One cybersecurity solution that is becoming widespread for both businesses and individuals is password management. Password managers are applications that store and defend passwords for online accounts. They can help protect against some of the most damaging economic consequences of a cyberattack. A good password manager will generate strong, unique passwords for each company account. By making it difficult for criminals to obtain sensitive data, password storage solutions serve as the first line of defense for a modern organization.

Cybersecurity experts strongly recommend using a password manager to safely store account information. Businesses, governments and other large organizations are especially advised to install password managers on all connected devices, including desktops, laptops, tablets and smartphones. Because they create and store value, these institutions are often targets for cybercriminals. By ensuring the security of their accounts, they can reduce the chances of a crippling cyberattack.

Why Password Storage?

In the connected workplace, businesses often rely on dozens of online accounts. It can be difficult to keep track of login credentials to a handful of accounts. That difficulty increases the likelihood that people will cut corners on cybersecurity, leaving themselves and their companies vulnerable to a cyberattack.

There are two primary ways that people cut corners when setting up and recording login credentials without a password storage solution. The first is credential sharing. This occurs when people use the same username or the same password for a number of different accounts. Credential sharing makes it easier to remember one’s login credentials, but it leaves organizations vulnerable to threats. The other way that people cut corners on the creation and documentation of their login credentials is by setting up weak passwords. Weak passwords are simple and thus easy to remember. However, by putting convenience over cybersecurity, people invite cyberattacks.

It is theoretically possible to create and record a number of completely unique, complex user passwords for accounts. However, this process is cumbersome because it requires users to keep the physical, paper records of their credentials on them at all times. In a larger organization, the chances that someone forgets their unique password paper at home on any given day are quite high.

Password storage solutions arose as a way to ensure the security of sensitive credentials without creating an inconvenient burden on business operations. Organizations that regularly use multiple devices can use one password vault that syncs multiple passwords across devices.

kc-whitepaper-cover

Identity & Security: Addressing the Modern Threat Landscape

Download the Identity & Security: Addressing the Modern Threat Landscape whitepaper to find out how cybersecurity and IAM have evolved to protect the people, processes, and technologies of a modern enterprise in an increasingly ominous threat landscape.

Download Now

Password Managers Defend Against Cybersecurity Threats

Password storage is a necessity in the connected workplace. Businesses that do not have a secure password manager are vulnerable to a number of cyberattacks. Among them are credential stuffing and password spraying.

Both credential stuffing and password spraying belong to a class of cyberattacks known as identity-based attacks. As the name would suggest, these attacks operate on the basis of the target’s identity, which includes username and password credentials. According to the CrowdStrike Falcon OverWatch™ threat hunting team, some 80% of breaches are identity driven. This makes password storage an important facet of any solid cybersecurity strategy.

In credential stuffing, a cybercriminal steals login credentials from one system and tries to use them to access an entirely different system. This tactic is popular because people often use similar credentials across a number of accounts. For example, an individual may be tempted to use the same password to log in to their bank account, credit card and social media account. While this approach makes it easy to remember one’s login credentials, it also creates a security risk. It is imperative that every account has a unique password to avoid credential stuffing.

Credential stuffing has become more popular in recent years as tens of billions of usernames and passwords have been stolen or leaked. Another factor that has accelerated the use of credential stuffing is advancing technology. Bots can fairly easily be programmed to practice credential stuffing. Finally, the shift to remote work during the COVID-19 pandemic has caught many companies off guard, without a solid footing in cyber best practices.

Password spraying is a somewhat different tactic. In password spraying, a threat actor tries to access multiple accounts on the same application with a single password. A threat actor is a person or organization who sets out to cause harm in the digital sphere. Threat actors have developed the “spraying” tactic because it allows them to avoid account lockouts.

If a threat actor were to try to input many different passwords to access one account, they would be locked out. However, by “spraying” many different accounts, they can get around this obstacle. This form of the brute force attack, a trial-and-error approach to discovering login credentials, is particularly successful against businesses that practice password sharing.

