What do email addresses, cloud service accounts, online bank accounts, and Software-as-a-Service accounts have in common? Beyond being on the internet, they all require passwords.
Of course, creating and entering account credentials can be such a hassle that your employees are tempted to just use the same username and password for all of their accounts. This might make things easier, but once hackers gain access to one account, they gain access to them all. It’s therefore best to have unique credentials across all of your corporate accounts, but it's tricky for account holders to remember them all.
This is especially true when passwords are required to be of a certain length, contain symbols and uppercase letters, and have to be changed every month or so. Making passwords varied and complex increases the security of your accounts — easy-to-guess passwords such as “password” are in hackers’ databases, ready to be used in brute force attacks (i.e., attempts at guessing your password via automated entry) — but these become more difficult to manage the more your company grows. Is there any way for small- to medium-sized businesses (SMBs) to deal with all this password-fueled madness?
The answer to this is a resounding yes: just use a password manager.
What are password managers?
These are apps, plugins, and web extensions that let you securely store credentials for your accounts by encrypting them before they are sent to storage (be it in the cloud or on users’ local machines). Functions can vary from app to app, but most password managers share the following features:
- Account credential entry – pulls credentials from storage and enters them into the appropriate login form fields for the user.
- Password strength indicator – shows whether a password is weak or has been used before.
- Password action notification – sends notifications to users and admins if a certain action is performed on a password. Some of the more common actions that will elicit email or app notifications include:
  - Password has been viewed
  - Password has been reset
  - Password has expired
  - Password has been used on an unfamiliar device
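
As an added illustration (not from the original article and not any vendor's code), here is how a strength indicator like the one described above could flag weak and reused passwords. The common-password list, the 12-character minimum, and the sample vault are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample of commonly guessed passwords; a real tool loads a far larger list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12  # assumed policy value, not taken from the article


def weaknesses(password):
    """Return the reasons a password counts as weak (empty list = none found)."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("common")
    if len(password) < MIN_LENGTH:
        reasons.append("short")
    if not any(c.isupper() for c in password):
        reasons.append("no-uppercase")
    if all(c.isalnum() for c in password):
        reasons.append("no-symbol")
    return reasons


def audit(vault, key=None):
    """Map each account to its findings: weakness reasons, plus 'reused' if shared."""
    # Keyed fingerprints let the reuse check compare passwords without
    # building a plaintext index of them.
    key = key or secrets.token_bytes(32)
    tags = {acct: hmac.new(key, pw.encode("utf-8"), hashlib.sha256).digest()
            for acct, pw in vault.items()}
    counts = Counter(tags.values())
    return {acct: weaknesses(pw) + (["reused"] if counts[tags[acct]] > 1 else [])
            for acct, pw in vault.items()}


# Constructed sample vault (account -> password), for illustration only.
SAMPLE_VAULT = {
    "email": "password",
    "bank": "Tr4il-Mix&Copper!9",
    "crm": "Summer2024Summer",
    "cloud": "Summer2024Summer",
}

if __name__ == "__main__":
    for account, findings in audit(SAMPLE_VAULT).items():
        print(account, findings or "ok")
```
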
Are password managers safe to use?
Yes…to an extent. As nothing is ever perfect, security flaws have been discovered in some of the more popular password managers. Earlier this year, a Washington Post article reported that flaws in the apps left master passwords (i.e., the keys that grant users access to their account credentials) in plain text form within the computer’s memory. This means that hackers who have access to your PC can steal your master password and gain access to all the credentials you’ve locked away.
However, the Post noted that, at the time of writing, there was no evidence of hackers rummaging through PCs’ memory (to do so, they would have to either be where the PCs are located or use malware that takes over computers), and that the app developers had been addressing those holes in their security.
And, generally speaking, hackers prefer to exert the least amount of effort to obtain the largest possible gains. This means they’ll often cast wide phishing nets instead of targeting PCs individually — unless a machine belongs to a very high-value person.
In short, it’s still safer to use a password manager than none at all because the app will make hackers exert more time and effort in exchange for a smaller payoff — something that they are not prone to doing. Just have everyone in your organization take special care when setting their master passwords. If everyone makes theirs unique, commits it to memory, and never discloses it to anyone, then everybody’s credentials will be safe.
Using a password manager is just one piece of a complete cybersecurity strategy. To learn more about how you can develop such a strategy for your own business, talk with our experts at XBASE Technologies. Our Exponentially Better™ cybersecurity services are deemed best-in-class in Toronto and beyond.