Password Managers SHOULD be implemented and utilized by all business personnel, and training on their secure usage SHALL be provided if implemented.

Managing a wide range of passwords can be overwhelming for employees, so many of them opt to write their passwords down on sticky notes and leave them on their desk or tape them to their computer. This makes those passwords ripe for compromise by threat actors who manage to infiltrate the company facilities, or by insiders who casually walk past a co-worker and perform a shoulder surfing attack to retrieve the passwords.

Password Managers have emerged to combat both the difficulty of password memorization and the vulnerabilities posed by writing passwords down on paper. A password manager is a special piece of software that allows a user to store all their usernames and passwords in a secure, encrypted vault. This vault is sealed with one master password set by the user. The only password the user needs to memorize is the master password to their vault. After unlocking their vault, users can browse to their necessary company resources and have the password manager autofill their stored username and password when they authenticate to resources. This functionality can provide an excellent boost to workplace efficiency.

Password managers typically come in two forms. One is a desktop program installed and managed from the user’s PC. The other is a browser extension installed in the user’s web browser of choice and managed from the browser’s extensions pane; this is the more common implementation. Some password managers are entirely offline: installed directly on a user’s device and isolated from any storage on the Internet. This can be a comforting feature for businesses that don’t want their employees’ credentials stored on a third party’s servers. That skepticism is not unwarranted, as some major password managers have experienced breaches that exposed their customers’ personal passwords. Perhaps the most famous incident involves LastPass, a major provider that was hacked in 2022, resulting in the breach of an estimated 30 million customers’ passwords.

Putting blind trust in a password manager is not appropriate. An organization’s senior management should meet to weigh the pros and cons of implementing a third-party password manager. Many find the risk acceptable in exchange for the workplace convenience of easy password storage. If they decide to implement a password management solution, the business should ensure that the product selected is financially and technically feasible for its environment. The reputation of each candidate product needs to be carefully vetted and compared against competitors; a history of breaches should raise concern. Once a solution is chosen, the business must ensure that its workforce is carefully trained on the appropriate use and maintenance of their individual password managers, and must regularly review and monitor password manager use so that noncompliance with the applicable standards is caught and addressed.