Article
Password management best practices
Password management is a combination of systems and processes used to securely handle the issuance, access, storage, and maintenance of passwords. With the proliferation of systems and devices,it has become a staple in every IT team’s toolkit. Password management facilitates the enforcement of best practices throughout the entire lifecycle of passwords, from creation to deactivation.
See how to use password management to reduce help desk calls, increase security, and enhance user experience.
As cyber threats become more sophisticated and effective, password management provides a critical defense against unauthorized access to systems, applications, and data.
Password management helps organizations address and defend against careless behavior that leads to data breaches, such as:
- Creating simple and easy-to-guess passwords
- Sharing passwords through verbal exchanges in an office, documents, email, telephone, or text messages
- Using the same password for all logins
- Writing down passwords
In addition to mitigating risky password practices, password management:
- Eliminates the need to memorize passwords
- Encrypts user passwords to increase protection
- Ensures compliance with regulations and best practices
- Facilitates the creation of strong passwords that are complex and difficult to guess
- Makes it faster and easier to create, manage and use passwords
- Minimizes password reuse
- Notifies users when credentials have been part of a data breach or phishing attempt
- Provides the ability to auto-fill user credentials when a login form is detected for which the system has a username and password
- Supports credential synchronization across multiple devices
Browser password managers
Browser password managers became prevalent because browsers are the most common way for users to access sites and services. Password management is included in all major browser platforms.
Browser password management allows users to save credentials for accounts; the browser auto-fills them. Many users take advantage of browser password management without understanding the security risks, which include the following.
Browsers were not built for password management. Because password management has been an add-on to browsers, most lack the security and productivity features of purpose-built solutions.
If a device is stolen, passwords can be retrieved from open browsers. Since most users do not sign out of browsers, browser password management is a high-risk approach to password management.
Passwords become compromised if a browser is attacked. Browsers are vulnerable to cyberattacks that infect devices through malicious email attachments, infected files downloaded from sites, or visits to infected websites. Cybercriminals also compromise browsers by bundling malware with browser extensions and through malicious shareware, freeware, adware, and spyware.
What is FIDO?
FIDO stands for Fast Identity Online. The nonprofit FIDO Alliance was formed in July 2012 with Infineon, PayPal, Lenovo, Nok Nok, Validity Sensors, and Agnitio as the founding companies. FIDO standards seek to replace passwords with a single token that is used for authentication and leverage multi-factor authentication to improve security and usability.
With FIDO, users sign in with passkeys that are phishing-resistant. Passkeys replace password-only logins. FIDO allows users to log in with passkeys across their devices using a biometric or a security key.
What are passkeys?
Passkeys are a type of authorization credential that allow users to log in to applications, sites, services, and systems without entering a password, with devices users already have done so (e.g., smartphone or laptop). Built on the Web Authentication standard, Passkeys leverage public-key cryptography for security. This prevents passkeys from being stolen from cyberattacks, such as phishing. With passkeys, the private key is stored on users’ devices, and the public key is on organizations’ servers.
Using passkeys for user authentication eliminates the need for vulnerable usernames and passwords. Passkeys replace traditional credentials with digital credentials that are analogous to physical keys. These digital keys are accessed by having users sign into devices using a personal identification number (PIN), swipe pattern, or biometrics (e.g., fingerprint).
Commonly cited benefits of passkeys are:
- Streamlined authentication experience for users
- Enhanced accessibility for users with disabilities
- Reduced helpdesk load due to users needing passwords reset
- Resistant to phishing attacks
- Standards-based approach that expedites integration of authorization capabilities for developers
How password managers work
Password management solutions, or password managers, provide a curated set of capabilities designed to automate, streamline, and secure password-related functions. Capabilities include the following.
Create custom password policies
For organizations with teams that have different access requirements, password management policies can be implemented at a granular level; for instance, enhanced authorization requirements can be implemented for users that access sensitive information.
Detect changes
A password management system can automatically detect password changes and synchronize them across all appropriate applications.
Enable multi-factor authentication
Password management provides robust multi-factor authentication capabilities to ensure the validity of users attempting access. This can include the ability to trigger multi-factor authentication when unusual behaviors are detected.
Enforce password requirements
Password management helps organizations implement and enforce password policies automatically. Organizations can be assured that all requirements are enforced network-wide, including the use of strong passwords, regular password updates, and the use of unique passwords for different applications, services, and systems.
Generate strong passwords
A password management solution can automatically create unique, strong passwords that users have difficulty creating.
Synchronize across devices and operating systems
Since users depend on multiple devices, password management automatically shares passwords across devices, eliminating the need to reenter the password on different devices manually.
Additional capabilities in robust password management solutions include:
- Ability to record, monitor, and terminate users’ passwords
- Access control for employee devices
- On-premises and cloud deployment options
- Password management on employee endpoints
- Reporting tools
- Self-service capabilities
Global security certifications for password management
There are many security certifications associated with password management. Below are several of the most commonly pursued by global organizations.
APEC CBPR (Asia-Pacific Economic Cooperation Cross-Border Privacy Rules)
APEC CBPR is a government-backed data privacy certification for companies to demonstrate compliance with internationally-recognized data privacy protections. It emphasizes privacy practices to ensure APEC customers’ personal data is protected in accordance with the prescribed standards when moving across borders.
