Password managers grow up, target business users

Enterprise-class password managers fill key security gaps left by single sign-on (SSO) and cloud access solutions.

Password managers began as free or low-cost apps for consumers, tracking passwords and sign-ins to websites and applications, making it possible for users to create and manage long, hard-to-guess and unique passwords for all their accounts. Most work by encrypting the password lists with a single master password that only the user knows, so that even the password manager company employees themselves -- or hackers -- couldn't get into the password lists.

All the major password managers also have mobile apps, making it easy for users to log into their accounts from any device. They also support multi-factor authentication for additional security.

Enterprise single sign-on (SSO) and cloud access solutions leave holes

Enterprises, however, usually have their own systems for managing internal passwords. They use single sign-on (SSO) vendors and cloud access security brokers to manage their employees' access to online services. Even so, many business use password managers to supplement their core access systems.

But one of the big security gaps of enterprise-grade solutions is that they don't cover all the accounts that employees use for work. "SSO continues to expand," says Andrew Howard, CTO at Kudelski Security, "but they're not everywhere yet."

As a result, the business leaves it to users to keep track of all the passwords on unsupported systems. Some critical employees, like those responsible for administration, can have many accounts on lots of different systems. "It's not usual for us to see clients where admins have 500 or 600 different sets of credentials," Howard says. "The worst-case scenario to me is that they use the same passwords for all 600 applications, and if that one password is exploited, all 600 systems are vulnerable."

According to a survey by Ovum, 56 percent of organizations did not have SSO available at all, and for an additional 22 percent, SSO only covers some enterprise systems. Smaller companies often don't have the resources to implement a full-scale SSO system.

Take, for example, Intent Media, a small New York advertising company. It uses authentication services from Google and GitHub but doesn't have an enterprise SSO system set up, says Rob Park, the company's VP of engineering. Instead, it uses the 1Password platform to help employees keep track of both personal and business passwords. "Password managers tend to work for us in all circumstances given their flexibility -- not to mention availability of apps and devices," Park says. "It's that range of coverage of use cases that's important to us."

Even when companies do have SSO in place, these systems don't cover personal accounts. Since people tend to reuse passwords to remember them more easily, business account credentials often wind up being the same as those used on random websites.

Employees also create their own personal accounts on services such as Dropbox or Evernote and then use those accounts for business. "We recently did a survey and we found out that of the top 36 domains that employees are using in the workplace, at least 50 percent of them are popular personal solutions," says Rachael Stockton, director of product marketing for LastPass, which sponsored the Ovum survey.

"We also found that when you look at some of the most popular websites and services used in the enterprise, about half of them don't have out-of-the-box support for SSO, they're not SAML-based," Stockton says. "LinkedIn, PayPal, American Express, Box, Mailchimp -- so you have 50 percent of windows left open and uncontrolled." In addition, according to the Ovum survey, 23 percent of employees use their personal social media credentials to sign into business systems and applications.

So what do people do? Too often, they save their passwords in plain-text files. "If you look at the Sony hack, the attackers just looked for any file that had 'passwords.doc' in the file name," says Jackson Shaw, VP of product management at One Identity LLC, which offers a password manager in addition to enterprise SSO and identity management products. "They came up with something like 3,000 different files with passwords in them. We're dying in a sea of passwords."

In November, One Identity published a survey of global IT security professionals conducted by Dimensional Research and found that 54 percent of companies had a password vault for their administrative and other privileged accounts -- but 36 percent were using spreadsheets and 18 percent were using paper. For general users, only 42 percent of companies had a password vault. “The need for centralized password managers has become a necessity as a matter of convenience and fundamental security," says Philip Lieberman, president at Lieberman Software Corp.

Password managers step in

Password manager vendors have spotted a potential market here, and have added business-friendly features to their products. That includes administration tools for enterprise customers and separate vaults for business and personal passwords so that employees can take their personal password lists with them if they leave a company.

Three of the biggest ones are LastPass, Dashlane and 1Password. Market share numbers aren't publicly available, but each has between 1 and 5 million installs on Android devices, according to SimilarWeb, and all have entered the enterprise market. (For a comparison of features among the consumer versions of password managers, see “The 6 best password managers.”)

The software runs in the background on the desktop, in the browser or in mobile devices, and it notices when a user encounters a login screen. When the user types in a password, the software asks if it should be saved. On future visits, the credentials are entered automatically. If a user leaves a company, they lose access to the list of business passwords, but can continue using the apps and their personal password lists for free.

"The primary benefit is that you're actually changing that individual's security behavior," says Jeff Paradise, CMO at Dashlane, Inc. "You are truly protecting the way they're using the web, and how they're managing passwords both personally and professionally. Very few solutions today solve for that."

For example, the tools tell the user when a password is insecure or a duplicate, and can automatically generate better, stronger passwords. "It increases the security for the end user, and it's also decreasing huge points of risk for the organization," says Paradise.

Other approaches that companies have tried to improve security often backfire. Say, for example, a user has to come up with a new password every 30 days. It becomes impossible for an employee to create and remember unique, strong passwords. They either use a variant of a single password or write the passwords down. "What's easiest is not always what's safest for the organization," Paradise says.

The enterprise version of the product includes a security dashboard that provides an overview of employees' security practices, using aggregated data. "We have found huge overlaps in passwords that were the same between their personal accounts and business passwords," he says.

According to a Dashlane market survey, 80 percent of users reuse passwords, and the average number of passwords per person is 150. LastPass puts it at 191. "Using different, secure passwords for every service is just not very convenient, and sharing accounts is everyday practice," says Julian Weddige, founder and head of operations at SmartPatient GmbH, which makes prescription management tools.

SmartPatient uses SSO via Active Directory for its critical services, and uses the 1Password password manager for all users. "From an enterprise perspective, shared team vaults and central review of password strength are a big step forward," he says. The option for private vaults helped it gain acceptance with employees, he adds. "What is still lacking, though, is an option for connecting 1Password to Active Directory for user management," he says.

This fall, 1Password's main competitors, Dashlane and LastPass, both rolled out Active Directory integration and support for SAML-based provisioning and deprovisioning. "We are trying to offer an all-in-one approach," says LastPass's Stockton. LastPass also added integration with the popular Okta single sign-on platform.

Another password management company looking at attracting business users is Myki, Inc., a Beirut-based startup that launched last year with a service that lets users avoid the cloud altogether. The password vaults are synced by pairing mobile devices with computers. It rolled out an enterprise offering this month that integrates with Active Directory and Google for Work, says Priscilla Elora Sharuk, the company's cofounder and COO.

Managing passwords for shared accounts

Many organizations have company accounts for online services that multiple employees can access. A Twitter account, for example, could be accessible to several marketing staffers. An Amazon cloud services account could be shared by several administrators. Employees need to be able to keep each other up to date about password changes, and remember to cut off access to those who leave the company.

Myki, for example, lets companies create user groups for shared access credentials, and set up rules that can be inherited between groups. "Every enterprise has a password problem," says Sharuk. "If they have strict password policies in place, their employees will be pushed to either keep forgetting their passwords, wasting the IT department's time with resetting them, or they'll start writing them down on a piece of paper or in their notes somewhere. Both are counter-productive compromises."

There's another step that employees can take that would be problematic for companies, she added. They can install their own password managers without any corporate approval or oversight. That means the enterprise will have lost control of those passwords to some third-party provider, she says.

Losing control is actually the best-case scenario. If the employee picks an unsafe service to store their passwords, the consequences can be even worse.

SUBSCRIBE! Get the best of CSO delivered to your email inbox.