Passwords are the keys to your digital assets: it’s how we access applications and data, as well as infrastructure and systems. Often they are characters we type in as part of a logon prompt, but they can also be hidden in code, as an application makes a call to other resources to carry out its tasks.
The management of passwords is a complex process for both operations teams and users. Unfortunately, that complexity often leads to poor password practices, making passwords a high-priority target for cybercriminals: they know that gaining access to the right credentials can give them the keys to an organization’s data kingdom. And that can lead to data breaches that compromise security, productivity, and reputation.
With the complexity of the challenge and the risk that poor password management introduces, you’d think that all IT leaders would have either found ways to address the problem or have it high on the priority list. But is that the case? Recently, I worked on the third iteration of GigaOm’s Enterprise Password Management report, and one of the things that struck me is that not everyone is taking this challenge as seriously as they should, or spending the time to understand why password management is hard and what tools are available to help.
Why Is Password Management So Complex?
Why is password management such an issue? There are a number of reasons.
- The volume of passwords that must be managed and remembered is at the heart of the problem. Users have dozens of passwords, each of which typically needs to be changed regularly, often with increasing complexity requirements. The result is poor password practice: weak passwords, password reuse, and insecure handling of the passwords themselves.
- Password management is tedious and time consuming. It involves dealing with forgotten passwords, discovering where there is risk, and defining and applying robust password policies. Moreover, policies and controls may need to be configured in multiple applications and systems, increasing the overhead further.
- Password policies are difficult to enforce. Organizations need to know how good their password policies are and where they are at risk. The distributed nature of passwords makes this very difficult to grasp and difficult to address.
- Password sharing is a common practice. When access is required to common entities—such as infrastructure, machines, and applications—for maintenance or other purposes, passwords may be shared by operations teams. Other teams may share passwords to marketing and sales tools, and users may need to gain access to resources in the event of another user’s absence. This creates headaches around practicality and security.
Benefits of Password Managers
Password managers can offer significant advantages to organizations. Benefits include:
- Storing passwords securely: These solutions provide a secure, encrypted vault into which all passwords can be placed, enabling easier and more effective management.
- Improving reporting: By bringing passwords under the control of one application, a password manager can assess the effectiveness and security of the passwords and whether they meet the organization’s policies. It can warn of potential risk and help guide users and operations teams to apply better controls.
- Centralizing policy management: With a view of overall password health, a password manager can help an organization to understand the types of policies it needs to deploy and provide a central location from which to apply them. Operations teams can also gain insight into how well policies are adopted and where there may still be risk when policies are not followed.
- Making the lives of users easier: Enterprise users often have to interact with a variety of systems and resources, potentially requiring a number of passwords for access. A password manager removes the burden of remembering multiple passwords, or at the very least, it makes using them less onerous. Password managers take the complexity out of password generation and ensure generated passwords meet company policy. Though enterprise password managers are typically more concerned with work-related security, some provide users with access to personal password vaults, which enables them to improve password security for themselves and their families.
Challenges of Password Managers
Despite the obvious advantages of password managers, there are potential issues to consider.
- Eggs in one basket: This is a common concern and not unfounded: with all of an organization’s credentials in one place, compromise of the vault could be devastating. The security of the vault is therefore hugely important, requiring robust access controls, vault encryption, resilience, and protection. Keep in mind, though, that the risk of the password manager being breached may well be lower than the risk posed by poor password management practices.
- Change is hard: As with most changes, the move to a password manager can be difficult, typically requiring organizations to mandate change in policy and user interaction with passwords and applications. IT leaders will not only need to gain leadership buy-in to password managers but also help users to effectively use them to improve the organization’s security and their own experience. This will take time and effort—but probably less time and effort than recovering from a breach caused by poor password practices.
- Questioning the likelihood and risk of a breach: Password theft is still one of the most common ways cyberattackers gain access. It’s why phishing attacks remain so prevalent and why there is such investment in their continued evolution. The dozens of passwords held by hundreds or even thousands of users, across their personal and business lives, all present a potential security risk. It only takes one compromised password for a bad actor to gain access to sensitive applications and data.
Without a doubt, password management is hard, and finding ways to address it is critical. If you’ve never considered adding a password manager to your security arsenal, go check out some of the vendors in the space and see what they can do for you.
Next Steps
To learn more, take a look at GigaOm’s enterprise password management Key Criteria and Radar reports. These reports provide a comprehensive view of the market, outline the criteria you’ll want to consider in a purchase decision, and evaluate how a number of vendors perform against those decision criteria.
If you’re not yet a GigaOm subscriber, sign up here.