Why you should consider password manager solutions

Oscar Okwero
3 min read · Sep 11, 2023
Courtesy @Apple developer

Introduction

As a security professional I often get requests from users who have lost their accounts to hackers through phishing or other threat gateways. Many of these losses happen because the user either fell back on a very weak password after forgetting a previously strong one, or re-used a single, easy-to-remember password across all of their digital accounts, from social media and email to financial systems. Others lose their accounts to phishing emails that claim to come from a service provider changing its terms of use, and that ask the recipient to click a link to update their account and change their password. I have to admit that I too have fallen for this, much to the amusement of my friends and family, who wonder why the ‘expert’ keeps falling for it. I honestly have no explanation for this :)

To begin with, an average 250-member company has about 48,000 passwords (Ping Identity, 2022). These range from servers and workstations to subscriptions and internal systems. An average individual digital nomad has over 40 digital accounts, spanning email, social media, academic accounts, financial services, e-commerce and government services. Setting a strong password, as InfoSec teams recommend, for each of these accounts is a real challenge for users. For instance, a sample password policy requires that all passwords be a minimum of 16 characters, combine upper-case and lower-case letters, contain a mix of numbers and special characters, and be changed often, e.g. every 60–90 days. Further, users are encouraged not to save their passwords in browsers, a common cyber security control against account takeover. In enterprise settings, it is a serious negligence offense for a user to write down their passwords as a memory aid, since a written password can easily be lost to cyber attackers.

How on earth, then, can normal users who just want to do their work and access their accounts meet these very ‘strict’ InfoSec conditions and still enjoy the utility of their accounts? It is no wonder that account phishing and takeover is always among the leading cyber threat vectors in the OWASP Top 10 in every year of publication. To offset this imbalance, controls like multi-factor authentication (MFA), single sign-on (SSO) and federation services try to make usability and security an even match. However, these are limited in utility and adoption, so a method to centrally and securely manage user passwords is needed. Enter the world of password management solutions.

Password managers

These are application solutions that let the user centrally manage access to their digital assets through a secure single point of access, with a unique password for each asset, so that the compromise of one password does not expose the others. Some password managers also enter your passwords into websites and apps automatically, so you don’t even have to type them in every time you log in. This frees users from the burden of remembering their passwords, and from the risk of losing them.
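As an added illustration (my own example code, not from the article or from any of the products it lists), the script below does the two things a password manager takes off the user's shoulders: it checks passwords against the policy quoted earlier (minimum 16 characters, upper and lower case, digits, special characters) and it generates a fresh, policy-compliant password per account from the operating system's CSPRNG. It also flags the re-use pattern the introduction describes. The special-character set, the default length of 20 and the sample vault are assumptions I constructed; the article specifies none of them.

```python
import secrets
import string

# Policy quoted in the article: at least 16 characters, upper- and lower-case
# letters, digits and special characters. The exact special-character set and
# the default generated length of 20 are assumptions, not from the article.
MIN_LENGTH = 16
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL


def check_policy(password: str) -> list:
    """Return the policy rules a password violates; an empty list means compliant."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in UPPER for c in password):
        failures.append("no upper-case letter")
    if not any(c in LOWER for c in password):
        failures.append("no lower-case letter")
    if not any(c in DIGITS for c in password):
        failures.append("no digit")
    if not any(c in SPECIAL for c in password):
        failures.append("no special character")
    return failures


def generate_password(length: int = 20) -> str:
    """Build a policy-compliant password from the OS CSPRNG (the secrets module)."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    # Draw one character from every required class so the policy is met by
    # construction, then fill the remainder from the full alphabet.
    chars = [secrets.choice(UPPER), secrets.choice(LOWER),
             secrets.choice(DIGITS), secrets.choice(SPECIAL)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by secrets.randbelow, so the positions of the
    # mandatory characters are not predictable (random.shuffle is not a CSPRNG).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def build_vault(accounts, length: int = 20) -> dict:
    """Give every account its own freshly generated password, as a manager would."""
    return {account: generate_password(length) for account in accounts}


def reuse_report(vault: dict) -> dict:
    """Map each password used by more than one account to the accounts sharing it."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


# Constructed sample: the 'one easy password re-used everywhere' pattern.
SAMPLE_VAULT = {
    "email": "Summer2023!",
    "bank": "Summer2023!",
    "social": "Summer2023!",
    "shop": "Xk9#qvLmP2wz$Rt7Ab",
}

if __name__ == "__main__":
    for account, password in SAMPLE_VAULT.items():
        print(account, check_policy(password) or "compliant")
    print("re-used:", reuse_report(SAMPLE_VAULT))
    print("fresh vault:", build_vault(["email", "bank", "social"]))
```

Running it reports the three accounts sharing "Summer2023!" and the single policy failure for that password (too short), then prints three distinct generated passwords that all pass `check_policy`.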

Conclusion

It should be noted, however, that like all technology solutions, password managers are not foolproof. In fact, a password manager creates a single point of failure: should an attacker gain access to the master password for the password manager, they have access to the user’s entire estate of sensitive digital assets. This risk can be mitigated through further compensating controls like MFA and token-based authentication.
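To make the compensating control concrete, here is an added example (my own toy code, not the article's and not any vendor's implementation) of a vault unlock that needs both the master password and a time-based one-time code. The master password is stretched with scrypt so that a leaked verifier cannot be turned back into the password cheaply, and the TOTP check (RFC 6238 over HMAC-SHA1) means the master password alone is not enough to open the vault. The salt and TOTP secret are generated at enrollment; the scrypt cost parameters and the 30-second step are my assumptions. A real manager would also encrypt the stored entries with the derived key, which this example leaves out.

```python
import hashlib
import hmac
import os
import struct
import time

# scrypt cost parameters (assumed values; 2**14/8/1 needs 16 MiB of RAM,
# inside hashlib's default maxmem of 32 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32
TOTP_STEP = 30   # seconds per TOTP window
TOTP_DIGITS = 6


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a vault key with a memory-hard KDF."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def enroll(master_password: str) -> dict:
    """Create the stored record: random salt, a verifier for the derived key,
    and a random TOTP secret (shown once to the user's authenticator app)."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    return {
        "salt": salt,
        # Store a hash of the key, never the key or the password itself.
        "verifier": hashlib.sha256(key).digest(),
        "totp_secret": os.urandom(20),
    }


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time window."""
    return hotp(secret, int(now // step))


def verify_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept the current window plus/minus `window` steps to absorb clock drift."""
    counter = int(now // TOTP_STEP)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def unlock(record: dict, master_password: str, code: str, now=None):
    """Return the vault key only if BOTH the master password and the TOTP code
    check out; otherwise return None. Both factors are evaluated before the
    decision so the response does not reveal which one failed."""
    if now is None:
        now = time.time()
    key = derive_key(master_password, record["salt"])
    password_ok = hmac.compare_digest(hashlib.sha256(key).digest(),
                                      record["verifier"])
    mfa_ok = verify_totp(record["totp_secret"], code, now)
    return key if (password_ok and mfa_ok) else None


if __name__ == "__main__":
    record = enroll("correct horse battery staple")      # constructed sample
    code = totp(record["totp_secret"], time.time())      # what the app shows
    print("password + code:", unlock(record, "correct horse battery staple", code) is not None)
    print("password only, stale code:", unlock(record, "correct horse battery staple", "000000") is not None)
    print("code only, wrong password:", unlock(record, "guess", code) is not None)
```

The HOTP routine can be checked against the published RFC 4226 test vectors (secret `12345678901234567890`, counter 0 gives `755224`, counter 1 gives `287082`), which is the same check the test below performs. The point of the design is that a phished or guessed master password yields nothing without the second factor, which is exactly the single-point-of-failure risk the paragraph above describes.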

In the balance of risks and potential impact, I therefore recommend password managers for both corporate and individual users.

Examples of password managers

1. NordPass available at https://nordpass.com/

2. 1Password available at https://1password.com

3. Bitwarden available at https://bitwarden.com/

4. Zoho Vault available at https://www.zoho.com

5. One Identity available at https://www.oneidentity.com/products/password-manager/

Oscar Okwero

Cyber Security | AI | Data protection | Food | Liverpool FC |