Small business security requires a password manager
Passwords are, in many ways, a failure as a security measure. Weak and compromised passwords are one of the top ways that users, systems, and data are compromised. Think of the online accounts for your own small or medium-sized business and how much damage a criminal could do to you with access to them. Think about the damage an attacker could do with an administrator account on your network before you become the latest victim of ransomware.
Meanwhile, users and businesses are compromised every day because of weak and breached passwords. You hear about password breaches all the time. Do you play Words with Friends (WwF)? In September, a hacker stole the user data for 218 million WwF users from Zynga, the company that makes it. You can find out if you were affected by checking Have I Been Pwned? (HIBP), a site that collects the data from such breaches to allow users to find out if they are affected. At the end of 2019, the total number of compromised accounts in the HIBP database was more than 9 billion, 5,081,613,319 of them in the 10 largest breaches.
Attackers take the credentials stolen from one service and use them to attempt to log into other services. This is called credential stuffing, and the consequences can be severe. Do you reuse the same username (probably your email address) and password on more than one site?
Better security measures than passwords are becoming available, but they have their own problems and don't work with every site users may need to log into. So, as a practical matter, most organizations, smaller ones in particular, will be stuck with passwords for some time. Then, the question is: What is the most secure—or least insecure, if you prefer—way to use them? The answer is to follow best practices, and the only practical way to follow best practices is to use a password manager.
Passwords the right way
Among the best practices—i.e., the things you know you should do but won't because they're really hard—are:
- Do not reuse passwords. Use different passwords for every website.
- Use relatively long and complex passwords like "8&TifWT4h6jS06" rather than easy-to-remember ones like "letsgomets."
- Make sure your passwords are not on any of the many lists of breached passwords.
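The second and third practices above can be automated. The script below, an added example rather than code from the article or from any password manager vendor, generates a password of the "8&TifWT4h6jS06" kind from the operating system's CSPRNG and then checks a candidate against a breach list the way Have I Been Pwned?'s Pwned Passwords range API works: only the first five hex characters of the SHA-1 hash are sent, the service answers with every hash suffix it holds under that prefix, and the match is made locally, so the password itself never leaves the machine. To run offline, the breach list here is a constructed stand-in (the "letsgomets" example from the text plus two made-up entries with made-up counts) in place of the real `https://api.pwnedpasswords.com/range/<prefix>` response; swapping `lookup_range` for an HTTP call to that endpoint is the only change needed for a live check.

```python
"""Generate a strong random password and check candidates against a breach list
using the k-anonymity scheme Pwned Passwords uses (SHA-1, 5-hex-char prefix).
Added example: the breached list is constructed for the demo, not real data."""
import hashlib
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 16) -> str:
    """Draw characters from the CSPRNG until the result contains every class
    (lower, upper, digit, symbol); the retry loop rejects rare one-sided draws."""
    if length < 8:
        raise ValueError("password length must be at least 8")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent out
    and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def _build_breached_index(breached: dict) -> dict:
    """Index constructed breach data by prefix, in the 'SUFFIX:COUNT' line form
    the range API returns."""
    index = {}
    for pw, count in breached.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


# Constructed stand-in for the breach corpus; the counts are invented.
BREACHED_INDEX = _build_breached_index({
    "letsgomets": 5247,
    "password": 3730471,
    "123456": 23597311,
})


def lookup_range(prefix: str) -> list:
    """Simulates GET /range/<prefix>: every suffix stored under that prefix.
    In a live check this would be an HTTPS request carrying only the prefix."""
    return BREACHED_INDEX.get(prefix, [])


def breach_count(password: str, range_lookup=lookup_range) -> int:
    """Return how often the password appears in the breach data (0 = not found).
    Only the hash prefix is handed to range_lookup; the suffix match is local."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("letsgomets", "8&TifWT4h6jS06", generate_password()):
        hits = breach_count(candidate)
        print(f"{candidate!r}: {'BREACHED ' + str(hits) + ' times' if hits else 'not in breach list'}")
```

Because the match happens on the client, the lookup service learns nothing beyond a 5-character prefix shared by hundreds of unrelated hashes, which is why this check is safe to run on live credentials, while sending a full password or full hash to a third party would not be.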
It would be difficult for someone to do all of these things on their own. But with the assistance of a password manager, users can more easily follow best practices. A password manager is a program that runs on your computer or phone and keeps track of which usernames and passwords to use for access to different websites. They do more, but that's their main function. This YouTube video has a quick demo and explanation of what password managers do.
You can set up a strong password for the password manager, ideally in combination with a second factor like a one-time-password app or a security key. When your application, generally your browser, gets a login prompt from a site, the password manager notices, looks up that site in its database, and offers the username and password for that site. If you have more than one login for that site, it will offer all of them and let you choose.
The password manager database is strongly encrypted, both locally and in the provider's cloud storage. Typically, the provider never stores your master password, so if you lose it, you have probably lost access to the whole database. This is a potentially disastrous outcome, but it is what makes password managers secure enough: without your credentials, nobody, the provider included, can decrypt the database.
For more on the basics of password managers, see an earlier story here on password management in enterprises.
Password managers began as and are still largely a one-user purchase, sometimes as a limited free version. But if you are responsible for the security of multiple users at a small or medium-sized business, you should look for an option that offers some management capability and a volume discount. Many password manager providers have versions for teams, families, and enterprises.
The products truly designed for enterprises will have tools inappropriate for a small business and prices to match. A rough way to put it is that if you have a professionally managed network, these products may be appropriate for you.
Below is a list of password management products that are targeted at business but don't have full enterprise integration. There are far more of these products than I expected, and I may have missed some.
- LastPass Teams
- 1Password Business
- RoboForm for Business
- Dashlane Business
- Keeper Business
- Zoho Vault for teams
- Password Boss for business
- StickyPassword for teams
- Bitwarden Teams
- TeamsID Business Password Manager
The main team feature these products provide is the ability to share login information with other users. They probably also allow an administrator to manage users. The administrator may be able to onboard new users, centrally manage shared items and who gets access to them, authorize and deauthorize devices, control access to features in the password manager, and more.
There may be a rights management system to control who has access to what, as well as levels of access. I won't attempt to document which products have each of these capabilities because that information changes over time, so you need to compare them yourself when it's time for you to decide.
And these are only the team features. There can be meaningful differences in price between the products, and you may find some easier to use than others. Though it doesn't compare team and other management features, PCMag does frequent reviews of password managers, including a recent roundup of 10 of them.
You may also have noticed that Google Chrome has a built-in password manager. In fact, it is a feature of a Google Account, which, for most people, is Gmail. If your organization uses G Suite, Google's cloud-based productivity apps, the administrator can perform a few management tasks, including:
- Require a strong password and set a particular strength level based on Google's password strength tool.
- Set a minimum password length.
- Allow or disallow the reuse of old passwords.
- Set a password expiration, i.e., the number of days after which the user must change the password. As explained below, this is no longer considered best practice.
Any team-based third-party password manager provides far more than this.
Security vs. usability
Once you have a system like this in place, you can start to implement the best practices described above. Almost all the products will perform analysis and generate a report on passwords in the repositories, showing duplicates and weak passwords. You can use this report to start making your business's use of passwords more secure.
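The kind of report described above is straightforward to reproduce against a vault export, and doing so shows what the products are actually checking. The following is an added example, not code from the article or from any of the products listed, run over a small constructed vault; it flags passwords reused across sites, passwords that fall below a length or character-class floor, and duplicate entries. One design point worth copying: the report names sites, never the passwords themselves, so it can be shared with the people who need to fix things without becoming a second credential list.

```python
"""Audit a password vault export the way team password managers' reports do:
reused passwords, weak passwords, duplicate entries. Added example with a
constructed vault; thresholds (12 characters, 3 character classes) are
assumptions, not any product's defaults."""
from collections import defaultdict

# Constructed sample vault (site, username, password). The fourth entry is an
# exact duplicate of the second, the kind of thing an import usually leaves behind.
SAMPLE_VAULT = [
    {"site": "mail.example.com", "username": "alice@example.com", "password": "letsgomets"},
    {"site": "crm.example.net", "username": "alice@example.com", "password": "letsgomets"},
    {"site": "bank.example.org", "username": "alice", "password": "8&TifWT4h6jS06"},
    {"site": "crm.example.net", "username": "alice@example.com", "password": "letsgomets"},
    {"site": "vendor.example.co", "username": "bob", "password": "Summer2019!"},
]


def char_classes(pw: str) -> int:
    """Count which of lower/upper/digit/other appear in the password."""
    checks = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return sum(checks)


def is_weak(pw: str, min_len: int = 12, min_classes: int = 3) -> bool:
    """Weak if shorter than min_len or drawing on fewer than min_classes classes."""
    return len(pw) < min_len or char_classes(pw) < min_classes


def audit_vault(entries: list) -> dict:
    """Return a report with three lists; none of them contains a password.
    reused:     groups of sites sharing one password (one list per password)
    weak:       sites whose password fails is_weak
    duplicates: (site, username) pairs that appear more than once verbatim"""
    by_password = defaultdict(list)
    seen = set()
    duplicates = []
    weak = []
    for e in entries:
        key = (e["site"], e["username"], e["password"])
        if key in seen:
            duplicates.append(key[:2])  # second copy: record it, don't count it twice
            continue
        seen.add(key)
        by_password[e["password"]].append(e["site"])
        if is_weak(e["password"]):
            weak.append(e["site"])
    # Group by password internally, but emit only the site lists.
    reused = [sites for sites in by_password.values() if len(sites) > 1]
    return {"reused": reused, "weak": weak, "duplicates": duplicates}


def format_report(report: dict) -> str:
    """Human-readable summary for the person chasing the fixes."""
    lines = []
    for group in report["reused"]:
        lines.append("password reused across: " + ", ".join(group))
    for site in report["weak"]:
        lines.append("weak password: " + site)
    for site, user in report["duplicates"]:
        lines.append(f"duplicate entry: {site} ({user})")
    return "\n".join(lines) if lines else "no findings"


if __name__ == "__main__":
    print(format_report(audit_vault(SAMPLE_VAULT)))
```

Running it on the sample vault reports the two sites sharing "letsgomets", three weak entries (two because of length, one eleven-character password), and the duplicate CRM entry, while the bank entry with the long mixed-class password passes. Real exports are CSV or JSON; read them into memory, run the audit, and delete the export afterwards rather than leaving a plaintext copy of the vault on disk.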
It's important to appreciate that there is a general trade-off between security and usability, not just in technology but in life—you need only try to get on an airplane to understand this. As such, password managers don't make it easier to use passwords; they make it easier to use passwords securely.
All password managers can be a usability challenge for the average user. You may want to ease into the process by migrating logins into the password management system one at a time. You could also move different users at different times, allowing them to get used to the system while still being able to enter passwords the old-fashioned way. But to do so, you will have to put off the main objective of using a password manager—i.e., making your passwords more secure—because the logins would be unmanageable to users not on the password manager.
Why are password managers challenging to users? The biggest reason is that they don't always work. However, don't rush to judge the password managers themselves harshly. To fill usernames and passwords into login fields automatically, they need to do things that are not unlike things done by malicious software attempting to attack the user. Therefore, browsers and websites engage in defensive measures that often frustrate the password manager along with any real attacks.
I have this problem with my personal bank website, a very large and prominent bank. Autofill of the password field hasn't worked in years. I have tried two password managers for this, and they both fail. The workaround is not a bad one: You have to go to the password manager icon, either in the input field or in the extension bar for the browser, use it to copy the password to the clipboard, and then manually paste it. Not a big deal, but a minor pain, and it's just wrong. Because the bank's mobile app allows the use of fingerprints and facial recognition on the device, this problem doesn't exist on my phone.
A recent guidelines document from the National Institute of Standards and Technology specifically recommends that sites make an effort to play nice with password managers, but the message hasn't gotten through. (This might be a good time for you to check whether your Internet-facing systems allow your customers to use password managers without a hassle.)
Using a password manager will never be as easy as using passwords the old and insecure way; they come across as a pure burden to an unmotivated user. So, when you explain the plan to your users, you need to convey to them how important it is to the company that they take password security seriously and to heart. A change like that is at least as important as any technology you might implement and helps you get the most out of your security systems and procedures.
Password managers: Lessons for leaders
- Insist on best practices for passwords on your internal systems and your outside accounts with vendors and partners.
- Doing security right is hard if employees are unmotivated. Make sure employees understand how important it is to the company that they take security seriously.
- People can't use passwords securely using just their memory or Post-it notes. A managed system with all the core password management features is required.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.