Building a business case for password managers

Davey Winder ponders the best way for SMBs (and larger firms) to tackle the thorny issue of password security

Without the password alternatives, additional authentication factors, and some kind of password management system, the harsh truth is these small businesses and micro-enterprises will, undoubtedly, re-use passwords.

And, please, don't tell me a password management system that consists of a document filed away somewhere listing all the passwords within the enterprise is as safe as the next solution. Homebrew password solutions are best left to the hillbilly next door. There is no room for moonshine management in your business.

Whether you opt for an open source or proprietary password management solution makes little difference, as long as it has a proven track record and provides practical password creation, storage and retrieval.

Homebrew password solutions are best left to the hillbilly next door. There is no room for moonshine management in your business.

The argument I mentioned earlier about keeping all your passwords in one place is ripe for debate, but holds little real world water to me.

There are plenty of good software solutions to choose from, and always one that will be a good match for any given smaller enterprise requirement. This means there are those where the password vault is stored locally, and those that use the cloud for 'anywhere/anytime' access.

The latter gets the most stick in the easy target stakes, but Heartbleed has blown a huge hole in that argument.

Most password manager services, even those who admit to having used an OpenSSL implementation, have stated that users don't need to change their master passwords.

This is because master passwords are never sent to the servers. Instead you will find something like the password being appended to an email or login validator and put through a salted one way hash that is sent to the server for authentication instead.

These hashes are as close to impossible as it gets to be reverse engineered. Oh, and they get signed by a key which is separate from the SSL key for good measure.

Players in the password manager market know their continued existence relies on users trusting them to know a bit about security, and implement it in such a way that the vault remains safe.

Will I continue to recommend password manager software to the smallest of enterprises on a small budget and with limited technical expertise? You betcha!

Of course, if your enterprise can run to using password management software and some form of two factor authentication as well, then I'd recommend that even more.

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

Data breach exposes widespread fake reviews on Amazon
data breaches

Data breach exposes widespread fake reviews on Amazon

7 May 2021
TsuNAME vulnerability could enable DDoS attacks on major DNS servers
distributed denial of service (DDOS)

TsuNAME vulnerability could enable DDoS attacks on major DNS servers

7 May 2021
What are SSH keys?
cyber security

What are SSH keys?

7 May 2021
Google’s about to push everyone into two-factor authentication
Security

Google’s about to push everyone into two-factor authentication

6 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Dell patches vulnerability affecting hundreds of computer models worldwide
cyber security

Dell patches vulnerability affecting hundreds of computer models worldwide

5 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021