Why Simple Password Management Tools Give You A False Sense of Security

Password management tools promise a simple way to remember passwords for you. You might already use a password manager at home. In fact, some web browsers offer a basic “save your password” feature to help consumers with their online life. Are those password manager tools good enough to keep the sensitive data at your office safe? If you’re responsible for cybersecurity at an organization, these simple password management tools are just not good enough.

Why Traditional Password Management Tools Don’t Work for Organizations

Consumers and organizations face very different cybersecurity risks. Imagine you’re a hacker who’s motivated to go after a target. If you successfully attack an individual on his or her home computer, what can you gain? Our guess: data worth a few hundred dollars. On the other hand, consider a successful attack on a Fortune 1000 company. A focused attack could yield sensitive data worth tens of thousands or even millions of dollars. Since a company has far more to lose, it needs more protection than a simple password manager can provide.

When you rely on a password manager alone, it fosters a false belief among your employees. They may assume that the password tool is keeping them safe. Even worse, they may believe that they no longer have any responsibility for cybersecurity because the software does everything for them. When that happens, your organization’s vulnerability increases because you have lost front-line employee vigilance.

The Solution to Improving Password Management

How can you avoid falling into the trap of “password managers are the silver bullet for security”? The answer is simple but not easy. Put password management requirements into a broader cybersecurity framework. This framework defines your policies and procedures, as well as what everyone is responsible for. Developing a customized identity and access management program takes serious work. Without knowing your organization’s specific challenges, it’s not possible to come up with a custom solution.

Instead, this article covers the building blocks you need for effective password management and how to integrate them into your broader cybersecurity program.

  • Review the scope of the password policy: The most common oversight in a password management policy is failing to include cloud services such as customer relationship management solutions (e.g., Salesforce.com). These systems contain critical company data and need to be included. Ask your employees to list the systems and websites they use in their work to ensure you’ve identified all the critical services.
  • Improve your password training: Unless you guide them appropriately, your employees may bring harmful password practices to the workplace. Read our article “How to Deliver Password Management Training to Your Employees This Week” for more on developing training.
  • Discourage password reuse: Using the same password over and over again is convenient for end users. Unfortunately, this practice undermines security. It’s also a widespread practice. An industry survey found over 80% of adults reusing passwords. That habit means that cracking one password may give hackers access to other parts of your organization.
  • Review hard-coded passwords: Some software developers hard-code passwords into scripts and other software to speed up their work. While this practice does increase productivity, it carries significant risks. We recommend interviewing your software development team to find out whether they’re doing this. In 2014, Uber’s security failure led to the loss of data on 50,000 drivers, and the use of hard-coded passwords was a key contributing cause. Don’t let that happen to your organization!
  • Adopt multi-factor authentication for higher risk situations: Do you offer a work from home or remote work program? In that situation, your confidential information is exposed to increased risk. To reduce your cybersecurity risk exposure, we recommend using multi-factor authentication. Are you new to the world of multi-factor authentication? We’ve got you covered: click here to receive Your Multi-Factor Authentication Project Plan.

When it comes to password management, constant practice and training are critical. Miss out on this and your password management policies will do little to protect you.

How Will You Sustain Robust Password Management?

Training employees and introducing new password management policies helps. However, most of your employees don’t arrive at the office each day worried about cybersecurity. If you only emphasize cybersecurity best practices in an annual training session, don’t be surprised when the message fades after a few months. That is simply the reality you have to accept. Consistent supervision and reinforcement of password best practices are critical. Choosing the right cybersecurity software solution will go a long way toward fixing this problem.

Introducing Password Management

The better way to improve password management is here: use Password Management. Unlike other password tools, Password Management considers the employee experience. Your staff will no longer have to phone the help desk to get a password reset (it happens to all of us, especially after a vacation). Instead, employees can use Password Management to reset passwords by phone. Further, each user can set individual security questions. With this approach, employees are more likely to remember their responses and get on with their day when they need to change a password. You can “mass enroll” users in the system in moments, so you keep pursuing high growth goals without sacrificing security objectives. If you have a large number of temporary employees (or students, in the case of universities), that mass enroll system will be a major time saver.

Multi-factor authentication support is built directly into Password Management. SMS authentication is a popular choice for many organizations. Since users must have their phone in hand to receive the one-time PIN code, this form of multi-factor authentication makes an attacker’s job much harder than a stolen password alone would. To protect the most sensitive assets, such as your executives’ email accounts, we suggest using biometric multi-factor authentication. Spear phishing, the practice of targeting specific people in an organization to steal their credentials, is a real threat. Multi-factor authentication with Password Management is a good way to reduce that risk.

Curious to explore multi-factor authentication (MFA) further? Read our article “How To Implement Multi-Factor Authentication Without Working Weekends.” Focusing your MFA program on high-risk use cases and users is the key to getting value from the system.

Written by Nelson Cicchitto