Choosing a password manager

Unique and strong passwords can save your organisation from the common password spray, brute force, and password reuse attacks we see. Choosing and providing a password manager can help your staff keep them unique and strong.

Below are the steps you can follow to roll out and manage password managers in your organisation.

1. Find a tool that suits your needs

There are many different password managers out there. If you want your team to use one, it must suit their needs and be easy for them to use. There will also be security features you need to check. The best way to select the right tool is to find a small group of products that have the security features you need, and then pick the password manager that has the features your staff need.

2. Cloud vs local?

One of the first decisions to make is whether to use a cloud-based password manager or host it locally. Cloud-based options can be more flexible to access from wherever you need, and are easier to set up and maintain. However, they require you to trust the provider, and you should insist on multi-factor authentication. Locally hosted options require putting less trust in external parties, but will require ongoing maintenance. They can also limit your ability to access the tool from external locations, such as when staff are working remotely.

3. Security features

The first important feature your password manager needs is strong encryption algorithms and practices. Encryption algorithms, like software, can have vulnerabilities that allow people to decrypt the data without having the original key. It’s important that the password manager you select uses up-to-date encryption algorithms. Also ensure it uses multiple layers of encryption, so that one weakness does not lead to the compromise of a whole database.

Strong encryption key practices are also important, especially if you are considering cloud-based password managers. Password managers rely on the concept that only the end user can decrypt the database with their master password. If the tool provider maintains their own access or a copy of your master password so they can decrypt the database, this can introduce a lot of risk.

Use this check to exclude any password manager tools that are not clear or open about how they protect your passwords. To find this information, start by searching for any documents or papers that explain the security design of the tool you are assessing.

Other important security features to consider are:

  • Multi-factor authentication for accessing the password database. This is especially important for any end users who are storing sensitive passwords or if the password manager is cloud-based.
  • No ability to reset master passwords without multi-factor authentication. Password reset functions are often abused in order to bypass authentication. Ensuring users can’t reset their master password is the best way to make sure this process can’t be used as a bypass technique.
  • How to share secrets with external parties. You may need to share passwords or other secrets with support vendors, and your password manager should help you manage this in a safe and secure way.
  • Logging of all activity in the password manager. Having logs of who accessed what passwords, and when, is particularly important if you have any shared passwords. You’re also likely to want to log authentication, both successful and unsuccessful, to assist detecting account compromise.
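The logging point above, as an added example that is not part of the original guidance: a small triage script over constructed audit-log lines in a hypothetical `timestamp|user|event|detail` format (real products have their own export formats), flagging a burst of failed logins followed by a success and listing every view or copy of a shared-vault item.

```python
# Added example, not from the original guidance: triage password-manager audit logs.
# Assumes a constructed, hypothetical format "timestamp|user|event|detail";
# real products use their own export formats.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real product).
SAMPLE_LOG = """\
2024-03-04T08:59:10|alice|login_failed|ip=203.0.113.7
2024-03-04T08:59:31|alice|login_failed|ip=203.0.113.7
2024-03-04T09:00:02|alice|login_failed|ip=203.0.113.7
2024-03-04T09:00:40|alice|login_success|ip=203.0.113.7
2024-03-04T09:05:12|alice|item_copied|vault=shared-it,item=svc-backup
2024-03-04T10:15:00|bob|login_success|ip=198.51.100.23
2024-03-04T10:16:45|bob|item_viewed|vault=shared-social,item=corp-twitter
2024-03-04T11:02:00|carol|login_failed|ip=198.51.100.40
2024-03-04T14:30:00|carol|login_success|ip=198.51.100.40
"""

def parse(lines):
    """Yield (timestamp, user, event, detail) for each non-empty log line."""
    for line in lines.splitlines():
        if line.strip():
            ts, user, event, detail = line.split("|", 3)
            yield datetime.fromisoformat(ts), user, event, detail

def suspicious_logins(lines, max_failures=3, window=timedelta(minutes=10)):
    """Users with >= max_failures failed logins inside `window` followed by a success."""
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    flagged = []
    for ts, user, event, _ in parse(lines):
        recent = [t for t in failures[user] if ts - t <= window]
        if event == "login_failed":
            failures[user] = recent + [ts]
        elif event == "login_success":
            if len(recent) >= max_failures:
                flagged.append((user, ts.isoformat(), len(recent)))
            failures[user] = []  # a success resets the failure run
    return flagged

def shared_item_accesses(lines):
    """Who viewed or copied which shared-vault item, and when."""
    return [(ts.isoformat(), user, event, detail)
            for ts, user, event, detail in parse(lines)
            if event in ("item_viewed", "item_copied") and "vault=shared-" in detail]

if __name__ == "__main__":
    for row in suspicious_logins(SAMPLE_LOG):
        print("possible compromise:", row)
    for row in shared_item_accesses(SAMPLE_LOG):
        print("shared access:", row)
```

Only alice is flagged: three failures within ten minutes and then a success, while carol’s single failure hours before her login is left alone.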

4. End user features

Once you have picked the security features that are important to your organisation and have used them to shortlist tools that fit that profile, you can consider other end user features. These features might increase the security risk, or “attack surface”, of the tool, but they will also allow your users to use the password manager without friction.

Common end-user features to consider include:

  • Desktop software, browser plugins, and mobile apps. Accessing your password manager through different channels increases the risk that one of those channels has a security weakness or vulnerability. However, these channels might help your team access their passwords when and where they need them.

    Consider whether your team often uses laptop software, mobile apps, or their browser for accessing web apps. This can help you decide whether a tool with multiple channels is worth the trade-off in security risk.
  • Shared vaults and passwords. There will be passwords your teams will need to share, like passwords to service accounts or social media accounts that only allow one user. Shared passwords also come with security risks, and you will want to make sure they are only shared with the people who need access to them. You should have features that allow you to see every time a user views or copies a password to allow for limited traceability.
  • Password generators. Most password managers have inbuilt functionality to generate passwords or passphrases, which can be set to generate minimum or maximum length passwords. This can make it easier for your users to create strong passwords.

Once you have the security and end user features you need, you can start trialling different tools to see what might work best.

Some internet browsers have built-in password managers that can store credentials for online accounts and services. These are commonly used by individuals; however, they are unlikely to be fit for purpose for an organisation, as in-browser password managers only store credentials for accounts and services that are logged into via the browser.

Once you have tested and confirmed the best option for your organisation, it’s time to start rolling it out.

Rolling out a password manager