
What to look for in a password manager?
Username and password remain by far the most frequently used authentication method. As companies digitize, the number of applications each employee has access to grows, and with it, often, the number of passwords per employee. A study conducted by the company LogMeIn in 2019 found that employees in German SMEs have to manage between 30 and 100 passwords.
With this many passwords, people are often tempted to reuse them or to choose “simple” passwords, which often allows criminals to gain unauthorized access to multiple systems.
A modern password manager can help employees cope with this large number of passwords and at the same time reduce the risk to the company from credential theft.
Requirements for a password manager
Since all important user accesses are managed within a password manager, the security of the password manager and of the access data stored in it has the highest priority.
In second place, and no less important, is usability: users will only accept such a solution if it integrates easily into their daily work routine. If it is too complex to use, there is a risk that people will revert to the old habits, such as simple passwords, reuse, and post-it notes on the screen.
Usability of password managers
Through ease of use and proactive support for the user, a password manager can ensure that it is actually used at many points.
Browser plug-ins that recognize registration fields and directly offer to create a secure password for this website can encourage users to create secure passwords and store them directly in the password manager.
The use of biometric authentication methods for the password manager on the device helps users to quickly access their passwords at any time. For security reasons, the password manager encrypts the data in RAM again at regular intervals after the user logs in.
The password manager should also have a mobile client so that it can also be used on smartphones and tablets.
Security of a password manager
General information about security
Major providers of password managers provide basic security features. A central point of the security concept is that the passwords are stored in encrypted form at the provider’s site, while the key is stored locally on the user’s device. This ensures that neither the provider nor possible attackers of the provider can gain access to the passwords stored there in plain text.
The way in which this is implemented varies slightly from one password manager provider to another.
Setting up the emergency mechanisms
At the same time, this also means that if the user forgets their password, the provider has no way of recovering it. Here, in turn, the manufacturers offer different options. It is important that rules exist for these emergency mechanisms to ensure that users actually set them up and that they are designed in such a way that attackers cannot gain access to the password manager via this route.
Likewise, almost all password manager providers offer the option of setting up an emergency mechanism for companies to access employee passwords. It is important to check beforehand how this can be implemented in the specific solution chosen, so that access to the passwords is possible in an emergency. At the same time, administrators must not be able to gain uncontrolled access; processes must ensure that at least 2 people are always involved in establishing such access. The data protection officer should also be consulted on this topic.
Secure authentication with password managers
All password manager providers offer the option of specifying minimum technical requirements for the master password – it is essential to make use of this.
2-factor authentication should always be set up for the password manager – preferably using the TOTP or hardware token functions.
Basic configuration suggestions for password managers
In the area of rights and role concepts, there are currently some differences between the major providers. Not every provider offers the option of a complex distribution of rights and roles. This is particularly important if many people in the company use a password manager in very different working environments. It also becomes more and more important as the number of users increases, since in these cases the administration of individual areas is often carried out locally and the application should offer the possibility of assigning graded administration rights.
Many password managers also offer the option of setting up alerts that send warning messages when certain events occur. Monitoring of incorrect login attempts should always be possible and should be carried out.
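One way to implement the monitoring of incorrect login attempts described above, as an added example that is not taken from any password manager product: the log format, event names, threshold and time window are assumptions, and the sample lines are constructed. It raises one alert per burst of failures and a second, more serious one if a successful login follows the burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log. The format (timestamp user event source_ip)
# is an assumption for this example, not any vendor's export format.
SAMPLE_LOG = """\
2024-05-06T08:00:01 alice login_failed 198.51.100.7
2024-05-06T08:00:09 alice login_failed 198.51.100.7
2024-05-06T08:00:15 bob login_ok 192.0.2.10
2024-05-06T08:00:20 alice login_failed 198.51.100.7
2024-05-06T08:00:31 alice login_failed 198.51.100.7
2024-05-06T08:00:40 alice login_failed 198.51.100.7
2024-05-06T08:05:00 alice login_ok 198.51.100.7
2024-05-06T09:00:00 carol login_failed 203.0.113.5
2024-05-06T09:30:00 carol login_failed 203.0.113.5
"""

def failed_login_alerts(log_text, threshold=5, window_minutes=10):
    """Return (kind, user, timestamp, source) tuples for suspicious login activity."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(deque)  # user -> failure times still inside the window
    flagged = set()                # users whose current burst was already reported
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue               # skip malformed lines instead of crashing
        stamp, user, event, source = parts
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue
        if event == "login_failed":
            q = failures[user]
            q.append(when)
            while q and when - q[0] > window:
                q.popleft()        # forget failures older than the window
            if len(q) < threshold:
                flagged.discard(user)
            elif user not in flagged:
                flagged.add(user)  # alert once per burst, not once per attempt
                alerts.append(("failed_burst", user, stamp, source))
        elif event == "login_ok":
            if user in flagged:    # a guess may have succeeded: escalate
                alerts.append(("success_after_burst", user, stamp, source))
            flagged.discard(user)
            failures.pop(user, None)
    return alerts
print(failed_login_alerts(SAMPLE_LOG))
```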
Reporting can be rounded off with regular reports on the security of the passwords stored in the password manager.
Different admin accounts with different authorizations should also be set up for the administration if this is possible. If possible, the basic configuration of password managers should be set up using a super admin account, which is subsequently not used for regular operation – access should only be possible based on the dual control principle.
This ensures that important features, such as logging, cannot simply be switched off.
Often, some of the previously mentioned functions are not fully available in the standard business version and require the purchase of enterprise licenses. This should also be taken into account when selecting a provider.
Organization
General
Even when a password manager is used, some organizational conditions must still be clarified in addition to the technical measures.
As with any application, employees should be supported in using the password manager as intended through written instructions and notes and, if necessary, through training.
It should also be clearly defined who needs rights to which vaults and who is authorized to release such requests.
Even if it is helpful to use the password manager on several devices, it must be clarified in principle whether installation on private devices is permissible, because this again involves security risks that must be addressed.
Employee offboarding
Similarly, in the offboarding process of an employee or in the event of a successful phishing or social engineering attack, it must be ensured that access rights to the password manager and 2-FA tokens are revoked.
In addition, always remember that employees who are leaving the company generally have the option of writing down passwords from the password manager before they go and continuing to use them afterwards. Thus, a password manager does not replace 2-factor authentication for critical systems or other security measures.
Likewise, it means that the use of accounts by multiple people should generally be avoided.
A password manager can make a very big contribution to helping companies use passwords securely and at the same time make employees’ day-to-day work easier. Nevertheless, an introduction should be well considered and planned so that these goals can also be achieved.