One of the most dangerous workplace cybersecurity vulnerabilities is also one of the easiest to avoid. Managing a wide range of passwords can be overwhelming for employees, so they often opt to write their passwords down on sticky notes and leave them on their desk or tape them to their computer. This makes those passwords ripe for compromise by threat actors who manage to infiltrate the company facilities, or by insiders who casually walk past a co-worker and perform a shoulder surfing attack to get their passwords.
Luckily, Password Managers have emerged to combat both the difficulty of password memorization and the vulnerabilities posed by writing said passwords down on paper. A Password Manager is a special piece of software that allows a user to store all their usernames and passwords in a secure, encrypted vault. This vault is sealed with one master password set by the user. Now, the only password the user needs to memorize is the master password to their vault. After unlocking their vault, users can browse to their necessary company resources and have the Password Manager autofill their stored username and password for the resource. This functionality can provide an excellent boost to workplace efficiency.
Password Managers typically come in two forms. One is a desktop program that is installed and managed from the user’s PC desktop. The other is a browser extension that is installed on the user’s choice of web browser and managed from the extensions section of the browser interface. The latter is the more common implementation. Some Password Managers can be completely offline, installed directly on the user’s PC, and completely isolated from any storage on the Internet. This can be a comforting feature for users who don’t want their passwords stored on a third party’s servers. That skepticism is not at all unfounded, as some major Password Managers have experienced breaches in the past that exposed their customers’ personal passwords. Perhaps the most famous incident involves LastPass, a major provider that was hacked in 2022, resulting in the breach of an estimated 30 million customers’ passwords.
Complete, blind trust in a Password Manager is not appropriate. Your organization’s cybersecurity team should meet and discuss the pros and cons of implementing third-party password managers. Many find that the risk is acceptable in exchange for the workplace convenience of easy password storage. Once you and your team have decided whether to implement a password management solution, make sure to find one that is financially and technically feasible for your business environment. It's always a good idea to consider the reputation of different solutions.
After implementing workplace Password Managers, perform regular usage audits to ensure stable functionality and responsible usage by employees.