Passwords are supposed to provide a key for authorised people to access systems that we don't want just anyone to have access to. Unfortunately passwords aren't very effective because it's hard to remember multiple long complex passwords. To get around it, people tend to reuse a handful of passwords or use passwords that are easy to remember. Unfortunately that also makes them easy to guess.
Luckily businesses now have a technological solution available – the password manager.
What's a password manager?
A password manager is like putting your passwords into an online safe that only you have the key to.
- encrypt, store and protect all your passwords so no-one else can access them
- allow you to generate passwords made up of a random, unique string of characters
- keep track of your passwords so you don't have to remember them all. You only have to remember one master password
- don't require IT support to set up or implement
- can be used to store other information securely, like pin numbers or two-factor authentication recovery codes.
When you set up a password manager, you create a 'master password' to use when you access your safe. Once you have your online account details, such as usernames and passwords stored in the password manager, the master password is the only one you have to remember. The password manager will do the rest for you.
Since your master password protects all your other passwords, it needs to be strong, long and memorable. We recommend using a passphrase rather than a password. Passphrases can be several random words or numbers together like ChickenPinkHouse79 or shakespearewasthegreatestplaywrightever
How safe are password managers?
Password management software is built using strong encryption methods and security practices, and is regularly reviewed by independent security researchers. The weakest part of password management software is most likely to be the master password that you choose.
Exploiting reused passwords is a common way for attackers to gain unauthorised access into your systems. The unique and strong passwords created by password managers are almost impossible to guess, making using a password manager a much safer option.
If you want an extra layer of security to your password manager, you can turn on two-factor authentication (2FA). That way, you'll be notified if someone does try to log in to your account.
Choosing a password manager
There are several password managers available, including free and paid versions. Have a look at reviews online to see which one would work best for you.
When looking for a password manager, there are a few things to consider.
Each password manager has its own administrative controls for user or policy management. Look at the features offered under the different business plans available.
Some password managers offer features such as:
- dashboards to monitor usage across your organisation
- user management options, such as multiple roles that offer different levels of access
- policy management, such as mandatory two-factor authentication or a restriction on who can reset a master password.
Cloud, local or browser-based password managers
The other consideration when choosing a password manager is whether it's best for your passwords are stored on your local drive or computer, in the cloud or with your browser. Think about your ability to protect your own database of passwords on your computer, and the sensitivity of the passwords you have.
If you need to have a high level of security – if you have a lot of financial trading or banking account passwords, for instance – you may want to use a password manager that's stored locally. Locally-based password managers store the password safe on your device, and can't be accessed from other devices. If you regularly work on multiple devices, such as a work computer and a home computer, this might not be the best option for your business. You also need to back up these password managers regularly.
A cloud-based password manager suits most businesses, and has the convenience of being accessible on multiple devices. Some cloud-based password managers offer browser plugins, mobile applications, and desktop applications. If you have a mobile workforce who do a lot of work on laptops and mobile phones, these type of products may work for you.
Most browsers — like Internet Explorer or Chrome — have a built in password manager. You'll see it when you log in to a site and a message pops up asking if you want the browser to save your password for you. While this can seem like a good option, it's important to note that a built in password manager does not have the same level of encryption or security as other password managers. They usually store the passwords locally on your computer, meaning they can be easily viewed by someone if you leave your computer unattended or unlocked.
Important accounts that are accessible online should be protected with 2FA. If choosing a cloud-based password manager, get one that uses 2FA.
Occasionally you may need to share some passwords between staff members, like for social media accounts. In some password managers, you can choose to share some passwords between selected staff members and which ones to keep hidden.
Some password managers allow users to have more than one safe per account, so you could allow your staff to have a safe for work passwords and a separate safe for their personal passwords.
Once you've chosen your password manager and are ready to implement it across your business, review your password processes. Hopefully you already change your system passwords, such as network passwords and alarm codes, when staff members leave - you'll need to update these processes to include however it works in your new password manager.
Encourage staff to enter their existing passwords into the password manager when they're setting it up. This will take a few extra minutes initially, but will encourage adoption and get them into the habit of using your password manager.