Password storage solutions can help protect businesses from both password spraying and credential stuffing. Though it can be difficult for every employee of a business to keep track of numerous, entirely unique credentials, a password manager can do this work for them. By ensuring that there is no overlap between passwords, the application makes credential stuffing impossible.

Password managers are also useful tools in the defense against password spraying. A solid password storage solution will be able to enforce strong and complex passwords that defy guessing. IT teams can also defend against these attacks by setting up login detection and implementing strong lockout policies.

Different Types of Password Managers

Because they only require one set of credentials for employees to log in to multiple accounts, password managers are one type of single sign on solution. Single sign-on, or SSO for short, is widely used by individuals, businesses and governments because it offers unparalleled convenience. However, not all SSO solutions are secure. The same is true of password managers.

There are a number of different password managers available on the market. Each comes with its own array of features. While some are of secondary importance, others are absolutely critical for cybersecurity. By choosing the right collection of features, businesses can ensure that everyone has a strong password. The best password manager is one that offers a business the features it needs at an optimal price.

Encrypted vs. Unencrypted

Encryption is an absolute must for any password manager. No password storage solution is worth anyone’s time or money unless it uses strong encryption. The password vault of the manager needs to be encrypted, or it will do more harm than good by making it easy for a threat actor to obtain all of an organization’s passwords in one fell swoop.

Integrated vs. Standalone

A number of password managers offer full integration with web browsers as plugin tools. Browser integration is desirable because it offers automatic form filling on websites, doing away with the menial credential entry work that can make logging in a headache. Yet browser integration can also create a cybersecurity risk, so it must be evaluated on a case-by-case basis.

Local versus Cloud

Cloud-based password managers are widely regarded as being superior to local password managers because they make it easy to sign in to an account from any device. A local password storage solution will only work on one device, limiting its utility in the modern workplace.

As with browser integrations, cloud-based tools come with their own unique vulnerabilities. Generally speaking, a well-encrypted local password manager will be more secure than a well-encrypted cloud password storage solution. Businesses must weigh the balance of convenience and security that is right for them to choose the best password manager.

Password Generation

Password generation is another valuable feature for any password storage solution. A good password generator will be equipped with an algorithm to generate random passwords. Companies can rely on password generation to eliminate weak passwords and ensure that their credentials are secure with strong, unique passwords.

Although it may seem impossible, random password generation can result in predictable patterns. That is because some random password generators use pseudorandom algorithms. This can make it risky to use some online password generator tools. Cybersecurity experts recommend either using an open-source password generator, which is more secure because it can be audited by anyone, or using a password manager that can verify that its algorithm generates a truly random password.

Multifactor Authentication

Multifactor authentication, or MFA for short, is the norm in industries such as finance, health care and law enforcement. In fact, everyone who has ever used an ATM has used multifactor authentication because the combination of the card and pin code count as two different forms of verification to access a bank account. This feature is a must for a secure password storage solution.

Password storage solutions may be customized to require MFA when employees try to access particularly sensitive company data. While MFA cannot guarantee the security of vital assets, it represents a big obstacle for threat actors to hurdle.

One form of multifactor authentication, biometric authentication, is becoming increasingly important for organizations demanding the highest standards of cybersecurity. Biometric authentication might include such things as eye scans or fingerprints, and it is difficult to evade.

Learn More

Gaining credentials allows attackers to impersonate the account owner and appear as someone who has legitimate access, such as an employee, contractor or even a third-party supplier. Learn how MFA can strengthen user authentication.

Blog: Credential Theft: An Adversary Favorite

Storage Options

Password storage solutions also have differing storage options. Large organizations require unlimited password storage to prevent a data breach. It is crucial that every saved password used by an employee is securely stored in the password vault. Having the possibility to generate and use unlimited passwords on multiple devices will help protect against a data breach.

Benefits and Risks of Using a Password Manager

Password managers promise to marry security and convenience. By generating a set of complex passwords, they ensure that every company account has solid password security. By storing every password under one roof and automating the login process, they minimize the amount of work that employees need to do. That sounds like an ideal compromise.

