The Importance of Password Managers

By:  Hart Johnson, MSCSIA, CEH, CHFI

In our previous blog article, Cyber Security Part 1: Account Security, we talked about the importance of securing your user accounts.  As a quick review, we provided four quick tips to help secure your user accounts:

  1. Use a unique password per service 
  2. Create a complex and long password
  3. Use a password manager
  4. Enable multi-factor authentication (MFA)

In this post, we will specifically focus on the use of password managers and why they are so crucial to a successful account security program.

What is a password manager?

To put it as simply as possible, a password manager is a storage system for all of your passwords, for your various user accounts. These come in all shapes and sizes. Some are cloud based, some are locally stored, and some are built into your web browser. Which one you choose, really depends on your threat model and unique needs. We are mainly going to focus on cloud based, enterprise/business level password managers in this article.

How does a password manager help?

As stated in our previous article, you should be using a unique and complex password for each service. So with those ground-rules, how are you supposed to remember long, complex and unique passwords for each service you have? The answer for most, is they don’t! Even when a platform, such as OptimisPT, has strict password requirements, most users will pick one password that meets the bare minimum requirements and use that across all of their services. The issue with that, is if one of your accounts is breached somehow, they all are at that point. Plus, do you remember each account you have ever setup with that password? Do you remember which accounts might just use a variation of that password? Did you know that based on a study from NordPass, the average person has around 100 different accounts they login to? This is exacerbated by the current COVID pandemic we are facing, with more people working from home, needing access to different systems, etc.

So what typically happens in these scenarios? Well the vast majority of people will simply use the same password across multiple services. So how do we stop that? With a password manager! The password manager stores all of your login credentials, fills them in automatically for you on the appropriate site, all while needing you to only remember ONE strong password to login to the manager itself. In doing so, you can make each password unique, long, and complex (most password managers have a password generator that takes care of this for you). No more remembering passwords, no more forgetting what accounts you already have, just one password to have access to everything you need. One password to rule them all, one password to find them (you get where I am going with this).

So isn’t that less secure? All of my passwords in one place sounds like a bad idea!

I like where your head’s at! I would agree with that statement, if you were keeping all of your passwords in a spreadsheet on your computer or in your cloud provider. However, these big enterprise/business grade password managers are in a completely different league. Their business is security. Add Multi Factor Authentication on top of using a strong password for your “vault” makes it even better! What you don’t want, is to choose some fly-by-night password manager that hasn’t been properly vetted or assessed. I typically recommend doing your due diligence and making sure that it is a properly vetted and tested platform, as well as understanding the feature set it offers at each level. Going open-source, is even better in most cases, since that code is constantly under scrutiny and you can see what is under the hood.

Now, if you use a weak password for your vault and don’t turn on multi-factor authentication, sure it probably isn’t great, because if that vault is breached, all of your passwords are. But that really depends on your threat model, and what other protections you have in place. Am I saying that a tried and tested commercial password manager is impenetrable or “un-hackable”? No, in reality, anything connected to the internet has the potential to be breached, with enough time and resources. With that said, the threat model makes that unlikely, and the implementation of the organization (meaning the password managers) security policies and procedures will make or break that.

So how does a typical password manager work?

Most of the modern password managers have an app/browser extension, that automatically saves and fills in your passwords as you need them. The nice thing about this, is the first time you login to a platform, it can save the password for you, and then from that point, it will fill in the form every time you visit that page. Most also can generate a password for you that is long, complex, and unique when you are signing up for a new service. After a bit of training of your users, it becomes second nature, and they probably won’t be able to imagine a time they didn’t have it.

A feature that isn’t as widely talked about, is also how this ties into phishing. If you let your password manager do its work, it will detect that the URL you are visiting doesn’t match the saved URL in your password manager. Most won’t show you the results then, so it might be an early warning indication that you are not on the legitimate login page of the service!

Ok, you convinced me, which one should I use?

Another fantastic question! While I don’t feel this article is the place for recommendations, I will give you these questions you need to ask yourself that are specific to your organization:

  1. What is your budget?
    • Most password managers are a per user license fee. Do you have the budget to support that? 
  2. What are the features you need for your organization?
    • Do you want to implement password policies and controls? You will probably need the enterprise plan for most of these.
  3. Who is going to manage this?
    • Do you have someone capable in the IT world to help with this rollout? Do you feel comfortable managing this? Each one has its own set of responsibilities and features that make management different.
  4. Would you be comfortable trusting the password manager in your browser? 
    • Most modern browsers have a built in password manager. The feature set is largely limited and can have some caveats to user control and access that need to be taken into account.

I would highly recommend that you look into several different password managers and compare the feature set.

One last “push” towards a password manager, take a look at this infographic on the cost of a data breach. These are scary numbers, so the investment you make in your password manager could be a differentiating factor in your organization’s security program.