Passwords are a part of life. Most people have accounts that cause them to juggle several different passwords every day. For the security of the user, it’s recommended that each account have its own password. It’s because of these multiple passwords that the concept of a password manager is extremely inviting. Simplifying your life by only having to remember a single password, while all of your stored accounts have different passwords, is the best of both worlds! Or is it? What if your password manager password is stolen? How safe is using this type of security software?
The popular antivirus manufacturer Trend Micro has recently come under fire for having a major security flaw that allowed stored passwords to be stolen from users with a simple execution of code. Trend Micro’s Password Manager application was accused by Google of taking measures to circumvent Google Chrome’s malware check features to improve search results. Upon further scrutiny by Google’s security team, Trend Micro’s password manager was found to put its users at risk. Trend Micro’s team quickly released a security patch and the issue has been repaired, but that brings up the point that password storage has its own vulnerabilities.
Trend Micro’s vulnerability comes on the heels of an attempted breach of LastPass, another major player in the world of password management software. While the password vaults stored in accounts were not breached by the hack, account information such as emails and password reminders was compromised. LastPass suggested that users update their master password to keep their vault of stored passwords as secure as possible.
One of the most important things that a CIO can ask is whether password managers are a necessary concern and which is right for their company. Security software, especially software that will hold passwords, needs to be part of a carefully crafted solution, customized for your business’s needs. Not all software is the same, and here are some features that you may want to consider when selecting your enterprise’s password solution.
- Tracking/Logging of Sign-In and Attempts – When you’re overseeing an organization’s technology, security is going to be one of your main concerns. An important facet of a password manager is the ability to track and log authorization attempts and successful logins. Alerting on unusual activity is a capability of some password managers, as is a summary of current logins across the entire enterprise.
- Multifactor Authentication – By having multiple factors in its authentication, a password manager requires two or more of the following: a knowledge factor (“something only the user knows”), a possession factor (“something only the user has”), and an inherence factor (“something only the user is”).
- Administrative Controls – With the relatively high occurrence of data breaches from someone inside an organization, or a former employee who is able to access the data, it’s critical to have the ability to control users, passwords, capabilities and more. These types of administrative controls aren’t standard on all password managers.
- Regulation or Compliance Enabled – For companies that are required to meet certain technology regulations, it’s important to make sure that the password manager you select has the proper regulatory and audit report capabilities. Not only must they meet the security standards set in place, but you must be able to prove it in the event of a breach or an attempted breach.
Password managers are just one of the things a CIO or IT Manager has to consider. While employees’ lives are easier without having to remember a password, it’s important not to compromise your company’s security. How do you handle password management applications?