Rolling out a password manager

Once you’ve chosen a password manager for your organisation, you need to have a clear communications strategy to explain the benefits of this tool so your people understand its use.

Configure policies and develop guides

Once you have decided on a tool, you will need to set clear policies and configure the tool to support these.

Common configuration options to look at

Each password manager will have different configuration options you can utilise. You will want to set these up before you roll out to users to make sure the first user experience they have is positive and consistent. A few configurations you may need to think about:

  • When is multi-factor authentication required? For logging into the tool, or accessing specific password groups or vaults.
  • Password policy for the master password - This will be the password that unlocks the user’s password database, so it’s important that it’s long, strong, and unique.
  • Standard password policy for any auto-generated passwords - This will make sure each password that is auto-generated for the users is long and strong too.
  • Single sign-on (SSO) integration – You may want to allow users to log in using their organisation credentials, or even SSO so they don’t need to enter a username and password. This is not recommended for administrative accounts.
  • Requiring an up-to-date app or software - The tool can check that a current version of the software, app, or browser is being used before allowing users to unlock the database.
  • User event and audit logging - This could track any successful and failed attempts, access to vaults, viewing of passwords, and any sharing of passwords or vaults.
  • Firewall and access control rules - These would block access attempts from specific IP addresses, locations, or sources.
  • Organisation-specific groups and vaults - These would allow your users to store passwords they can share with others, for shared accounts that have only one set of credentials.
  • Password breach notifications - This would notify you if a system or website your team uses recently had a password breach, which means they may want to reset their passwords. This can also prevent people from using passwords that have been in previous breaches.
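Two of the options above, the policy for auto-generated passwords and the check that a master password has not appeared in a previous breach, are mechanical enough to show in code. The block below is an added illustration, not code from this page or from any password manager product; the length thresholds, the character-class rule and the tiny "breach corpus" of SHA-1 hashes are constructed for the example, standing in for whatever policy and breach feed your chosen tool actually uses.

```python
import hashlib
import re
import secrets
import string

# Illustrative policy values (the page sets no specific numbers).
GENERATED_MIN_LENGTH = 20   # auto-generated passwords: long by default
MASTER_MIN_LENGTH = 16      # user-chosen master password

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample breach corpus: SHA-1 hashes of a few passwords that appear
# in public breach lists. A real deployment would use a proper breach feed.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein")
}


def meets_character_classes(pw):
    """Require at least one lowercase, uppercase, digit and symbol character."""
    return (
        any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def generate_password(length=GENERATED_MIN_LENGTH):
    """Generate a random password that satisfies the generated-password policy.

    secrets.choice draws from the OS CSPRNG; random.choice would not be suitable.
    Candidates that miss a character class are simply redrawn.
    """
    if length < GENERATED_MIN_LENGTH:
        raise ValueError(f"generated passwords must be at least {GENERATED_MIN_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_character_classes(candidate):
            return candidate


def is_breached(pw):
    """True if the password's SHA-1 digest is in the (constructed) breach corpus."""
    return hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1


def check_master_password(pw):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MASTER_MIN_LENGTH:
        problems.append(f"shorter than {MASTER_MIN_LENGTH} characters")
    if re.fullmatch(r"(.)\1*", pw):
        problems.append("a single repeated character")
    if is_breached(pw):
        problems.append("found in a previous breach")
    return problems


if __name__ == "__main__":
    print("generated:", generate_password())
    for candidate in ("password", "aaaaaaaaaaaaaaaaaa", "correct horse battery staple!"):
        print(repr(candidate), "->", check_master_password(candidate) or "ok")
```

Note the design choice in the breach check: the comparison is on a hash, not the plaintext, because a breach corpus should never hold or receive clear-text passwords. Real breach-lookup services go one step further and accept only a short prefix of the hash so the full hash never leaves the client; the local set here keeps the example offline.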

Guidelines and support

You will need to have guides and information to support your team in understanding how they can use the tool depending on the configurations you have set. It is important to make the documentation in a format and language that is right for the audience, and sometimes this means making multiple documents that all have the same key messages.

A good way to make these guides is to introduce the tool to a pilot user group first. Ask for their feedback on what documentation might be helpful for users like them.

Tip

A lot of users might use their work devices for some limited personal use. This might mean they may be prompted to store personal credentials in their work password manager. Be clear in your guides on how people can use the password manager tool for both work and personal use. If you don’t allow them to use it for both, often password manager tools provide free personal versions. This could be a good middle ground.

Enrol your users

The next step in the roll-out of a password manager is to enrol the users. If you have a large organisation, doing a small pilot test may help you work out any problems in the process, configurations, or guides before you roll it out wider.

Your goal should be to onboard everyone in the organisation who has online accounts or devices. Rolling it out team-by-team is a way to improve the uptake. You could work with each team and make sure they:

  1. download the right app or software, create an account under your organisation and can set their master password
  2. add the passwords for their key accounts. If any passwords are flagged as weak, they replace them and save the new passwords
  3. add other measures, such as:
    1. multi-factor authentication backup codes
    2. knowledge-based question answers (which can also be auto-generated like a password)
    3. physical codes, such as door PIN codes
  4. know where to find the guides and get help if they have a problem.

Ongoing support and monitoring

Make sure your staff onboarding includes setting up the password manager. You should provide ongoing support to ensure your staff understand how to use the password manager and they are not falling into old habits of storing passwords in plaintext files.