Strong passwords are the linchpin of any company’s cyber security strategy. IT teams around the world have put in place policies surrounding password security and especially password strength.
With numerous high-profile social media data breaches over the years, password reuse has become a significant issue. Many people use the same password for their personal and work accounts, so another company’s poor security can quickly become your problem.
Even with strong passwords, your organization can still be at risk of breaches because of passwords being reused across accounts and websites. In 2019, Microsoft compared their password databases with breached credential databases and found 44 million accounts that were reusing passwords. Microsoft then forced a password reset on all these users.
The best way to ensure users can remember and manage all their strong passwords across their tech ecosystem is to use a password manager. This blog post will walk you through the basic concepts of password managers and look at the most popular options.
What Is A Password Manager?
Password managers are applications that remember passwords and usernames for the various sites and software you use. The best ones take it a step further and generate strong, randomized passwords for all your accounts. Most popular options also have browser extensions that automatically fill in your username and password when you visit a corresponding URL. Other advanced features include scanning the Dark Web for compromised credentials that cyber criminals have published.
What Types Of Attacks Does A Password Manager Prevent?
Password managers are not only a more convenient way to remember all the passwords you have to enter during a typical workday; they actually help prevent three common types of password attack:
Credential stuffing
This type of attack exploits the fact that most people reuse their passwords: the attacker takes passwords obtained through data breaches and tests them against other accounts tied to the same email address. The best protection is a password manager that lets you keep a unique password for each account, so that only one account is compromised in the event of a breach.
Dictionary attacks
This type of brute force attack tries candidate passwords one after another, cycling through letter and number combinations, until the account is cracked. It becomes even faster and easier if the password is a series of numbers or a common word. A password manager lets you easily maintain and use strong, randomized passwords with letters, numbers, and special characters, which thwart these attacks.
Social engineering
In a 2019 study, Google found that 59% of respondents had used personal information in their password, such as a pet's name. This habit makes hackers' work very easy, since this information can easily be found on social media, often without ever interacting with the user. A good password manager will warn you when you select a weak password, and its graphical strength feedback will encourage you and confirm once you have chosen a strong one.
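The dictionary-attack and social-engineering sections above both come down to the same arithmetic: a password drawn from a wordlist or from facts about you is one pick from a small set, while a generated password is many independent picks from a large character set. The following Go program is an added example written for this post, not code from any password manager vendor; it generates a password with the operating system's cryptographic random source the way a manager's generator does, and computes the search-space size in bits for both kinds of password. The character classes, the 100,000-entry wordlist size and the 10 billion guesses-per-second attacker rate are assumed figures chosen for illustration.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Character classes the generator draws from (an assumed policy, not any product's setting).
const (
	lower   = "abcdefghijklmnopqrstuvwxyz"
	upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits  = "0123456789"
	symbols = "!@#$%^&*()-_=+[]{};:,.<>?"
)

var charset = lower + upper + digits + symbols

// HasAllClasses reports whether pw contains at least one character from every class.
func HasAllClasses(pw string) bool {
	return strings.ContainsAny(pw, lower) && strings.ContainsAny(pw, upper) &&
		strings.ContainsAny(pw, digits) && strings.ContainsAny(pw, symbols)
}

// GeneratePassword draws each character uniformly from charset using crypto/rand
// (never math/rand, whose output is predictable) and re-samples until every
// class is present, so a class-based site policy cannot reject the result.
func GeneratePassword(length int) (string, error) {
	if length < 4 {
		return "", errors.New("length must be at least 4 to cover every character class")
	}
	for {
		b := make([]byte, length)
		for i := range b {
			n, err := rand.Int(rand.Reader, big.NewInt(int64(len(charset))))
			if err != nil {
				return "", err
			}
			b[i] = charset[n.Int64()]
		}
		if pw := string(b); HasAllClasses(pw) {
			return pw, nil
		}
	}
}

// EntropyBits is the size of the search space, in bits, for a secret made of
// `length` independent picks from `choices` equally likely options. A single
// dictionary word is one pick from the wordlist; a generated password is many
// picks from the whole charset.
func EntropyBits(choices, length int) float64 {
	return float64(length) * math.Log2(float64(choices))
}

// YearsToExhaust estimates how long an attacker making guessesPerSecond
// attempts needs to try every candidate in a space of the given entropy.
func YearsToExhaust(bits, guessesPerSecond float64) float64 {
	return math.Pow(2, bits) / guessesPerSecond / (365.25 * 24 * 3600)
}

func main() {
	pw, err := GeneratePassword(16)
	if err != nil {
		panic(err)
	}
	const rate = 1e10 // assumed offline guessing rate in guesses per second (constructed figure)
	random := EntropyBits(len(charset), 16)
	word := EntropyBits(100000, 1) // one word from a 100,000-entry wordlist (constructed size)
	fmt.Printf("generated %q: %.1f bits, %.3g years to exhaust\n", pw, random, YearsToExhaust(random, rate))
	fmt.Printf("single dictionary word: %.1f bits, %.3g years to exhaust\n", word, YearsToExhaust(word, rate))
}
```

The point of the comparison is that a pet's name or a season plus a year is, from the attacker's side, a single pick from a list they already hold, so its exhaustion time is a fraction of a second, while sixteen random characters exceed 100 bits and sit beyond any realistic guessing budget. A password manager's generator is what makes the second kind practical to use everywhere.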
The Rise Of Password Managers
Password managers have grown in popularity over the years and are now even available on mobile devices. Yet, a recent survey found that 65% of Americans do not trust password managers. There have been several misconceptions surrounding these applications, but they are undeniably the safest option for handling passwords.
The main fear surrounding password managers is a simple one: The password manager could get hacked, and criminals would then have access to all your information.
However, that fear is unfounded for several reasons. Popular password managers use AES-256 encryption, which experts estimate would take 6.4 quadrillion years to break using typical brute force hacks.
Additionally, password manager companies use a technique called zero knowledge. The gist of zero knowledge is that your encrypted password file, master password, and security key are never kept on the same server. Hackers would have to successfully break through these three layers of security to access information.
LastPass, a leading password manager, has had one security breach in its existence, in 2015. Still, hackers could only access users' email addresses, not passwords or other sensitive information, because of its use of the zero knowledge technique.
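To make the zero knowledge idea concrete, here is an added Go example written for this post; it is a simplified model, not the code of LastPass or any other product, and the key derivation settings are assumptions. The vault is encrypted on the user's device with AES-256-GCM under a key derived from the master password. What the server receives is only a salt, an encrypted blob, and a separate authentication hash derived one further one-way step beyond the vault key, so even a complete copy of the server's records contains neither the master password nor the key needed to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const iterations = 100000 // KDF work factor (assumed; real products tune it or use scrypt/Argon2)

// Stored is everything the service ever receives; the master password and the vault key exist only on the device.
type Stored struct {
	Salt       []byte
	AuthHash   []byte // lets the server verify a login without being able to decrypt
	Ciphertext []byte // nonce || AES-256-GCM ciphertext || tag
}

// pbkdf2SHA256 is single-block PBKDF2-HMAC-SHA256 (32 bytes out); the standard library has no pbkdf2 package.
func pbkdf2SHA256(password, salt []byte, rounds int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < rounds; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// DeriveKeys yields the local vault key and, one more one-way step beyond it,
// the authentication hash the server may store without learning the key.
func DeriveKeys(master string, salt []byte) (vaultKey, authHash []byte) {
	vaultKey = pbkdf2SHA256([]byte(master), salt, iterations)
	authHash = pbkdf2SHA256(vaultKey, []byte("login"), 1)
	return vaultKey, authHash
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptVault seals the plaintext vault under vaultKey with a fresh random nonce.
func EncryptVault(vaultKey, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(vaultKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptVault reverses EncryptVault; a wrong key fails the GCM tag check rather than yielding garbage.
func DecryptVault(vaultKey, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(vaultKey)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Enroll runs on the client and returns only what gets uploaded.
func Enroll(master string, vault []byte) (Stored, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Stored{}, err
	}
	vaultKey, authHash := DeriveKeys(master, salt)
	ct, err := EncryptVault(vaultKey, vault)
	return Stored{Salt: salt, AuthHash: authHash, Ciphertext: ct}, err
}

// ServerLogin is the only check the server can perform: a constant-time comparison.
func ServerLogin(s Stored, presented []byte) bool { return hmac.Equal(s.AuthHash, presented) }

// Unlock runs on the client with the downloaded record and the locally typed master password.
func Unlock(master string, s Stored) ([]byte, error) {
	vaultKey, _ := DeriveKeys(master, s.Salt)
	return DecryptVault(vaultKey, s.Ciphertext)
}
```

The flow is Enroll on the device, ServerLogin on the service with the hash the client presents, and Unlock back on the device after the record is downloaded. Note what an attacker holding the server's copy still has: the salt and the authentication hash, which let them guess master passwords offline at the cost of the full key derivation per guess. That is why the master password itself must be strong and the KDF deliberately slow; zero knowledge removes the server as a source of plaintext, not the need for a good master password.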
The password manager market is divided into two categories: standalone applications and features integrated into browsers or operating systems. Both operate in a similar fashion, but it's essential to understand both to make the right choice.
The first three choices listed below have been rated as the best options by PC Mag.
Keeper
Keeper is one of the password manager industry’s most respected options for a reason. Though the free version will be limiting for some users, the core functionality is there in spades, including two-factor authentication, secure password sharing, and an option to store critical files and messages.
Keeper’s biggest strength lies in the design and cross-functionality of both its apps, which are available across multiple devices and operating systems, and browser extensions. These capabilities ensure you can easily create or save passwords in just a couple of clicks or taps, in addition to filling out web forms on oft-frequented sites.
Dashlane
Dashlane is another veteran in this category and continues to make strides in providing users with a full-stack password management solution. It offers all the essential tools and features you'd expect, keeping it in step with Keeper and LastPass. VPN protection and Dark Web scanning are unique features that may entice pro-level customers.
There are, however, a couple of minor drawbacks. Dashlane users can only sync their password information across all their devices through the premium pricing tier, which is more expensive than the competition. Some users have also reported issues with multipage login functionality. Overall, though, it remains a powerful option for password management.
LastPass
One of the first companies to launch and popularize password managers, LastPass has a robust set of features. It has a straightforward interface that allows users to classify passwords in categories and even save other documents, such as driver's licenses, securely.
LastPass has desktop and mobile versions, and while the free version is full-featured, it truly shines in its business and enterprise versions. Its admin console allows you to set security policies, audit password strength across your entire organization, and manage multi-factor authentication for the entire company.
1Password
1Password is the other major player in the password manager industry, and while it has a different interface, it has many similarities to LastPass. 1Password’s reporting and integrations are more advanced and offer very robust password strength test features.
1Password also has several partnerships with mobile app developers that integrate its features directly into their apps, so users can log in from within the app when using their smartphones.
Browser password managers
If you use Google Chrome or Microsoft Edge, you’ve seen the prompts to save your password to the browser whenever you log in to a website. While this might be convenient, the main issue is that it isn’t really a password manager.
Browsers don’t require a master password before accessing all your passwords. As soon as you open a browser window, all sites you visit log you in automatically. Additionally, browsers may not have an admin interface to oversee user passwords and assess their strength as password managers do.
Apple Keychain
Apple’s Keychain application is similar to a browser’s password manager but works offline and on mobile. It’s not tied to a browser and can be used to log in to desktop software as well. It also doesn’t require a master password to access passwords, only the computer’s login or smartphone PIN.
Its admin capabilities are minimal and most likely wouldn’t be suitable for most organizations. It does, however, offer solid randomized passwords for newly created entries and logins.
Using Password Managers Correctly
Password managers are a crucial aspect of a well-rounded security policy, but they need to be used correctly to reach their full potential. Here are a few best practices surrounding password managers:
1. Randomize your passwords
The real strength of password managers lies not in storage but in creating strong passwords for all your logins. Ensure your users leverage the password creation tool to select strong, randomized passwords unique to each account.
2. Two-factor authentication
Most password managers offer various options for two-factor authentication, from SMS to separate authenticator apps. While this is an extra step that might be tedious for your users, it dramatically increases security.
3. Run Tests
Another common admin feature of enterprise password managers is a test feature that allows you to see if your users’ passwords are strong and if they’re being reused. It’s a good idea to run this test monthly to catch any vulnerabilities.
4. Shared passwords
In an IT environment, where many users require access to a shared or generic account, password managers can also be used to safely share passwords with those who have permission to use them.
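The monthly test described in step 3 boils down to two questions for every vault entry: is this password used anywhere else, and does it meet the policy? The Go program below is an added example written for this post, not an export of any product's audit feature; it runs those two checks over a constructed sample vault. The entry layout, the policy (at least 12 characters and three character classes) and the sample records are all assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"unicode"
)

// Entry is one vault record as an admin report might present it (constructed layout).
type Entry struct {
	Site, Username, Password string
}

// Finding is one problem the audit reports; Kind is "reused" or "weak".
type Finding struct {
	Kind  string
	Sites []string
}

// sampleEntries is a constructed vault: one reused password, one weak one, one strong random one.
var sampleEntries = []Entry{
	{"github.com", "alice@example.com", "Summer2023!"},
	{"slack.com", "alice@example.com", "Summer2023!"},
	{"forum.example", "alice@example.com", "password"},
	{"bank.example", "alice@example.com", "vK8#pL2@qR9$mN4!"},
}

// classCount returns how many of the four character classes pw uses.
func classCount(pw string) int {
	var lower, upper, digit, other bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	n := 0
	for _, b := range []bool{lower, upper, digit, other} {
		if b {
			n++
		}
	}
	return n
}

// IsWeak applies the assumed policy: under 12 characters or fewer than three character classes.
func IsWeak(pw string) bool {
	return len(pw) < 12 || classCount(pw) < 3
}

// Audit groups entries by password so reuse across sites becomes visible, then
// flags every group whose password fails the policy. A shipping product does
// this on the client, comparing hashes, never over plaintext on a server.
func Audit(entries []Entry) []Finding {
	bySecret := map[string][]string{}
	for _, e := range entries {
		bySecret[e.Password] = append(bySecret[e.Password], e.Site)
	}
	var out []Finding
	for pw, sites := range bySecret {
		sort.Strings(sites)
		if len(sites) > 1 {
			out = append(out, Finding{Kind: "reused", Sites: sites})
		}
		if IsWeak(pw) {
			out = append(out, Finding{Kind: "weak", Sites: sites})
		}
	}
	sort.Slice(out, func(i, j int) bool { // deterministic report order
		if out[i].Kind != out[j].Kind {
			return out[i].Kind < out[j].Kind
		}
		return strings.Join(out[i].Sites, ",") < strings.Join(out[j].Sites, ",")
	})
	return out
}

func main() {
	for _, f := range Audit(sampleEntries) {
		fmt.Printf("%-6s %s\n", f.Kind, strings.Join(f.Sites, ", "))
	}
}
```

On the sample vault the report shows one reuse group (github.com and slack.com share a password) and two weak groups; the generated bank password passes. The reuse finding is the one that matters most for step 1 and the credential-stuffing scenario earlier in the post: a breach at either site would hand an attacker a working password for the other.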
Recap
Password managers have grown from a convenient option to an essential portion of a company’s cyber security policy. All your company’s passwords should be managed within this type of software, and ideally, you should encourage your users to utilize one for their personal and family accounts.
Password reuse is a significant threat with a straightforward solution. Maintaining good password hygiene used to be a hassle, with no easy way to monitor your users' password strength.
Implementing a password manager will not only save you time and improve your security, but your users will also soon realize it’s a valuable tool to manage their logins and keep strong passwords at all times.
Protecting your data with a Strong Password Kit
Download this Kit for more password resources that you can share with users.