With the average person having 130 different accounts, the fight for password security can feel a bit overwhelming. If your employees follow password management best practices, that means 130 different passwords for every account. The chances anyone can recall that many strong, unique passwords from memory is slim to none.
Expecting employees to practice good password security is a tall order if you aren’t giving them a tool to assist them. Without a solution to help manage their credentials, many will throw their hands up in defeat and reuse passwords.
With 61% of data breaches being credential-related, companies can’t afford to ignore these issues. Providing employees with password management solutions is long overdue.
Lets look at how you can implement standards and practices for storing and sharing passwords securely so employees don’t have to forge their own path.
Do you know how employees in your company store their passwords?
The most popular method is good old fashioned brainpower. It may seem like the more secure approach, but recall that the average person has 130 different accounts. This probably means they’re reusing their passwords, or variations of them.
If they use the same passwords for multiple accounts, one breached system means the threat actor is just a few steps away from using the same password to hack other systems. And it’s not just their other work accounts you need to be concerned about, it’s passwords reused from their personal accounts too.
Let’s assume employees are using unique passwords. Since it’s highly unlikely they’re memorizing them all, they must be storing them somewhere. What if that’s in browser-provided password storage, spreadsheets, or notes on devices?
There’s no easy way to manage these methods across your company, and storing such sensitive information locally with no additional security protections poses serious threats when these devices are lost, stolen, or compromised.
Additionally, more teams are using shared accounts to collaborate on projects. So how do your employees share passwords? Are they emailing the information, sharing it with others on Slack, or putting the credentials in shared documents?
These password-sharing practices are risky and pose a number of problems:
Manual sharing doesn’t come with an audit trail, which can land you in compliance hot water
Not knowing who has access to an account makes investigating security incidents next to impossible
When it comes time to change a password, there’s no easy way to disperse that information to relevant parties
These sharing methods may be less secure, making your sensitive data more vulnerable
Clearly the ways of the past don’t work, but fear not! There are simple solutions to resolve your password management problems.
So you understand why you need to make a change, but how can you ensure that everyone uses unique and strong passwords and stores the credentials securely?
Here are some business password management best practices to follow:
Password policies aren’t usually one size fits all, and businesses need to consider compliance requirements and what kind of data you’re protecting. At a minimum, your password policy should require end-users to set strong passwords that are long and complex. For example, setting a minimum required length, and under what circumstances employees should change their passwords to ensure ongoing security.
You should also define password-related procedures like ensuring the principle of least privilege is applied during onboarding and that access is revoked or passwords are changed during offboarding. A great way to ensure that policies and procedures are followed is by setting a point of contact that is responsible for organizing access control and password management practices within your organization.
Your password policy is only as good as your employees’ ability to adhere to it. Provide training and education to communicate the risks of poor passwords and give employees the tools to manage passwords effectively to stay secure without impacting productivity.
We know, that’s easier said than done. But whenever possible, creating individual accounts instead of shared ones is always better for security. Not only do many services condemn account sharing, it can cause serious issues if you’re trying to investigate a security incident. If a shared account is compromised, finding out how credentials were leaked is much more difficult if five people have access to them. Additionally, audit logs can only tell you when an account was accessed, but not who accessed it. There’s also a high chance that some individuals have over privileged access when you can’t cater it to each person’s job functions.
Some accounts, like social media platforms, don’t have the option to set up separate users. For these cases, we have to come up with a different solution.
When you have no choice but to have employees share account credentials, you want to make sure employees are doing so securely. In comes a business-grade password manager. Choose a password manager that is trusted, has strong security, and built-in sharing functionality. That way when the inevitable password sharing happens, it’s done in a controlled environment.
Let’s look a little closer at how a password manager can help you store and share credentials more securely and the benefits you stand to gain.
We believe that employees want to do their best to keep your systems and data secure. But most people will fall off the wagon if you rely on cumbersome and frustrating manual processes to enforce your password policy.
If you implement complicated rules without giving employees the appropriate support, they may go behind your back and create workarounds that will make it impossible to monitor data access (that’s when you run into the problem of Shadow IT). You need a user-friendly password management tool to support your policy.
A business password manager (e.g., 1Password, LastPass, Dashlane, Keeper) provides a safe location for companies to store login information for sites and apps. It can also generate strong,random passwords when you need to change credentials or create a new account. Most password managers also have features that allow teams or departments to share passwords for accounts with each other securely. This means that passwords are only available to the individuals that really need it, and you can easily understand who has what access. As a bonus, most password managers also support storing and sharing credit cards, secure notes, API keys, and confidential documents.
Introducing a password manager to your business allows IT teams to rest easy knowing credentials are being stored and shared securely and that they can easily track usage and handle access control, even for those pesky shared accounts. On top of a happy IT team, employees will be happy to have enhanced productivity without compromising security.
A business password manager can help you simplify password management while improving security. But they’re just one piece of the cybersecurity puzzle. If we take a step back, passwords are a means to an end - to enhance endpoint security.
You should support proper password management with an endpoint security solution that allows you to gain a bird’s-eye view of your IT infrastructure and rectify risky behaviors such as improper password management.
For example, Kolide can help you ensure that a password manager is installed and updated on all endpoint devices. Kolide’s Device Trust solution notifies end users and educates them on using the application to adhere to your security policy. If an issue is detected, it’ll notify employees so they can address it themselves.
There’s a fine line when it comes to password management. You need visibility into your infrastructure and how end-users access company data without infringing upon employees’ privacy. Using Kolide complements your business password manager to ensure a successful rollout. Kolide is built on the principle of Honest Security and includes a privacy center that shows end-users who has access to their devices and when, so you can have complete visibility without losing employee trust.
Watch our on-demand demo to see how our Device Trust solution can help augment your password management strategy.