What are some best practices to implement for secure employee password management?
There are many enterprise password managers available to help with employee password management. Aside from using a password manager, what else can be done to ensure that employee passwords are secure?
The general best practice says that all the users in a company must attend security awareness trainings regularly in order to be updated in infosec. The companies that provide security awareness trainings platforms have already created tons of content that remind why users should stick to particular rules when dealing with passwords. Because having password manager and using it sometimes make the difference.
Search for a product comparison in Enterprise Password Managers
Security Consultant and Cybersecurity Support at a tech services company with 51-200 employees
Real User
2020-06-19T04:09:59Z
Jun 19, 2020
One of the biggest concern is users are not restarting their windows systems for long time, which allows the attacker to steal the memory cache. So in my opinion user should schedule their system restart in timely fashion.
Director, Consulting Practice at Kenneth J Sole and Associates
User
2020-06-18T16:27:25Z
Jun 18, 2020
I am a big Lastpass user - and I utilize the analysis tool it has. In my CIO days we had 3rd party IT Controls companies come in and run password cracking tools to identify weak passwords
PAM Architect at a tech services company with 11-50 employees
MSP
Top 10
2021-10-25T14:20:45Z
Oct 25, 2021
I am going to disregard answering from the Ransomware aspect as write access can be a problem and the mitigation is different.
As much as I love the answer from Denys, the only time employee passwords are a concern is when they are also privileged and then not managed properly.
Small company: If an employee has an account that is also privileged I recommend rotating the password daily. Active Directory can manage the AD perspective quite well requiring daily password changes and reducing the PtH (Pass the Hash) vulnerabilities.
Medium & Large company: A PAM solution can allow a privileged user to "Check Out" a password that is then immediately rotated upon check-in. Audit records, session recording and keystroke logging are a plus.
When determining the budget for this type of solution and an old maxim is recalled: "The cheap comes out expensive". Another consideration is not just financial loss, but reputation loss, when the ransom is followed up with a reputation threat, and you pay twice.
I will refrain from the High-Availability and Fail-Over discussing for brevity.
Make explicit distinction on defining what passwords are personal and what are business/work related and separate those two types in the primary stage to help/ease applying strict policy on those business/work related ones and secure them easily next to defining password vaults/environments related to departments (sales gets its own password environment, engineering gets its own etc )
PAM Architect at a tech services company with 11-50 employees
MSP
Top 10
2020-06-18T15:29:38Z
Jun 18, 2020
There are many enterprise password managers available to help with employee password management. Aside from using a password manager, what else can be done to ensure that employee passwords are secure?
Find out what your peers are saying about Microsoft, HashiCorp, Amazon Web Services (AWS) and others in Enterprise Password Managers. Updated: March 2024.
Enterprise password management solutions store and administer sensitive data such as passwords, records, and identity credentials for organizations. Since most cyber-attacks use legitimate credentials to enter an organization, password security is an essential part of an organization’s security posture.
The general best practice says that all the users in a company must attend security awareness trainings regularly in order to be updated in infosec. The companies that provide security awareness trainings platforms have already created tons of content that remind why users should stick to particular rules when dealing with passwords. Because having password manager and using it sometimes make the difference.
One of the biggest concern is users are not restarting their windows systems for long time, which allows the attacker to steal the memory cache. So in my opinion user should schedule their system restart in timely fashion.
I am a big Lastpass user - and I utilize the analysis tool it has. In my CIO days we had 3rd party IT Controls companies come in and run password cracking tools to identify weak passwords
I am going to disregard answering from the Ransomware aspect as write access can be a problem and the mitigation is different.
As much as I love the answer from Denys, the only time employee passwords are a concern is when they are also privileged and then not managed properly.
Small company: If an employee has an account that is also privileged I recommend rotating the password daily. Active Directory can manage the AD perspective quite well requiring daily password changes and reducing the PtH (Pass the Hash) vulnerabilities.
Medium & Large company: A PAM solution can allow a privileged user to "Check Out" a password that is then immediately rotated upon check-in. Audit records, session recording and keystroke logging are a plus.
When determining the budget for this type of solution and an old maxim is recalled: "The cheap comes out expensive". Another consideration is not just financial loss, but reputation loss, when the ransom is followed up with a reputation threat, and you pay twice.
I will refrain from the High-Availability and Fail-Over discussing for brevity.
Make explicit distinction on defining what passwords are personal and what are business/work related and separate those two types in the primary stage to help/ease applying strict policy on those business/work related ones and secure them easily next to defining password vaults/environments related to departments (sales gets its own password environment, engineering gets its own etc )
There are many enterprise password managers available to help with employee password management. Aside from using a password manager, what else can be done to ensure that employee passwords are secure?