Summary
The most common way to authenticate to a system is by providing a username and password. The problem with passwords is that once they are lost or guessed, it's no longer a secret or secure. At CERT NZ, we see a lot of unauthorised access incidents which are caused by issues related to password management. This includes incidents where the passwords were:
- reused in other systems or accounts that had their passwords leaked,
- easy to guess personal information that may be available on the internet or commonly used passwords or patterns,
- set to the default values when the software was originally installed, or
- stored in plaintext documents which were read by an attacker.
Providing your staff with a password manager is the most effective way to enable them to use unique and strong passwords, and to enable better password hygiene. In combination with Multi-Factor Authentication (MFA), this will prevent the majority of unauthorised access incidents, and reduce the harm of phishing or credential theft.
Purpose
The intent of this control is for organisations to provide a password manager tool to all users who have access to organisation systems and accounts. This tool should be widely used, and passwords are only stored in approved, secure, ways.
Measuring success
A successful password manager control will look very similar across organisations, although the tools used may vary. The goals for your organisation are:
- There is a password manager tool that is approved to be used within your organisation, and provided to all staff.
- This tool is known and all staff are encouraged to use it, with widespread adoption.
- Your organisation can control user access to the tool so you can invite staff and set organisation-wide policies.
- Policies are set to auto-generate long and unique passwords.
- There are guides and support for all staff to know how to set a master password and how to use the password manager tool.
- Logging is configured for any stored passwords that are shared (and can’t be unique), such as organisation social media accounts.
- The approved password tool enforces MFA.
Key password manager takeaways
- Weak or reused passwords remain a common cause of incidents. If your staff aren’t using strong, unique passwords on all systems, it might be because they don’t have the right tools. A password manager is one of the few tools that can help your teams create unique passwords easily. It is a low-cost tool that can have a high impact and value when implemented well.
- Widespread use of a password manager requires buy in from everyone. A tool that is too difficult to use will not be adopted by your staff. You will need to balance the end user needs with the security features most important to your organisation. You should trial a few password managers with a group of users to see what they are confident in navigating and using before enforcing one tool for everyone. If you pick one without making sure your users are confident in using it, you might find it won’t be used at all.