9 Foolish Ways to Erode Your Password Manager Security
November 23, 2020
If you roll out a password manager in your business, there are many great benefits that should improve the security of your organization. Password managers make it easy to generate strong, unique passwords. Password managers make it easy to revoke access to passwords for key company resources when an employee leaves the company. Password managers reduce the frustration of trying to develop mental memorization systems or notepad / post-it style approaches to recording and recalling passwords.
Still, to get the full benefit of a companywide password manager rollout, there are some common mistakes that are important to avoid. The mistakes that we'll describe here are ones that significantly erode password manager security. So, without further ado, here are nine mistakes to avoid in your organization's password manager practices:
1. Using Separate Consumer Accounts
This mistake is #1 on the list for a reason. When we begin working with a new client and discuss current password management practices, we are often able to uncover the use of separate, individually-registered password manager accounts within the organization. That is, individual employees register separate password manager accounts that have no connection whatsoever to the organization, and store business-related credentials in them.
Without insight into what individually-registered password manager accounts employees have, there is no mechanism for orchestrating the types of controls that are relevant in many common security events. No ability to revoke access to passwords upon departure of an employee. No ability to manage settings that control how often the user needs to re-authenticate to continue to have full access to the usernames/passwords. No diagnostics around password strength. No surfacing of instances where Shadow IT creeps into the organization's business processes.
2. Poor "Master Password" Practices
When employees begin storing their business passwords in a business-grade password manager, they choose a Master Password that guards access to the entire vault of credentials. That can be either wonderful, or awful. If users choose a strong, unique master password -- and successfully memorize it -- then the use of the business-grade password manager is off to a great start.
If, however, employees pick a weak master password, the business is taking a significant risk. What if the password is one that the company "traditionally" uses for shared resources? What if the password is on a post-it note next to the employee's keyboard? What if the password is one that is weak enough to be on various brute force password lists?
If the master password is the gateway to dozens or hundreds of account credentials, then it is absolutely essential that the master password follow best practices.
3. Sharing & Forgetting
Ever share a credential with another employee? Or a contractor, vendor, or partner? It happens. Often for real, legitimate business purposes. But we all know what usually happens next. Do we ever remember to revoke those shared credentials? Be honest.
Business-grade password managers have back-end capabilities that help to manage sharing mechanisms, permissions, and more. If you haven't checked on this aspect of your administrative backend for your password manager, now is a great time to check it out.
4. Forgetting Screen Locking
Suppose you have employees that are all dutifully using the company-issued password manager. And, suppose they all chose strong, unique master passwords. Great!
Now for a "what if" scenario. What if an employee who is logged into their password manager (for example, with their vault open and available in their browser extension) unexpectedly leaves their laptop unattended? We all like to think that we're in the company of trustworthy people. But, in a hotel lobby, coffee shop, or other public place, that's not an assumption that is compatible with companies that have security obligations to customers.
Bottom line: don't forget to roll out a screen locking policy that causes unattended laptops to automatically switch to a "locked mode" after some reasonable period of time.
5. Failing to Think About Mobile
All business-grade password managers have mobile apps that allow vault access. Some business-grade password managers have administrative configuration capabilities that allow for specifying whether certain groups of employees are or are not allowed to connect to the password manager from the mobile app. It's time to get real about the question of which employees have a genuine on-the-go need to access their business password vault, and to pair that understanding with Bring Your Own Device policy discussions that help employees rally around the security obligations that come with flexible mobile device use.
6. Forgetting Pre-Authorization for Vault Transfer
This one has a "gotcha" that you may not yet realize. Some business-grade password managers require employee authorization before the administrator can transfer the employee's vault to another employee, should the employee leave the company. Yes, you read that right. An employee using the company-issued password manager may need to pre-authorize the company's right to transfer their credentials under certain circumstances. Does your password manager require this? If so, it is best to gather those consents as part of ONBOARDING. Not as part of the 30 minutes prior to an employee being terminated.
7. Non-Removal of Former Employees
When an employee is terminated, there may be a long list of resource and access transitions to manage. One important one to remember is to lock/remove access to their password manager (presumably as part of a sequence that also transfers their vault contents to some other internal destination).
8. Forgetting 2FA Enforcement
We recommend the use of 2FA on all services that support it. However, the three highest priority resources on which we most strongly and immediately recommend enabling 2FA are as follows: 1) Financial Accounts, 2) Password Vaults, 3) Corporate Email Accounts. There are many other systems that employees access that should have 2FA enabled, but in terms of priority, ensuring that employees have 2FA on their password vaults should rank very high on the "to do" list.
9. Dual Use of Browser + Add-On Password Managers
Ever notice that browsers are increasingly (automatically) offering to remember passwords that you enter on login/sign-in forms? We see this frequently, even in cases where the username/password were auto-populated by a business-grade password manager. It can be confusing. For an employee that is less familiar with this type of browser capability, it would be EASY to imagine confusion about whether the popup is from the browser's internal password manager versus the company's business-grade password manager. Some team awareness / training / education can help your team avoid accidentally storing their business passwords in an additional, undesired, browser-managed vault.
Password Manager Security Wrap-Up
Using a business-grade password manager (like the one that comes with every Havoc Shield account) is an important step for your organization's security. But, alongside that rollout, a brief review of the above items can ensure that you receive the full benefit that you expect. Any questions about this or any other aspect of your company's cybersecurity posture? We're glad to help.