ProSec GmbH


Use password manager in the company

What to look for in a password manager?

Username and password are still by far the most frequently used authentication method. As digitization advances in companies, the number of accounts, and with it the number of applications and often the number of passwords per employee, keeps growing. A study conducted by the company LogMeIn in 2019 found that employees in German SMEs have to manage between 30 and 100 passwords.

Faced with this volume, people are often tempted to reuse passwords or to choose “simple” ones. This is precisely what often allows criminals to gain unauthorized access to several systems at once.

A modern password manager can help employees cope with these challenges: it manages the large number of passwords for them and at the same time reduces the company's risk from credential theft.

Requirements for a password manager

Because all important user credentials are managed inside the password manager, the security of the password manager itself and of the credentials stored in it has the highest priority.

Usability comes second, but it is no less important: users will only accept such a solution if it integrates simply into their daily work routine. If it is too cumbersome to use, there is a risk that people revert to the old habits: simple passwords, password reuse, and post-it notes on the screen.

Usability of password managers

A password manager is used consistently only if it is easy to use and actively supports the user.

Browser plug-ins that recognize sign-up and login fields and directly offer to generate a secure password for that website encourage users to create strong passwords and store them in the password manager right away.

Biometric authentication for the password manager on the device helps users to access their passwords quickly at any time. For security reasons, the password manager re-encrypts the unlocked data in RAM at regular intervals after the user has logged in.

The password manager should also have a mobile client so that it can also be used on smartphones and tablets.

Security of a password manager

General information about security

The major password manager providers offer a basic set of security features. A central element of the security concept is that the passwords are stored encrypted on the provider's side, while the key is kept locally on the user's device. This ensures that neither the provider nor an attacker who compromises the provider can read the stored passwords in plain text.

The way in which this is implemented varies slightly from one password manager provider to another.
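As an added illustration (not code from the original article or from any password manager vendor), the following Python sketch shows this split in a minimal form: the client derives a vault key and a separate login hash from the master password, encrypts the vault locally, and the provider stores only what it cannot decrypt. The names derive_keys, encrypt_vault and Provider are assumptions for this example, and the stdlib-only keystream stands in for a real AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

# Constructed illustration (not ProSec's or any vendor's code) of the model
# above: the master password never leaves the device; the provider holds only
# ciphertext and an authentication hash that cannot be turned back into the
# vault key. A SHA-256 keystream + HMAC tag stands in for AES-GCM (stdlib only).

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def derive_keys(master_password, salt):
    """Client side: slow KDF, then one key for the vault and one for login."""
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                     salt, 600_000, dklen=32)
    # Only the auth hash is sent to the provider; it reveals nothing about vault_key.
    return _subkey(master_key, b"vault"), _subkey(master_key, b"auth")

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_vault(vault_key, plaintext):
    """Client side: fresh nonce, XOR with keystream, MAC over nonce + ciphertext."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_vault(vault_key, blob):
    # Verify the tag first, so a wrong master password or tampering is refused.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

class Provider:
    """Server side: stores salt, auth hash and ciphertext, never a key."""
    def __init__(self):
        self.accounts = {}

    def register(self, user, salt, auth_hash, blob):
        self.accounts[user] = {"salt": salt, "auth": auth_hash, "blob": blob}

    def login(self, user, auth_hash):
        return hmac.compare_digest(self.accounts[user]["auth"], auth_hash)
```

A production service would additionally hash the received login value once more server-side before storing it, and would use a vetted AEAD library instead of the hand-rolled keystream.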

Setting up the emergency mechanisms

At the same time, this means that if the user forgets the master password, the provider cannot recover it. Here, too, the manufacturers offer different options. It is important that rules exist for these emergency mechanisms, both to ensure that users actually set them up and to ensure that they are designed so that attackers cannot use this route to gain access to the password manager.

Likewise, almost all password manager providers offer companies an emergency mechanism for accessing employee passwords. Check beforehand how this works in the chosen solution so that access to the passwords is actually possible in an emergency. At the same time, it must be ensured that administrators cannot gain uncontrolled access: processes must guarantee that at least 2 people are always involved in establishing such access. The data protection officer should also be consulted on this topic.

Secure authentication with password managers

All password manager providers offer the option of enforcing minimum technical requirements for the master password; it is essential to make use of this.

2-factor authentication should always be set up for the password manager, preferably using TOTP or a hardware token.

Basic configuration suggestions for password managers

In the area of rights and role concepts, there are currently some differences between the major providers. Not every provider supports a fine-grained distribution of rights and roles; this matters particularly when many people in very different working environments use the same password manager. It also becomes more important as the number of users grows, since administration of individual areas is then often delegated locally and the application should allow graded administration rights to be assigned.

Many password managers also offer alerts that send warning messages when certain events occur. Monitoring of failed login attempts should always be possible and should be carried out.

Reporting can be rounded off with regular reports on the security of the passwords stored in the password manager.

Different admin accounts with different authorizations should also be set up for administration where the product allows it. If possible, the basic configuration should be done with a super admin account that is not used in regular operation afterwards; access to it should only be possible under the dual control principle.

This ensures that important features, such as logging, cannot simply be switched off.

Often, some of the functions mentioned above are not fully available in the standard business edition and require enterprise licenses. This should also be taken into account when selecting a provider.

Organization

General

If a password manager is used, some organizational framework conditions must nevertheless be clarified in addition to the technical measures.

As with any application, employees should be supported in using the password manager as intended through written instructions and notes and, if necessary, training.

It should also be clearly defined who needs rights to which vaults and who is authorized to release such requests.

Even if it is helpful to use the password manager on several devices, it must be clarified in principle whether installation on private devices is permissible, because this again involves security risks that must be addressed.

Employee offboarding

Similarly, during an employee's offboarding, or after a successful phishing or social engineering attack, it must be ensured that access rights to the password manager and the associated 2FA tokens are revoked.

In addition, always remember that employees who leave the company generally had the opportunity to write down passwords from the password manager before leaving and to continue using them. A password manager therefore does not replace 2-factor authentication for critical systems or other security measures.

It also means that accounts shared by several people should generally be avoided.

A password manager can make a very big contribution to helping companies use passwords securely and at the same time make employees’ day-to-day work easier. Nevertheless, an introduction should be well considered and planned so that these goals can also be achieved.

Last updated on May 18, 2021
