Navigating enterprise password management

by Mark Rowe

The UK’s National Cyber Security Centre (NCSC) has issued updated guidance on password best practices – recommending the use of password managers and passkeys to enhance organisational cybersecurity, writes Darren Guccione, CEO and co-founder of the vendor Keeper Security.

This guidance aligns with cybersecurity industry recommendations, which urge organisations to use password managers to avoid the pitfalls associated with the most common password mistakes, like password reuse and using default passwords. However, an important distinction must be made: not all password managers are created equal.

Many popular browsers offer their own browser-based password management systems, which provide users with a free and convenient alternative to paid password managers. But this potentially comes at the cost of increased risk to your online security. For organisations, employees using free solutions present a security risk, as these tools lack enterprise-level security features such as robust access controls, auditing capabilities and integration with zero-trust architectures. So, what does good enterprise password management look like for a modern organisation?

Government advice: threats facing organisations

The cybersecurity threat landscape has changed in numerous ways in recent years, with organisations now facing threats of unprecedented sophistication and scale. Research shows that identity-based attacks, like phishing and credential stuffing, are the most concerning to security professionals. These threats have been amplified by the use of AI to create and deploy increasingly convincing attacks more easily and quickly than ever. Worryingly, the research also found that only 12% of organisations are fully prepared to handle AI-enhanced attacks. With these sorts of attacks continuing to proliferate, it’s not just about storing passwords to protect your accounts, but about ensuring you’re doing so securely, with all available protection measures in place.

Reflecting the changing threat landscape, the NCSC’s new guidance aims to contextualise cybersecurity for organisations and advise on the best practice to implement today. It recommends the use of a reputable third-party password manager if your organisation has a “mix of devices/browsers”, and avoiding being “locked in” to a specific platform, whereby the cost and inconvenience of switching to a different provider is so high that the customer is effectively stuck. Additionally, the NCSC’s guidance suggests users opt for passkeys, where available, instead of a password. This passwordless login technology, based on public-key cryptography, is phishing-resistant and user-friendly, and reputable third-party password managers can store passkeys right alongside traditional passwords.

Risks of browser-based password managers

Many people opt to use built-in browser password managers because they are convenient and easy to use, but convenience, in this case, comes with risk. There are many reasons why browser-based password managers are a less safe alternative to third-party password managers, but ultimately, browsers aren’t made to be password managers. Browsers are built to help enable user access to websites, not to safeguard personal information.

One of the main differences is encryption, or more precisely how the encryption keys are protected. Encryption only protects data if the associated keys are themselves secure. Browser password managers do store passwords in encrypted databases; however, they often leave the crucial encryption keys unprotected in predictable locations.

If your browser gets compromised, your passwords do too. Cybercriminals can infect your device with spyware, gaining direct access to your browser settings and saved passwords in plain text – even without physical access. Similarly, many users stay logged in to browsers for convenience, despite the obvious security risk. If your device is stolen while you’re signed in – which most people are – a hacker can easily access your saved passwords.

Safe alternatives

As the NCSC advice makes clear, using a password manager of some kind is better than managing passwords without one. However, enterprises should opt for third-party password management solutions over browser-based ones, not least because they’re designed with protection in mind. A third-party password manager provides organisations with flexibility and security without tying them to a single browser or vendor ecosystem. Additionally, a zero-knowledge, zero-trust password manager provides military-grade security, seamless provisioning across all devices and operating systems without vendor lock-in, as well as compliance with industry standards.

Other features such as password rotation, secure sharing capabilities and role-based access controls are also fundamental to establishing and enforcing strong credential hygiene in modern businesses. Some password managers, such as Keeper Security, also offer dark web monitoring. A solution such as BreachWatch ensures that if credentials are compromised and end up for sale on the dark web, users are notified so they can take appropriate remediation steps immediately.

Ultimately, by centralising credential management, a third-party password manager offers organisations the combination of robust security, increased productivity and unparalleled convenience. It not only fortifies defences against cyber threats with advanced encryption and security architecture, but also streamlines operations, ensuring employees can securely access the accounts they need from anywhere, on any device, without compromising on protection.
