The Pros and Cons of Password Managers

Computer users today are challenged by site and program requirements to use strong and unique passwords across platforms to ward off hackers. But remembering a plethora of passwords can become nearly impossible.

A password manager, sometimes referred to as a password vault, is a software application that stores and organizes login credentials – usernames and passwords – logging users in automatically to websites. Businesses are better protected when users employ strong, unique passwords across websites without the need to write them down or commit them to memory.

Advantages of Password Managers

In a nutshell, a password manager is easy to use. Once a user visits a website and enters their username and password, the password manager captures the information, eliminating the need to remember those credentials in the future. Now, all that’s required is to enter the master password to log in to the manager itself.

Another handy feature of password managers is the capability to create random passwords that use a mix of uppercase and lowercase letters, symbols and numbers. When a user creates a new account on a site, the password manager offers a secure, randomly generated password, enabling the user to move on quickly.

Most password managers also encrypt the vault in which login credentials are stored – on the local computer or in the cloud – providing another layer of protection against hackers.

Disadvantages of Password Managers

Although they greatly ease the user’s burden, password managers pose a risk in that they present a single point of failure. Let’s say an attacker installed a keystroke-logger program on a computer and recorded the user’s master password. The attacker can then access the password manager vault and compromise the user’s accounts on all sites.

Breaches have occurred. A leading password manager was cracked and breached in 2015. And Malwarebytes Labs, a well-known antimalware vendor, expects password managers to be a prime target for cybercriminals in 2017.

Risk vs. Reward

All things considered, the rewards of implementing a password manager for employees far outweigh the risks. Password managers should be considered safe to use. Many commercial password managers are cloud-based services that store passwords in a vault in an encrypted form. An administrator uses the service’s administrative console to create user accounts and invite users to begin using the service from their computer. The administrator then monitors the overall “health score” of accounts to ensure users are creating strong passwords for various sites.

These services can also sync a password vault to a user’s mobile devices (to protect password use there as well), and syncing is protected by AES, a strong form of encryption.

Note: Because password management services use heavy encryption, even when a breach occurs and data is stolen, criminals must break the encryption to see a user’s passwords. This can be nearly impossible with industry-standard encryption like AES.

Password Managers for Highly Regulated Industries

Many organizations must comply with regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). Compliance requires organizations to impose stringent security measures to protect IT environments since they’re capturing and storing customers’ personal information. A password manager service can help meet compliance in a few ways.

One is with two-factor authentication, in which the user must enter credentials initially and then receive a code as a second form of identification. Some password managers let users choose a form of biometrics, such as a fingerprint or facial recognition, rather than enter a master password. A password manager also enables administrators to enforce password policies, such as requiring the use of strong passwords and changing passwords on a regular basis.

Password Manager Solutions and Best Practices

Although Web browsers store passwords and provide some aspects of password management, they aren’t the best solutions for businesses because they lack the security element. Instead, a commercial password manager offers more business-appropriate features, such as random password generation and password sync across all connected devices.

Dashlane and KeePass are two popular password managers that offer similar feature sets. For example, both products provide browser extensions and mobile apps. Dashlane enables users to automatically change passwords, saving lots of time and effort over the long term. Regarding vault storage, Dashlane lets the user choose to store these passwords locally or in the cloud, while KeePass only stores passwords locally.

Whatever solution you find for your business, there are a few guidelines to keep in mind:

  1. Although services do encrypt a user’s master password, they do not store the master password in the cloud, so it’s important for users to not only use a strong master password, but to change it every 60 to 90 days.
  2. As mentioned, to increase the security of a password manager, look for one that offers two-factor authentication.
  3. The password manager you choose should also support all major computer and device operating systems as well as Web browsers, and allow users to store hundreds of logins.
  4. A nice-to-have feature that might hit your must-have list is automatic password changing, which lets the user change passwords on many sites at once.

To get started, browse password manager comparisons on sites like PCMag.com, TechRadar and G2 Crowd. After you narrow your choices to three or four products, test them in your organization to see which one works best for your users.

Interested in preventing employee-related security risks?