Know your Password Manager

Last week the cybersecurity industry was abuzz about the Boston-based company LogMeIn, Inc. purchasing LastPass for $125M. The news coverage quoted some interesting figures:

  1.  Only 10 percent of knowledge workers today use a password manager
  2.  Only 37 percent of survey participants use passwords that contain both letters and numbers
  3.  Nearly 64 percent of people who use the Internet reuse the same password for most websites
  4.  Nearly 80 percent of cloud-based services and apps have monitored, sensitive or private information
  5.  35 percent intend to adopt a password manager in the next 12 months

While these are staggering statistics, it’s the last one I want to address. That’s because not all password managers are the same. You need to understand the differences before you deploy.

Some password managers are designed for consumers' home use, while others are designed for enterprise computer networks. Both have their place and both can offer good security, but either one may be the wrong fit for your particular business. You need to understand who generates the passwords, who manages them, who can see them, and what happens to that person's access and to any shared credentials when they leave.

Single Sign On (SSO) only hands out access after the user has already authenticated once. So the first question you have to ask is how the user authenticates in the first place, and whether that step is secure. Look for a solution that authenticates the user when the computer is first turned on, before the operating system has fully loaded (pre-boot authentication). That way, a person has proven who they are to the computer before they are given access to the network.

Multifactor authentication is a popular buzzword. There are currently three factors that authenticate a user: Something they Have (card or token), Something they Know (PIN or password), and Something they Are (biometrics). Using only one is single-factor authentication and considered weak. Using two different factors is two-factor and considered strong, provided the two factors are genuinely independent so that compromising one does not hand over the other. Using all three is three-factor authentication and very strong.

Not all combinations are true multifactor. Don't be fooled when you have to type in a PIN and then type a code sent to your phone by text message. The code is usually counted as Something you Have, but it is a weak form of it: the service sends the code to a phone number, not to a device it has enrolled and can verify, so anyone who can read that message (through a SIM swap, a forwarding rule, or a phishing page that relays the code) holds the "factor". Neither the computer nor the network you are logging into ever sees or authenticates your phone; it only checks that you could repeat a short secret, which is why NIST SP 800-63B classes SMS delivery as a restricted authenticator. In practice a PIN plus an SMS code is closer to two things you know than to strong two-factor authentication.
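To make concrete what "the network authenticates your device" means, here is an added example that is not from the original post or from Access Smart: a server-side verifier for an HMAC-based one-time-password token (HOTP, RFC 4226). The server holds a secret that was enrolled for one specific token or badge, so a valid code proves possession of that token rather than the ability to read a text message; the server also advances a counter so an intercepted code cannot be replayed. The secret below is the RFC 4226 test-vector secret, used here only so the output can be checked against the RFC's published codes; the class name and look-ahead window are this example's own choices.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side of a possession factor.

    The secret is shared with exactly one physical token at enrollment time.
    A correct code therefore proves that token was present, which an SMS code
    sent to a phone number does not. The counter only moves forward, so a code
    that was already accepted (or captured earlier) is rejected as a replay."""

    def __init__(self, enrolled_secret: bytes, look_ahead: int = 5):
        self.secret = enrolled_secret
        self.next_counter = 0           # lowest counter value still acceptable
        self.look_ahead = look_ahead    # tolerate a few unused presses on the token

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            # constant-time comparison so timing does not leak which digits match
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # resync and burn this and earlier codes
                return True
        return False


# Example (constructed) secret: the RFC 4226 Appendix D test-vector key.
ENROLLED_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = HotpVerifier(ENROLLED_SECRET)
    first = hotp(ENROLLED_SECRET, 0)          # what the token displays on press 1
    print("press 1 accepted:", verifier.verify(first))   # True
    print("same code replayed:", verifier.verify(first)) # False: counter moved on
    print("press 4 accepted:", verifier.verify(hotp(ENROLLED_SECRET, 3)))  # True, within window
    print("old press 2 now:", verifier.verify(hotp(ENROLLED_SECRET, 1)))   # False: behind counter
```

The point to take from the design is not the HMAC arithmetic but where the secret lives: it is bound to one token at enrollment, never transmitted, and the server verifies a proof derived from it. A code delivered over SMS has no such binding, which is why it proves far less about who is on the other end.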

Some services store your passwords in their cloud as a service, alongside every other customer's passwords. That concentration of secrets makes the service a high-value target: a single breach yields many organizations' credentials at once, and even where the vaults are encrypted on the client before upload, an attacker holding the ciphertext can guess weak master passwords offline at leisure. So should you trust your company's access secrets to the security of a third party? Maybe, maybe not. You need to determine that. However, it is our belief that security should be managed internally within your own company.

Cards, tokens, and fobs are the usual Something you Have, and one of them is a must to achieve true multifactor authentication. But ask yourself: would you rather carry another device that can get lost, forgotten or stolen, or simply add an application to an existing ID badge? The same employee badge that opens the building and serves as a visual ID can also securely log an employee into the company's computer and network without the employee knowing or typing any passwords. Because that one badge then unlocks both the door and the network, make sure a lost badge can be revoked quickly and that it is always paired with a PIN or biometric. So, no more sticky-note security!

There is no one solution that is right for everyone. And when it comes to computer networks, the one thing that every network has in common is that there is no one thing every network has in common. You have to pick what works for your particular environment. Look at what security investments you have already made that can be built on. Know your budget and the time frame in which you need everything deployed. And most important, understand the full cost of ownership no matter what solution you deploy.

Power LogOn – Enterprise Password Manager

Access Smart addresses these and many other issues with our enterprise, multifactor password manager called Power LogOn. We are FIPS 140-2 verified by a NIST lab. We work with the leading physical access control providers and with most industry card and reader technologies used in the private and government sectors. We can often add Power LogOn onto your existing ID without re-badging or re-issuing badges. Finally, if you have nothing yet and want to get started, we can help there too. So, got questions? Call us or find us at www.access-smart.com