Unlocking the Benefits of Password Managers: Say Goodbye to the Password Struggle

Chances are, you've experienced the password struggle in the last month. For many, the struggle is weekly. 

How many times have you faced the frustration of forgetting your password, only to embark on a tiresome journey of resets and account recovery? We've all been there, grappling with the exasperating dance of resetting passwords. In a customer survey conducted by Entrust, a global firm specializing in digital security, 51% of respondents reset a password once a month or more frequently because they can't remember it, while 15% reset a password at least once a week.

With more digital services available than ever, it's unsurprising that many of us struggle to recall an ever-growing inventory of login credentials. 

But fret not, for there's a simple and effective solution to bid farewell to these password predicaments—the password manager. 

What is a password manager?

A password manager is a software tool or application designed to securely store, manage, and organize passwords for various online accounts and services. Users create a master password or use a biometric authentication method (e.g., fingerprint or facial recognition) to access a larger library of complex passwords. A password manager's primary function is to help users generate strong, unique passwords for each of their accounts, store these passwords in an encrypted database, and then automatically fill in login credentials when needed. Password managers can also offer additional features such as password strength analysis, multi-factor authentication, secure password sharing, and the ability to store other sensitive information like credit card details and personal notes.

So, are password managers a secure and efficient means of safeguarding your passwords?

Should housing organizations require that employees use a password manager?

We ran these important questions by HAI Group's in-house Information Security Manager, Mike Konopka, a CISSP-certified cybersecurity professional.

In this blog, he examines the advantages of utilizing password managers over conventional methods of password storage, outlines best practices for employees interested in implementing them in a professional setting, and highlights essential factors to consider when choosing a password manager.

Furthermore, he delves into the potential vulnerabilities and constraints associated with browser-based password management, offering insights into the continually evolving realm of digital security.

Should employees be expected to purchase and use a password manager?

While good cybersecurity hygiene is everyone’s responsibility, Konopka noted, the responsibility to provide a password manager—as with any software serving a business need—rests with the organization, provided the organization recognizes a business need.

"I strongly encourage the use of a password manager over other methods of password recordkeeping, such as in a digital document or (shudders) sticky note," Konopka said. 

Password managers encrypt passwords, making it extremely difficult for unauthorized users to access sensitive information. Sticky notes and digital documents are much less secure, as anyone with access to your physical workspace or computer can potentially view your passwords.

How should organizations evaluate what password manager to purchase? What are some key features to look out for?

"While there are a fair number of password managers to choose from, organizations should consider their own unique requirements," Konopka said.

These requirements include elements such as trust and confidence in the solution provider, strong encryption of all user data, a zero-knowledge model (i.e., the vendor has no access to a user's unencrypted data), ease of use, features and capabilities, cost, and available support options.

"Useful features to consider that are available in many prominent solutions include variable password generation, storage of browser-based and application-based credentials, password sharing with trusted contacts (e.g., colleagues or family members), and data import/export capabilities," Konopka said. "Check online reviews and be sure to only evaluate well-established vendors with mostly positive reviews."

Many password manager providers offer a limited-capability free version, he noted, and even these free versions may be robust enough for some users. Understanding your organization's requirements and learning the difference between the free and paid versions before making a decision may save you some money.

If an organization doesn't require or provide a password manager, should employees be allowed to use their own for work-related applications?

"The best 'best practice,' as it applies to any software use, is for employees to follow their organization's policies and seek approval for installation or use," Konopka said. "Employees should never be allowed to install software without prior approval."

By requiring prior approval, your organization can assess the password manager's compatibility and compliance with relevant policies and regulations. Installing unvetted software can also lead to security vulnerabilities. Malicious software can compromise an organization's overall cybersecurity posture.

Password managers are designed with strong security measures to protect your stored passwords and sensitive information, but like any software or service, they are not completely immune to hacking.

"There's an inherent risk in virtually everything we do, including using password managers," Konopka said. "However, forgoing a password manager can create even greater risks, such as insecure password storage, overly simple and easily guessable passwords, and reused passwords, all of which contribute to the potential for credential compromise."

The risks associated with password managers can be largely mitigated by good cybersecurity hygiene.

"Choose a strong and unique master password to protect your password storage," Konopka said. "Ensure that the password manager supports multi-factor authentication, and be sure to enable it. Select a trusted password manager with a good track record of providing strong and complete security. Taking these simple steps will significantly mitigate any risk of using a password manager." 

Are browser-based password managers, such as those offered in Chrome and Edge, a good option for password storage?

"While browser-based password managers are convenient, they're not considered equal to a dedicated password manager," Konopka said. "Perhaps the greatest risk of a browser-based password manager is that if a malicious actor is able to compromise the user’s browser profile, the credentials saved to the browser may be exposed."

This is particularly concerning for individuals using other services available from the browser, namely email, as phishing is the number one vector for credential theft, Konopka added. Browser-based password managers don't always have encryption strength comparable to dedicated solutions, or offer some of the required or desirable features previously discussed.

Are there safe credential management options besides password managers?

According to Konopka, in a work environment, single sign-on (SSO) is the "holy grail of credential management."

"SSO allows authorized users (e.g., employees and contractors) to access resources—often seamlessly—with a single identity and enables the organization to control user access across network resources using a consolidated identity provider," Konopka explained.

SSO simplifies the user experience by eliminating the need to remember multiple usernames and passwords for different services. It also provides organizations with centralized control over user access, making it easier to manage and secure their digital resources.

"Where SSO isn’t an option, a password manager is the solution," Konopka said. 

Are there any other password best practices for housing organizations to consider?

Strong passwords are long, complex, and unique, according to Konopka.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommends passwords of at least 16 characters. A complex password generally includes at least three of the following four elements:

  • Uppercase letters
  • Lowercase letters
  • Numbers
  • Special characters

A unique password is only used for a single resource. As is often the case, it's critical to keep your work life and personal life separate. 

"Never use the same passwords between work and personal accounts," Konopka said, adding that he prefers passphrases over passwords. "Passphrases are inherently longer but easier to remember while still being complex and unique."

Passphrase examples (don't use these; they're just for inspiration):

  • ILIkeIceCreamOnAnyDayThatEndsIn"Y"LOL!
  • WhoElseThinksThe4thofJulyisthebestHoliday?
  • WeReallyenjoyedVisitingCancun,mexicoIN2019.

Whether you're using a password manager at home or at work, consider using a passphrase for master access. 

"Take advantage of the auto-generated passwords function available in a password manager to create long and complex passwords that are unique to each resource but all organized and accessible with your master passphrase," Konopka said. 
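As an added illustration that is not part of the original article or any vendor's product, the following Python checks the example passphrases above against the stated rule (at least 16 characters, at least three of the four character classes) and generates a random password the way a manager's generator function would. The two weak inputs in the demo and the `generate_password` design are constructed for this example.

```python
import secrets
import string

# The article's rule: at least 16 characters (CISA) and at least three of the
# four character classes (uppercase, lowercase, digits, special characters).
MIN_LENGTH, MIN_CLASSES = 16, 3
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

def classes_present(secret: str) -> set[str]:
    """Names of the character classes that appear in `secret`."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in secret)}

def meets_policy(secret: str) -> tuple[bool, list[str]]:
    """Return (passes, reasons); reasons names each failed requirement so the
    user can be told why a choice was rejected rather than just 'weak'."""
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"length {len(secret)} < {MIN_LENGTH}")
    present = classes_present(secret)
    if len(present) < MIN_CLASSES:
        reasons.append(f"only {len(present)} of {len(CLASSES)} character classes")
    return (not reasons, reasons)

def generate_password(length: int = 24) -> str:
    """Random password covering all four classes, as a manager's generator does
    (illustration only). Uses the OS CSPRNG via `secrets`, never `random`."""
    if length < len(CLASSES):
        raise ValueError("too short to contain every character class")
    alphabet = "".join("".join(sorted(chars)) for chars in CLASSES.values())
    while True:  # rejection sampling keeps every character uniformly random
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if classes_present(candidate) == set(CLASSES):
            return candidate

EXAMPLES = [  # the article's passphrases: for inspiration only, never for use
    'ILIkeIceCreamOnAnyDayThatEndsIn"Y"LOL!',
    "WhoElseThinksThe4thofJulyisthebestHoliday?",
    "WeReallyenjoyedVisitingCancun,mexicoIN2019.",
]

if __name__ == "__main__":
    for pw in EXAMPLES + ["password123", "correcthorsebatterystaple"]:  # last two constructed
        ok, why = meets_policy(pw)
        print("PASS" if ok else "FAIL", repr(pw), "; ".join(why))
    print("generated:", generate_password())
```

Note that a long all-lowercase passphrase fails this particular rule on class count alone, which is why the article's examples mix case and punctuation.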

Bottom line: While the password struggle is a common challenge, adopting a password manager offers a practical and secure solution.

Password managers simplify the online experience and significantly enhance digital security. By following best practices and making informed choices, you can ensure your online profiles at work and home are more secure and convenient than ever before.

Visit our Cybersecurity Center to access cybersecurity training and awareness resources curated for the public and affordable housing industry.

This article is for general information only. HAI Group makes no representation or warranty about the accuracy or applicability of this information for any particular use or circumstance. Your use of this information is at your own discretion and risk. HAI Group and any author or contributor identified herein assume no responsibility for your use of this information. You should consult with your attorney or subject matter advisor before adopting any risk management strategy or policy.