What Are Password Managers and How Do They Work?
Like many people, you probably start your workday each morning by logging into a computer with your username and password to get access to your company network.
Then you start up email and enter your credentials for that program. And every time you launch an online or SaaS application, it asks you for yet another password.
How do you manage it all? Maybe you’ve gotten good at memorizing your passwords. Or maybe you write them down in a secret notebook that you hope never gets stolen, wondering if there’s a better solution.
What is a Password Manager?
If you find it challenging to keep track of all your different account passwords, you’re not alone. According to Pew Research, more than a third of Americans say that they have trouble managing passwords and feel concerned about the security issues this might raise.
A password manager is a software utility that makes it safer and easier for you to access your user accounts by storing your passwords in a secure digital vault. Instead of memorizing dozens of passwords, you only have to remember a single master password to access the password vault if you want to view or update your credentials.
Some password managers will auto-fill login fields on a website with your saved credentials so that you don’t have to waste your time keeping track of which password goes with which online account. To assist with the recommended security practice of changing passwords frequently, some software can also generate long, complex passwords upon request.
Why Do You Need a Password Manager?
Passwords serve as the first line of defense against cybercriminals. If hackers crack one of your passwords, they can gain control of your user account, which can lead to serious consequences like stolen information and identity theft.
It’s bad enough to have one’s personal account hacked, but if you work for an organization, the security concerns only multiply. Cybercriminals can potentially infiltrate a company’s entire network through a single weak password, stealing sensitive information about your business and your customers.
If left unchecked, the cyber attackers may even hijack your IT infrastructure, rendering your systems useless and your business non-operational. Needless to say, you would be facing steep costs of both time and money to get your technology infrastructure up and running again.
So the simplest and most essential way to protect your systems, network, and data from cybercriminals is by ensuring that everyone at your company adheres to a strong password policy at all times. But this is easier said than done. Here’s why:
Many User Passwords Are Weak and Inadequate
According to guidelines put forth by the National Institute of Standards and Technology (NIST), a strong password should contain between eight and 64 characters drawn from the entire range of ASCII characters.
Many IT security professionals recommend that passwords contain a complex mixture of uppercase, lowercase, numeric, and special characters (like !@#$) that cannot be easily guessed by a human or computer. They also recommend changing passwords frequently (such as every six months) and not using the same password for multiple accounts.
Yet most people find it hard to stick to these recommended guidelines. Instead, they fall back on insecure practices that invite password theft, such as:
- Using simple passwords that are easy to remember and guess, like words that can be found in the dictionary or numbers that obviously correspond to addresses or birthdates
- Using the same password for multiple accounts
- Storing passwords in an insecure way, such as on a sticky note or in a notebook left in plain view
Cybercriminals Can Easily Crack Weak Passwords
Weak passwords leave the door open for hackers to launch their attacks. Here are some of the common techniques that cybercriminals use to steal passwords:
- Brute force, in which the attacker exhaustively tries every possible password combination until hitting upon the one that works
- Physical theft of an insecure password vault, such as a written notebook or sticky note
- Keylogger surveillance, where the attacker uses keystroke logger software to detect a password as the user types it on a keyboard
- Acoustic keyboard monitoring, where the attacker eavesdrops on the distinct sounds produced by specific keystroke combinations and deduces the password being typed
- Phishing, which involves sending communications that entice unsuspecting users to type their login credentials into a bogus account
To defend your business against cybercrime and password theft, you need a password manager.
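The password-generation feature and the weak practices listed above, sketched as an added example (not code from the article or from any particular password manager). The function names, the 20-character default, and the sample accounts are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes the article names: uppercase, lowercase, numeric, special.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
           string.digits, string.punctuation)
MIN_LEN, MAX_LEN = 8, 64  # length range the article quotes


def generate_password(length=20):
    """Random password with at least one character from every class."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    alphabet = "".join(CLASSES)
    while True:  # rejection sampling keeps the choice uniform
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def search_space_bits(length, alphabet_size):
    """Size of an exhaustive search, in bits: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def audit(accounts, wordlist):
    """Flag short, dictionary and reused passwords in {account: password}."""
    findings, first_seen = {}, {}
    for account, password in accounts.items():
        issues = []
        if len(password) < MIN_LEN:
            issues.append("too short")
        if password.lower() in wordlist:
            issues.append("dictionary word")
        if password in first_seen:
            issues.append(f"reused from {first_seen[password]}")
        first_seen.setdefault(password, account)
        if issues:
            findings[account] = issues
    return findings


if __name__ == "__main__":
    # Constructed sample data, not taken from the article.
    sample = {"email": "sunshine", "crm": "sunshine", "vpn": "abc"}
    print(audit(sample, {"sunshine", "password"}))
    print(generate_password(20), round(search_space_bits(20, 94), 1))
    print(round(search_space_bits(8, 26), 1))  # eight lowercase letters
```

The bit counts show why generated passwords resist exhaustive guessing: every extra character adds log2(alphabet size) bits to the search.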
How Does a Password Manager Work?
A password manager consists of two components: the password manager application and the password vault.
Password Manager Application
This application is the software interface that lets the user view, control, and modify their password manager settings. The software can be installed and accessed on the user’s local device, like a desktop computer or smartphone.
A password manager application can also be hosted and installed in the cloud. In this case, users enjoy the advantage of being able to access the password manager from any location using any device of their choosing. This can prove convenient to users who work remotely, engage in business travel, or are otherwise unable to access their physical office equipment.
Many web browsers, like Chrome and Internet Explorer, have a built-in password manager app that offers to remember your passwords as you surf through different websites. However, some experts caution that browser-based managers contain inherent vulnerabilities that leave them open to cybercrime. They recommend using a dedicated password manager instead.
Password Vault
The password vault is the database that stores your passwords.
For enhanced security, the best password managers will encrypt the passwords in storage to prevent cybercriminals from stealing them. Since password vaults are full of critical information, they themselves have become prime targets for hackers.
A password vault can be located on premises, such as on the hard disk of a desktop computer, or online in cloud storage. There are pros and cons to each approach.
Having the password vault on your local computer drive gives you maximum control over your information. Just make sure that your password manager application securely encrypts your credentials stored in the vault so that you can remain protected if your computer gets hacked or physically stolen.
If you want to use password manager capabilities on your different devices, however, you’ll need to perform the extra step of manually syncing the passwords from your computer to the other devices.
When you store your passwords in the cloud, you can enjoy the convenience of accessing them any time from any device. The password manager automatically syncs data from the cloud-based vault to all your devices.
However, you need to know if the cloud service provider engages in security best practices that you can trust. The provider’s servers and networks must be secured and updated regularly, and they must provide assurance that your stored passwords are encrypted and cannot be misused by service administrators.
Getting Started with Password Managers for Business
Many password manager applications offer a trial version that you can download for free. To get started, download and try out a few different options until you find a password manager that’s right for you.