Blog WatchGuard

Not decided about adopting a corporate password manager? I’ll give you 9 reasons to do that

Teaching about password security in the early 2000s would usually start with a question to the audience: how many of you have up to 10 passwords to remember? How about 25? Anyone with more than 50? Today I usually start with “how many credentials do you believe to have still active? Less than a hundred?” 

It’s interesting how it builds up. Many people won’t even realize how many credentials they decided to store in their browser, when asked for. Could be a credential used many times a month, or maybe that one you had to create in a store you bought in only once but needed to track your order. The fact is that it’s almost impossible to know. If you usually save your credentials within the browser, you might learn about it. And if you are infected by a malware that could steal your browser credentials, like the recent BlackGuard malware, or someone gets access to your email – the most-used method to reset passwords - your digital life is done! 

Password managers can help you better control your credentials, especially if you think in terms of corporate use. Not sure about it? Let’s look at some areas where it can help mitigate password-related issues: 

  1. Password sharing: You may easily share over the phone a password such as “football123”. Now try to share “tNNi^M$E*@Ep7LD&”. Not that easy, right? This could help prevent intentional sharing or through social engineering. 

  1. Reuse of corporate password for personal applications: The company made me create a new password, with caps, letters, numbers, and special chars. I use my creativity and use “Football@123.” But since I have this nice, secure password, why not use it in other places? Maybe my TV streaming service, which I share with my daughter, who shares with her boyfriend… Remember, you don’t have control over passwords outside the company. In this example, your daughter’s boyfriend has your company credentials. A complex password is nice but try entering “tNNi^M$E*@Ep7LD&” in your smart TV. 

  1. Same password for everything: Users can memorize a few passwords, maybe 3 or 4. The rest are just variations. I’m not different. Users will try to use the same password everywhere, maybe with some small variations. A corporate password might be floating in dozens of uncontrolled accounts. Password managers will train the user to create a different password everywhere. After all, it will create it for you and fill it out during the authentication. 

  1. Credential leak in the dark web: I’ve been a LinkedIn user for quite a long time, and they had leaks at least a couple of times, and so my credentials ended up in the dark web. If this happens to you, there’s nothing you can do about it except reset your password. The problem is that it can take time for you to realize it happened. It’s not your fault, the company you have an account with was unfortunately attacked. Your password – which you probably use for dozens of other accounts – is now exposed. But wait, most websites will not store your password completely open, they will use a hash of your password. So attackers still need to crack the passwords. If you have an easy one, even a combination of words, there is a high chance it will be cracked. A long and complex password cannot be hacked with the current computer power. So even if a leak happens, a password generated by a password manager will most likely be protected. 

  1. Easy-to-crack passwords: There are attacks such as password spraying that will use simple passwords. Other attacks, using dictionaries for longer passwords, can be quite effective to crack easy passwords. Passwords hashed including salt – an additional variable – can be cracked with multiple letter/number combinations up to 8 characters only. Passwords with up to 12 characters and regular hash can be usually crack with no problems. Passwords with 16 characters, like the ones generated by the password manager, can’t be cracked with multiple combinations. 

  1. Shared admin passwords: Companies have sometimes shared credentials, like an administrator password that is shared among all the IT admin staff. Even when complex passwords are used, how do you make sure they are not exposed? In a recent attack, hackers found a company spreadsheet containing multiple admin credentials. Jackpot! Corporate password managers will most likely have the ability to securely share passwords between individuals, and always store them in a vault. 

  1. Password exposure for MSPs managed accounts: MSPs will always have admin credentials used to access their managed accounts, one or more per account, shared between groups of MSP technicians. The leak of those credentials could be a disaster for an MSP, exposing their managed accounts to the risk of remote connections and spreading ransomware. Password vaults can be very effective in those situations. 

  1. Corporate applications with no MFA support: Most serious business applications will support MFA, usually through SAML protocol, which creates a trust relationship with an identity provider. Some might have their own MFA solution. But there are still a huge number of applications that don’t understand much about the need for MFA. Companies like Salesforce not only support but are enforcing them since February 2022. But for applications not supporting it, the least you need to do is make sure the credentials are unique and not reused. Password managers won’t help in every situation, such as a phishing website. But they can drastically reduce the exposure. 

  1. Password carelessness by users: User training is always important, to protect against phishing attacks or even speaking a password over the phone, because the person at the other side of the line said they are from your bank and need to unlock your credit card. Password managers can be really effective helping train the users, make them understand the importance of keeping a password safe, and reducing the chance of using it in dangerous situations. 

You might ask now: what about passwordless authentication? This is a growing trend, but there are just a very few situations where you can use it. Logging in to your computer with your face most likely won’t help you log in to other websites. Changing your mobile phone app login to your fingerprint creates a great user experience but can’t be used if you need to log in through your computer. 

The fact is, passwords are not going away, and until there is a solution that covers all the cases in the company, password managers can be effective mitigating those risks. Think seriously about this use. We’re thinking, and we will have some news soon in this matter to announce!