With the rapid increase in data breaches and ransomware attacks, proper password and authentication management is vital for companies to protect their local and cloud assets.  But with that importance also comes increased complexity and the need to deal with more passwords than a person can remember.

There are many ways people attempt to manage their passwords.  We discussed several of those in a previous newsletter (see https://www.spotlink.com/blog/password-management-in-the-cloud-age).  But today, for business users, you really want to use a business password manager. This has several benefits:

  • Allows you to use a unique password for each site: It is common for most people to use the same password on several sites.  Hackers know this, and when a data breach happens on a website, they try that same username/password pair on other sites.  Some high-profile secondary breaches (e.g. the Ring.com attacks) have resulted from these type attacks.  With a business password manager, it is simple to use a unique password for each and every site.
  • Records passwords used by employees so they can be retained even after the employee leaves:  Many employees will memorize a set of passwords they use.  When they leave, especially on short notice, those passwords can be lost, requiring considerable effort to recover their accounts.  With a business password manager, the organization can access those passwords when an individual leaves the company, saving the time and effort of manual recoveries.
  • Automate logging into websites and applications, allowing for long and complex passwords to be used with ease:  One of the problems with using long complex passwords is typing them in when you access a site – leading people to use shorter, easy to remember (i.e. easier to hack) passwords.  But a business password manager can use a browser extension to automatically enter the username and password, making the entry almost effortless, while making it much more difficult for a hacker to break into the account.
  • Generate Multifactor Authentication (MFA) codes in the password manager rather than an individual smartphone:  The typical way to get MFA access is through a text message sent to the user’s mobile phone or by using an authentication app on that phone.  Use of the authentication app, while more secure and convenient, can be especially problematic because if the phone dies, the MFA access is lost if the authentication app doesn’t backup the key to generate the code (some do, some don’t).  But if the code is generated in the business password manager, you no longer have the single point of failure.  Moreover, if you share that password with a coworker, they too have access to the MFA code, so they don’t have to get the code from you each time they go to access the site.
  • Automatically generate secure, complex passwords:  Thinking up long, complex passwords is not simple for humans, but it is for a computer.  Business password managers use password generators to create complex passwords that can be automatically stored in your password database.

A couple additional important points:

  • Wherever possible use MFA!  According to a study by Microsoft, MFA can block over 99.9 percent of account compromise attacks.  So even if a cybercriminal gets your username and password, they won’t be able to access your MFA protected accounts.  Moreover, you’ll indirectly be notified if someone does attempt to use your username and password, as you’ll receive an MFA notification that you didn’t initiate.  If that ever happens to you, change the password on that account as soon as possible.
  • Avoid browser-based password managers (e.g., Chrome and Edge):  These are extremely convenient and easy to use.  Unfortunately, that ease also extends to hackers.  While they have become more secure in recent years, if someone can access your computer or your browser account, they can quickly download your store of passwords.  These browser-based password managers don’t use the strong authentication and tamper protection methods of business password managers.  If you use policy management for your business (e.g. Microsoft Group Policy or Intune) you can disable the use of browser-based password managers for all your computers.

All of this may be transitory, as the industry slowly moves to passwordless accounts.  But until then, business password managers are your best bet to keep your employee passwords secure. There are several good password management systems out there.  LastPass, Passpack, Keeper, 1Password are but a few in a very packed field.

At SpotLink, we use LastPass Enterprise because it is well suited to handle the thousands of passwords we handle, as well as offers both Single Sign-On and password database features.  Moreover, we can also provide this system to our clients to link our password database with theirs (but only what each client wants to share) so we both have up-to-date passwords for our shared usage.

If you are interested in password management system for your business, just reach out to us and we can go over the advantages for your specific business.  

Robert Hood
CEO & Founder
SpotLink