Should Your Business Use A Password Manager?
Password security is a major issue that no business or enterprise can ignore. Countless hacking attempts succeed due to inadequate password security. However, remembering all those strong and (hopefully) unique passwords can be tedious, to say the least. Are password managers an alternative? Let’s take a look.
The trouble with password security
Verizon’s 2017 Data Breach Investigations Report found that 81% of hacking-related breaches were the result of stolen or easily compromised passwords. A password acts as a key to online services and enterprise data.
First, a simple password is easy for a malicious actor to guess via brute force, giving them unauthorised access. Most services, therefore, demand a complex password. Memorising a single complex password is not a problem on its own.
Furthermore, once a password (complex, or not) has been illegally captured, it is often tested against other services. If the same password is used with multiple services, hackers can gain access to all those services. So, in addition to complex passwords, we also need unique passwords. Here’s the rub: it is impossible to remember several complex and unique passwords across multiple services. Clearly, businesses need a solution.
Single Sign-On (SSO) vs. password managers
Before we take a closer look at the enterprise-readiness of password managers, we need to consider single sign-on, or SSO. Organisations can use SSO to do away with passwords to a large degree, as SSO requires the user to remember just one set of credentials. By using Active Directory or SAML, users are automatically given access to the services for which they have permission.
Is SSO the solution to our password conundrum? Only up to a point. While single sign-on is effective where it is supported, SAML is only supported by a small minority of business applications. Likewise, solutions such as Azure Active Directory SSO are effective, but these offer a limited number of supported applications.
Use SSO alone and your employees will still need to juggle plenty of unique passwords – or simply use the same password for multiple services. What’s more, SSO does not protect an employee’s personal accounts. Here, a strong enterprise password manager can do the trick.
Password managers have grown up
It is easy to reject password managers for business and enterprise use out of hand. For years, password managers such as LastPass did an excellent job of facilitating password management for individuals who wanted to use strong and unique passwords for every service that they access.
Be that as it may, consumer products rarely fit well into the business environment, and password managers had weaknesses that did not fit into an enterprise scenario. Managing large numbers of users was problematic, while revoking user rights once they had been granted was not easy.
The companies behind popular password managers inevitably noticed a market gap: the provision of enterprise-grade password management tools to businesses and enterprises, tools that could withstand determined attackers while possessing the necessary management features. But are these business-grade password managers worth their salt?
Benefits of enterprise password managers
Numerous enterprise password managers are now available, from grown-up personal password managers through to offerings that were built for businesses from the ground up. The benefits are notable:
- Password hygiene. Password managers help users choose safe passwords that are unique. While IT managers can encourage users to practise password hygiene, an on-screen reminder, plus an automatic check for duplication, is simply far more effective.
- Credentials management. A good enterprise password manager will include sophisticated ways to manage credentials. This would include user-level access to individual applications and the ability to automatically grant access to an application across the enterprise. Enterprise password managers also enable you to instantly block all access rights for a user, even if the user chose their own passwords.
- All applications are covered. With the profusion of cloud applications, it is difficult to segregate company data, and it is highly possible that some data will end up in the shadow cloud - in other words, on cloud storage outside enterprise control. A password manager encourages the type of behaviour that ensures all applications are protected with solid passwords, including the shadow cloud.
Where password managers can prove a hassle
There are, of course, drawbacks to using password managers. Some enterprise applications will require SSO and simply won’t integrate with a password manager. In this case, your business can choose to use a mix of SSO and password managers, ensuring that you capture login details that are effectively off the enterprise grid.
However, the nature of password managers means that administrators do not have the same levels of control over the underlying applications, with a lack of usage and access monitoring a possible concern.
A useful tool in the security mix
It is difficult for a business to fully control data and access rights. One road to comprehensive control is the use of multiple tools. Here, an enterprise password manager can play a role. By providing an alternative to re-used passwords, text files, and spreadsheets, your business can add an additional layer of safety.