Password Manager Hesitation
As we work with clients, we’ve noticed that some are hesitant to push out information about password managers to their employees, and in this post we explore why. In security awareness, it’s important not only to make average users aware of the security rules, but also to explain HOW to adhere to those rules so that they’re less likely to resort to workarounds. For example, if you have password complexity requirements (at least 10 characters, three of these four character classes: uppercase, lowercase, numbers, symbols, and a change every 60 days), your user population may push back unless you also provide advice on how to create passwords that satisfy the rules (see our Strong Passwords Using Phrases). And of course, password managers help solve the major issue/requirement of using a different password for every site/service.
Here are some reasons we’ve heard as to why password manager advice should be skipped when educating employees on cyber awareness.
We don’t allow password manager software to be installed on computers.
Most workplaces do not allow users to install their own software (for good reason). Therefore, one underlying fear about educating users on password managers may be that it creates demand for organization-funded software (and resources may not be available for this purchase).
We don’t have a password manager solution for staff.
Translation: informing employees about password managers (which we don’t provide) would cause confusion. Employees may buy/acquire their own software and what they pick may not be adequate or secure. Worse, employees may seek help from the technology help desk for a product the workplace doesn’t support.
We would have to train people on how to use password managers.
Password managers are software. Therefore, user training would have to be developed. If the workplace provides a password manager, creating this training makes sense. Otherwise, with the myriad of choices out there, an organization may just decide not to confuse their employees with multiple training guides.
Workplaces should keep in mind that employees may already be using some form of a password manager. This could be a pen and paper, a built-in phone/browser app, or a password manager in the cloud. Even more concerning, they may be REUSING passwords in an effort to minimize the number of passwords they have to track.
If employees utilize third-party apps, password reuse is likely to be a problem. If workplace applications that house important data are vulnerable to credential stuffing, you may face unauthorized access in the future.
What’s a Workplace To Do?
We recommend surveying users (with anonymous responses) to see how many work-related accounts (requiring passwords or passcodes) they have, whether they are reusing passwords, and whether and how they store those passwords. This can be eye-opening in terms of the reality of day-to-day operations. After all, it’s impossible for the tech department to intimately know the workflow of each department. A survey will provide more data and may even uncover some shadow IT.
Next, do an assessment of the authentication and security measures of the systems holding the most important (sensitive, regulated) data. Is that system vulnerable to brute-force attacks? Is it vulnerable to credential stuffing because it doesn’t detect suspicious login attempts? Does the system require a second login step? Are there third-party integrations that would expose data if those systems became compromised?
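One concrete way to answer the "does it detect suspicious login attempts?" question is to run your own authentication logs through a small detector and see whether the patterns above would be visible. The following is an added example, not code from the original post or from Cyber Safe Workforce; the log format (timestamp, result, username, source IP) and the sample lines are constructed for illustration, and the thresholds are assumptions you would tune to your own system. It flags the two patterns named above: one source failing against many different accounts (credential stuffing) and one source failing repeatedly against a single account (brute force), and it lists accounts that logged in successfully from a flagged source, since those are the ones to reset and review first.

```python
"""Credential-stuffing and brute-force indicators from an auth log.

Added example; the log format and sample lines below are constructed,
not taken from any real system. Adapt parse_log() to your own format.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: ISO timestamp, result (OK/FAIL), username, source IP.
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL alice 203.0.113.10
2024-05-01T09:00:02 FAIL bob 203.0.113.10
2024-05-01T09:00:03 FAIL carol 203.0.113.10
2024-05-01T09:00:04 FAIL dave 203.0.113.10
2024-05-01T09:00:05 FAIL erin 203.0.113.10
2024-05-01T09:00:06 OK frank 203.0.113.10
2024-05-01T09:00:10 FAIL alice 198.51.100.7
2024-05-01T09:00:11 FAIL alice 198.51.100.7
2024-05-01T09:00:12 FAIL alice 198.51.100.7
2024-05-01T09:00:13 FAIL alice 198.51.100.7
2024-05-01T09:00:14 FAIL alice 198.51.100.7
2024-05-01T09:00:15 FAIL alice 198.51.100.7
2024-05-01T09:05:00 FAIL grace 192.0.2.44
2024-05-01T09:05:30 OK grace 192.0.2.44
"""


def parse_log(text):
    """Turn log lines into (timestamp, success, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result == "OK", user, ip))
    return events


def analyze(events, window=timedelta(minutes=5), min_users=5, min_failures=5):
    """Classify source IPs and list accounts at risk.

    Returns (verdicts, at_risk):
      verdicts: ip -> "credential_stuffing" (many distinct accounts failed
                from one IP within `window`) or "brute_force" (one account
                failed >= min_failures times from one IP within `window`).
      at_risk:  accounts that logged in successfully from a flagged IP.
    Thresholds are assumed defaults; tune them for your own login volume.
    """
    verdicts = {}
    failures_by_ip = defaultdict(list)
    for ts, ok, user, ip in sorted(events):
        if not ok:
            failures_by_ip[ip].append((ts, user))

    for ip, fails in failures_by_ip.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window so fails[start:end+1] spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            if len(per_user) >= min_users:
                verdicts[ip] = "credential_stuffing"
                break  # strongest verdict for this IP; stop scanning
            if max(per_user.values()) >= min_failures:
                verdicts[ip] = "brute_force"

    # A success from a source already flagged is the account most worth
    # resetting and reviewing: it may be a reused password that "worked".
    at_risk = sorted({user for _, ok, user, ip in events if ok and ip in verdicts})
    return verdicts, at_risk


if __name__ == "__main__":
    verdicts, at_risk = analyze(parse_log(SAMPLE_LOG))
    for ip, verdict in verdicts.items():
        print(f"{ip}: {verdict}")
    print("accounts to reset/review:", ", ".join(at_risk) or "none")
```

If your system's logs cannot produce the fields this needs (per-attempt result, account name and source address), that gap is itself an assessment finding: without them, neither you nor the vendor can detect the login patterns the questions above ask about.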
Providing users with solutions that make them more secure overall, whether in their professional or personal life, is ideal. If you can put more technical controls in place on systems with very important information, you should. If you find that requiring a unique password is one of the controls you have to use to secure important information, perhaps you should allow people to manage passwords even with BYOD (bring your own device).
No solution is perfect, but here at Cyber Safe Workforce, empowering people to make smart choices when it comes to information security is our goal. If you can provide people with information about password managers, even if only in the context of their personal lives, please do.