However, password managers are not without their own set of risks. Some security experts worry that they may create a moral hazard issue by making it seem like employees do not need to concern themselves with security. In fact, every employee who signs on to a corporate account should make it their business to contribute to the defense of vital company assets.

Moreover, cybersecurity specialists point out that companies are the prime targets of cyberattacks and that the centralization that makes password managers so convenient also makes them a valuable prize for threat actors. Though it is cumbersome, they argue that only a pen-and-paper approach to secure password storage is free of cyber risk.

It is certainly true that there is no password manager that does not carry risk with it. For that reason, cybersecurity experts recommend the use of multifactor authentication for the master password of a password manager. MFA can help to ensure that even if a threat actor obtains the password, they will be unable to access the account.

All password managers have their limits. If a threat actor discovers login credentials and can physically access a device, then no password storage solution will be able to keep data safe for long. That is why physical security is an important component of any cybersecurity strategy.

What to Know about Browser-Based Password Managers

Every major web browser offers a built-in password manager. These solutions are certainly convenient, and most of them automatically fill out forms for users. However, they also lack the strong security protections that are a must for any company looking to ensure the security of vital information.

For example, the password storage solution offered by Google Chrome and Microsoft Edge stores unencrypted passwords to the device’s hard drive. This means that any threat actor who accesses the hard drive will have access to every password a business uses. Unless the hard drive is itself encrypted, then these tools create serious vulnerability to cyberattack. The Chrome password manager and Edge storage solution may store strong passwords, but they cannot protect them against cyberattack effectively.

Some browser-based password managers, such as the one offered by Mozilla Firefox, do offer encryption. But Firefox’s manager does not have a password generator, which can leave businesses with weak passwords. Moreover, it doesn’t sync across platforms because Firefox won’t sync on iOS devices. Since remote work is likely to be an integral part of the business landscape for years to come, that can leave a major gap in security.

Setting Up a Password Manager

Password managers are fairly simple to set up. The most important part of the setup process is the master password. Since this holds the key to all of a business’s account information, it is absolutely crucial that the master password is complex. A complex password can be obtained with a random password generator tool.

It can be a good idea to store the master password the old-fashioned way, on a piece of paper. Multifactor authentication is recommended as a best practice for logging in to the password manager. In some cases, biometric authentication may even be the right choice for the master password. That way, even if a threat actor accesses the master password, they won’t be able to view valuable company secrets.

However, it is important to note that sophisticated threat actors have found ways to bypass MFA. For example, a study from CyberArk Labs found that sensitive data can be extracted from the Chrome browser’s memory. This can only be done if the actor has access to the device running Chrome, so a lapse in physical security is required for it to go through. Still, the possibility is worrying because it means that if one device is misplaced or lost, a sophisticated attacker can gain access to other devices, even if those devices have MFA.

The next step is to use the secure password storage solution’s password generator to change every weak password to the best password possible. All business accounts should be protected by robust credentials. Many secure password storage solutions offer a built-in security evaluator that will rate the strength of passwords and recommend changes where appropriate.

Due to the popularity of credential stuffing, no passwords should be shared across accounts. Password storage solutions should be able to review user passwords to identify and update any duplicates.

In addition to storing sensitive login credentials, many password managers can be used to store data such as credit card numbers. Encryption ensures the security of these important assets. Businesses may decide to utilize these functions to streamline the use and sharing of information.

Because mobile devices are an integral part of the connected workforce, it is important to set up the password manager on any device that will be accessing company information. Phones and tablets can act as gateways into multiple accounts, so employees shouldn’t be left to record credential info on their own, lest they use an unsecure method for doing so.

Venu Shastri, a seasoned Identity and cybersecurity product marketeer, serves as Director, Product Marketing at CrowdStrike for Unified Endpoint & Identity Protection. With over a decade of experience in identity, driving product marketing and management functions at Okta and Oracle , Venu has a US patent on passwordless authentication. Prior to his identity experience, Venu had co-founded and drove product management for an enterprise social software start-up. Based out of Raleigh, NC, Venu holds an MBA from the University of Santa Clara and Executive Certification from MIT Sloan.