APEC PRP (Asia-Pacific Economic Cooperation Privacy Recognition for Processors)
APEC PRP is a certification for data processors that work on behalf of client organizations (data controllers) to demonstrate their ability to implement a controller’s privacy requirements effectively.
BSI C5 (Cloud Computing Compliance Controls Catalogue)
BSI C5 is an audited standard that establishes a mandatory minimum baseline for cloud security and the adoption of public cloud solutions. It was introduced in Germany by the Federal Office for Information Security (BSI).
ISO 27001
ISO 27001 is an internationally recognized specification for an Information Security Management System, or ISMS, that assesses the overall management of information security.
SOC2 Type II
A Service Organization Control (SOC) Type II audit assesses how a cloud-based service provider handles sensitive information. It covers the suitability of a company’s controls and its operating effectiveness.
SOC3
A Service Organization Control (SOC) III audit assesses internal controls over security, availability, processing integrity, and confidentiality.
General Data Protection Regulation (GDPR)
GDPR is a regulation that provides a set of standardized data protection laws across the European Union (EU) to increase privacy and extend the data rights of EU citizens.
European Union (EU)-United States (US) Privacy Shield
The EU-US Privacy Shield is a legal framework that regulates transatlantic exchanges of personal data for commercial purposes between the European Union and the United States and requires data protections.
Challenges in password management
There are many benefits of password management, but there are also several notable challenges. Understanding the challenges allows organizations to securely and effectively extract the maximum value from solutions.
Password management challenges include:
- Interoperability
Because there are no mandated standards, not all websites are compatible with all password management - Master password vulnerability
Since password management solutions use a master password to access other passwords, a compromise could expose the other passwords; in addition, if the master password is lost, the user could lose access to applications, services, and systems - Security concerns
These revolve around the idea that password management can be a single point of failure, as all of the passwords could be exposed if the system were compromised - User adoption
In some cases, users have trouble setting up and using new password management systems
Another set of challenges related to password management relates to cyber threats, such as threats to protecting passwords in:
- Brute force attacks
Automated tools are used to steal or guess passwords - Data breaches
Cybercriminals gain unauthorized access to networks and steal login credentials from website databases - Login spoofing
Cybercriminals use passwords that are illegally collected through a fake login page - Shoulder surfing attacks
Passwords are stolen by a cybercriminal observing users’ entry into systems (e.g., by using a hidden camera) - Sniffing attacks
Passwords are stolen using a number of illegal tactics, such as physical theft, keylogging, and malware
Password management best practices
Ban password reuse
Passwords should not be reused for different devices or applications. Each account should have a unique password. This can be difficult to keep track of without password management.
Create and enforce a password management policy
Provide employees and administrators with a clear guide for password management to make it easy for users to follow best practices and for administrators to implement them.
Educate team members about online safety
Education is critical for users’ adoption of password management best practices. The following are ways to explain the importance of password management best practices and incentivize compliance, which will help build and sustain a culture of security as a priority.
- Explain the role of password management in data breach prevention
- Train employees on password management best practices
- Help employees follow password management best practices with automation
- Provide an on-demand training program with resources employees can review at their convenience
- Offer incentives that entice engagement in password management training and exercise (e.g., cash bonus or gift cards)
Enhance protection for privileged user accounts and passwords
Use privileged access management to add an extra layer of protection for accounts that have a higher level of access to data and applications and are sought after by cybercriminals.
Identify security issues quickly and help employees fix at-risk accounts
Password management should identify password-related security issues and at-risk accounts proactively. When issues are detected, the solution should have automated responses for remediation and alerts for those deemed high-risk.
Implement multi-factor authentication
Multi-factor authentication (MFA) requires users to provide two or more pieces of evidence (factors) to verify their identity before granting access. These factors include:
- Something you know—password or personal identification number (PIN)
- Something you have—smartphone, mobile phone, or token
- Something you are—biometrics (e.g., fingerprint or face recognition)
Make password changes mandatory
Require users to change their passwords according to a set schedule. Password management automates this process to ensure compliance.
Phase out browser-based password management
Browser-based password management is a security risk. Organizations are encouraged to create plans to eliminate the use of browser-based password management and replace it with a purpose-built solution.
Require strong passwords
Passwords should be complex and unique to prevent cybercriminals from breaking them. Password management systems can automatically generate strong passwords that have:
- More than eight characters
- A combination of upper and lowercase characters
- Different numbers and symbols
Store passwords in a password management system
Use purpose-built password management to streamline processes for users and facilitate administration by IT teams. This enables password management rules and enhances security.
Use password encryption
Irreversible end-to-end encryption is a must-have for password management to protect credentials, because even the strongest password is vulnerable unless it is encrypted. Password encryption secures data that is stored or transferred. Encryption secures digital data by mathematically encoding it using cryptography to prevent it from being read or decrypted with a key or password.
Password management: An easy, but potent security upgrade
Cybersecurity presents increasing challenges as cybercriminals and their tactics are bolstered with sophisticated technology, such as artificial intelligence and machine learning. All the technology leveraged to keep them out is being used to gain unauthorized access. Security teams employ a mesh of solutions to provide protection.
Password management is one of the easiest security solutions to implement and one that has proven to be effective. With password management, a highly-exploited attack vector is nearly eliminated. Password management prevents credential compromises that expose organizations to untold damage.
Smart, scalable, seamless identity security
Trusted by 48% of the Fortune 500