contact your vendor for support. Even more importantly, you need to be able to count on the fact that they’ll respond quickly and actually offer that support.
Most cybersecurity vendors offer support via online help pages or forums and via email, but sometimes the quickest way to solve your problem can be by speaking to someone directly. It’s important that you can access support via live chat or a phone line.
Finally, check that the support is available seven days a week and out of your office hours – cybercriminals don’t always work 9-5.
Traditional password protocols aren’t strong enough to secure your organization against the most advanced cyberattacks. On top of that, it can be a nightmare to try and manually manage all of the account credentials linked to your business domain – if each employee you manage has around 191 passwords, that quickly adds up to an awful lot of data to track. And every one of those passwords has the potential to open the door and invite a hacker into your organization’s databases.
A strong enterprise password management solution takes the worry and hassle out of managing credentials for both employees and admins: it ensures that your employees are using strong passwords, and it places a secure layer of encryption between each employee account and the cybercriminal trying to gain access to that account.
So, really, the question isn’t, “Do I need a password manager?” – rather, it’s, “Which password manager do I need?” To help you get started on the path to answering this question, we’ve put together a guide to the top ten password managers for business, including information on each solution’s vendor and main features, as well as a recommendation of who each solution is best suited to.
Don’t let “Password1” be your downfall.