(Updated 10/08/2020)
Many cybersecurity experts agree that the use of reputable password managers can help prevent some of the issues associated with identity and access management.
With insider threat incidents on the rise, password managers can help teams reduce the risk of credential theft as a result of weak or reused passwords. However, password managers are not flawless and have their own drawbacks.
Here are some of the top benefits and risks of password managers, so your team can make the right choices when evaluating and implementing these solutions.
Risk: Autofilling Passwords
Suppose your employees use browser-based password generators that come with most browsers like Safari and Chrome or use dedicated password managers with an autofill option. In that case, they may be opening themselves up to unnecessary risk.
According to a recent study from Princeton’s Center for Information Technology Policy, third-party scripts used by online advertising and web tracking firms can create invisible forms that capture autofilled passwords, exploiting these solutions. These scripts were found on more than 1,000 of Alexa’s top million websites.
For these reasons, some top password management solutions have refused to add autofilled passwords as a feature, despite frequent requests from users. Look for a solution that allows you to turn autofilling off, or doesn’t leverage this feature at all.
Risk: Bugs in Password Management Software
Like any third-party software (no matter how trusted), password management solutions have their bugs. PC World recently reported that Google’s security team had outed several of the top password managers by finding bugs and exploits in their software. While these software providers quickly resolved these issues, cybersecurity professionals should still be wary of recent incidents involving password managers.
The same PCWorld article advises conducting a web or Twitter search of the password management vendor’s name plus the word “hacked” to uncover whether the solution has been recently exploited, as well as what measures their team has taken to resolve the incident.
In addition, checking sites such as “Have I Been Pwned” can help determine whether users’ accounts have been breached. Paying attention to what trusted researchers and news outlets have to say about these solutions could save a lot of agony in the evaluation process.
Benefit: A Rotating Vault of Unique Passwords
Some password managers (such as 1Password, and local storage vault alternatives such as KeePass, EnPass, and LastPass) require the user to fill in a unique, “unhackable” master password that unlocks a password vault. The vault generates a unique password every time the user logs into a service (rather than autofilling the same password each time). These tools also use strong encryption standards such as AES-256 and SHA-256 to encrypt password databases.
The practice of rotating credentials has long been used in the cybersecurity community for privileged access management. A password manager is a more user-friendly approach to ensuring that every employee adheres to a similar best practice across the organization.
Some employees may attempt to circumvent a password vault because it adds an extra step to their workflows, or they prefer the ease of a browser’s autofill solution. For these users, it’s important to educate them about the risks (see the Princeton study above) and help them understand that these measures are intended to protect them from credential theft—not just introduce unnecessary inconvenience.
Benefit: Reduced Margin for User Error
One of the biggest benefits of using a password management solution is reducing the margin for user error.
Password-related errors can take many forms, including weak (“passw0rd1234” folks, we’re looking at you!) and reused credentials. According to a recent Virginia Tech study, 52% of people reuse their passwords across multiple services. What’s more alarming, 16 million passwords can be cracked within just ten guesses (including all of the reused passwords analyzed by the study!)
Reducing this type of behavior is one of the primary reasons to use a password manager. Insider threat statistics from the Ponemon Institute show that two out of three insider threat incidents happen because of employee mistakes. If these password management solutions cut down on the number of user errors, the cost of insider threats could potentially be significantly reduced. This is particularly useful if your organization can standardize the password manager used by all parties in the organization.
Conclusion: Enforce the Use of a Quality Password Manager
The benefits of using a password manager far outweigh the risks. However, password vaulting solutions can be significantly more difficult for users than the browser-based autofill password managers that many may be used to. It’s critical to not only adopt the use of a password manager, but also ensure that users understand how to use the solution properly every time they log into a service.
If employees are aware of some of the staggering research behind password compromises, they’ll be far more likely to adhere to the use of a password management solution.
For more advice and tips on proactive user coaching for insider threat management, check out some of our past Coachable Moments posts.
Subscribe to the Proofpoint Blog