How to manage passwords in your business: tips for choosing a password manager

Matt Meakins

Monday 30 June 2014

Data security is critical for any business, and airtight security requires more passwords, which means more to remember. That’s where a good business-grade password manager can help. Here’s how to choose a password manager that’s right for your business.

Why do you need multiple passwords?

When eBay fell victim to a recent cyberattack and exposed the accounts of 18 million UK-based users, the security breach made headlines and demonstrated that any business is at risk of being hacked.

Virtually all online services and businesses use some form of password protection, which means users’ passwords can potentially fall into hackers’ hands during a cyberattack.

It’s bad enough when it affects data on the service that was targeted in the attack, but the damage is far greater if the same password is reused for other services – such as the company’s social media accounts or a cloud service that stores critical business data.

It’s a dilemma – the more airtight you want your security to be, the more passwords you’ll need to use and manage. This is why a password manager, which stores all the passwords in a secure ‘vault’, is a necessity. But what should you be looking for when choosing one for your business?

Store passwords locally or remotely?

If you are only going to access the password manager from one device or office location, your safest bet may be to keep all of your passwords locked in a secure local database.

However, many businesses are adopting flexible working arrangements driven by mobile devices and a global marketplace. Therefore, password managers must be accessible from any location. Several leading vendors have stepped in to meet this demand and are offering password management tools that store password data in the cloud.

This approach does come with risks. One breach of the cloud service could potentially put all of your passwords in the hands of hackers. To avoid this, some vendors have adopted an array of security measures to foil intruders. When choosing a provider, check if they can also offer:

  • A highly-secure ‘master’ password known only to the end user
  • SSL-based data transfer between all devices and the password repository
  • Encryption of your passwords locally on your PC or device before they are uploaded to the cloud, using a strong cipher such as 256-bit AES

A cloud-based provider might also suffer hardware problems or other technical issues. They could even go out of business. So it is also good practice to regularly back up your password data, locally or to a different location.

Reduce lockout times as much as possible

Password managers will generally allow configuration so that users will be locked out after an idle period. This prevents non-authorised users from accessing the password vault – especially important if the password manager is being accessed via a mobile device. The timeout period should be made as small as possible, without interfering with users’ ability to access the tool efficiently.

Switching between password managers

There may come a time when your business needs to switch to a password manager that is more powerful or secure. So make sure that your existing password manager can export its password data in a standard format that can be interpreted by other vendors’ tools, and that any exported data can easily be deleted when no longer required.

Even the best password manager is only as good as your own security policies. Include randomly placed letters and numbers in your passwords to protect them against ‘brute force’ attacks, and change them regularly. A forgotten password is, after all, much less of a security risk than a stolen one.