Introduction
This guide is an attempt to help individuals and companies find answers to all their questions related to passwords and password management software. It will help them understand why passwords are still the easiest and most reliable method of authentication, how to share, manage, and securely store them, and other security aspects of their use in business. There are four parts to this beginner's guide: an introduction to password management software, the different types of password managers, relevant laws, and a quick overview of its application in various domains.
The basics of password management software
01 Introduction
Why password-based authentication still rules?
What is password hygiene?
What makes a password strong?
What is password management software?
How does it work?
Features
02 Options
Cloud-based
On-premises
Enterprise
Open-source
Password manager vs privileged identity/account manager
03 Legality
What are the current laws related to password management?
04 About Zoho Vault
Why password-based authentication still rules?
Passwords are one of the primary methods of authentication used globally to protect data and accounts from unauthorized access. For more than a decade, security experts have been trying hard to kill passwords with biometrics, digital certificates, and similar technologies, for various reasons. However, passwords remain one of the most reliable and commonly used methods of authentication because of their ease of use, affordability, and uncomplicated administration. With appropriate user education and awareness, password-based authentication provides highly effective and adequate protection compared with other methods.
What is password hygiene?
Passwords are the first line of defense for your online accounts. Password hygiene is a set of best practices that individuals and companies should follow to protect their data and stay secure.
- Use a strong and unique password for each website
- Store passwords in an encrypted vault
- Identify weak passwords and replace them with stronger ones
- Never share passwords insecurely via email, spreadsheets, word of mouth, sticky notes, etc.
- Always change your passwords after a data breach
What makes a password strong?
A strong password should be hard to guess and hard to break even with advanced brute-force techniques. We recommend that all your passwords meet the criteria below:
- Should be a minimum of 12 to 14 characters in length
- Should be a mix of numbers, special characters, and capital letters
- Isn't a dictionary word
- Should never be an easy-to-remember combination of words such as your name, pet's name, or date of birth
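As an added example (not part of the original guide), the following JavaScript function applies the four criteria above to a candidate password and reports every criterion it fails. The small dictionary and the list of personal-information hints it takes are constructed stand-ins; a real password manager would check against far larger word lists.

```javascript
// Added example: checks a candidate password against the four criteria above.
// SMALL_DICTIONARY is a constructed, tiny stand-in for a real word list.
const SMALL_DICTIONARY = new Set(['password', 'welcome', 'letmein', 'dragon', 'sunshine']);

// Returns an array of failed criteria; an empty array means the password passed.
// personalInfo is an optional list of tokens the user should not reuse
// (name, pet's name, date of birth) and is supplied by the caller.
function checkPasswordStrength(password, personalInfo = []) {
  const failures = [];
  if (password.length < 12) failures.push('shorter than 12 characters');
  if (!/[0-9]/.test(password)) failures.push('no digit');
  if (!/[A-Z]/.test(password)) failures.push('no capital letter');
  if (!/[^A-Za-z0-9]/.test(password)) failures.push('no special character');

  // Strip non-letters so "Password123!" is still caught as the dictionary word "password".
  const lettersOnly = password.toLowerCase().replace(/[^a-z]/g, '');
  if (SMALL_DICTIONARY.has(lettersOnly)) failures.push('dictionary word');

  // Reject easy-to-remember personal tokens appearing anywhere in the password,
  // ignoring case and punctuation. Tokens shorter than 3 characters are skipped
  // because they would match almost anything.
  const normalized = password.toLowerCase().replace(/[^a-z0-9]/g, '');
  for (const token of personalInfo) {
    const t = String(token).toLowerCase().replace(/[^a-z0-9]/g, '');
    if (t.length >= 3 && normalized.includes(t)) {
      failures.push(`contains personal information "${token}"`);
      break;
    }
  }
  return failures;
}

// Usage: an empty result means all criteria were met.
console.log(checkPasswordStrength('Password123!'));
console.log(checkPasswordStrength('fluffy1990', ['Fluffy', '1990']));
```

The check is deliberately conservative: a password that merely wraps a dictionary word in digits and punctuation still fails, which is exactly the pattern the "isn't a dictionary word" criterion is meant to catch.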
What is password management software?
To facilitate and automate password management best practices, individuals and businesses need software that can help them securely store, share, and manage passwords. Such software can also bolster overall security, privacy, and productivity in their day-to-day operations.
How it works
- All passwords are stored in a centralized encrypted repository and locked with a master password.
- Access to passwords is controlled based on job roles and responsibilities.
- Weak and reused passwords are randomized and changed periodically with the help of a password generator and an organization-wide password policy.
- Users are empowered to share passwords securely with different levels of access permissions.
- Administrators get a clear picture of who accessed which password and when, with round-the-clock audit trails.
- Administrators can also forcibly take over enterprise passwords from employees who leave the company on bad terms.
- All of this ensures complete security and privacy for the company's confidential data.
Some of the key features of password management software include:
01 Encryption
Ability to encrypt passwords and other confidential data with industry-standard encryption like AES-256.
02 Secure data transfer
Provision to transfer data only through secure communication channels via SSL/TLS.
03 Password generator
A simple and powerful password generator that helps users generate a strong and unique password for each app based on the internal password policy.
04 Multi-platform support
Helps users access the service from any device, operating system, and browser without any additional requirements.
05 User management
Administrators should be provided with a powerful dashboard to carry out operations like importing users, setting user roles and policies, and granting and terminating user access.
06 Fine-grained sharing
Users should be able to share passwords with different levels of sharing permissions: view, modify, manage, and one-click access only.
07 Quick login
Helps users quickly log in to their everyday apps and websites in a single click.
08 Browser extensions
Provides browser add-ons to perform the basic operations from the extension without logging into the service every single time.
09 Mobile apps
Option to view, share, and manage passwords from anywhere.
10 Integrations
Works with identity providers and popular apps, and also offers APIs for custom integration.
11 File storage
Option to store confidential documents apart from passwords.
12 Audit trails
Comprehensive audit trails on user access and activities, available 24/7.
13 Compliance
Adheres to the latest privacy laws and security standards like the GDPR, ISO 27001, and SOC 2 Type 2, and offers the highest level of data security and privacy for users' data.
Various password management software options
Password management software can be used for both personal and business purposes, and is generally classified into six types based on deployment, licensing, and customer type, as listed below:
Personal
Designed for use by individuals with basic features like password storage, strong password generator, auto-fill passwords, expiration alerts, and offered at low prices. They generally lack administrative capabilities and comprehensive audit trails.
Business
These are built for use by businesses of different sizes and types. The primary requirements are a powerful admin dashboard, password policy enforcement, and user behavior monitoring. Additional requirements include multi-factor authentication, reports, IP restriction, alerts, and notifications.
Cloud
In this model, the software is delivered as a service (SaaS). It will work well on all platforms with a standard internet connection. Many new generation companies prefer this model, since it doesn't cost them much on infrastructure, setup, and maintenance. Licensing will be based on the number of users, who will be billed either monthly or annually.
On-premises
Here, the software is installed on the customers' own servers and maintained by them periodically. This option requires each user to install the software locally on their machine and access the service from their browser. Technically, this model works as a client-server setup. Licensing options are offered annually or perpetually, along with additional maintenance costs.
Enterprise
Here, the software is feature-rich and can be customized based on the organization's requirements. Enterprise-grade password management solutions can also be automated and tightly integrated with the applications the company already uses. Customers are charged separately for each service, including consultation, on-site implementation, and periodic maintenance.
Open-source
Here, the password manager's code is exposed to the public and offered free of cost. Companies with a strong in-house development team and tighter budget opt for this model.
Password management vs privileged account management solutions
Though the core functionality of both products is built around password vaulting and management, they cater to the needs of entirely different markets and user segments.
Password Manager | Privileged Account Manager
Used by everyone in an enterprise | Used only by IT admins/privileged users
Password vault | Privileged accounts discovery and password vaulting
Secure password sharing | Secure sharing of privileged IT administrative passwords
Automatic reset of website passwords | Automatic reset of passwords of servers, databases, network devices, and other resources
Control access to shared web accounts | Control access to IT resources and applications based on roles and job responsibilities
Launch direct connection to websites and cloud apps | Launch direct connection to remote IT resources, websites, and applications
Comprehensive audit trails on who accessed which password and when | Video record and audit all privileged access
Password management vs single sign-on solutions
Both solutions offer the same convenience to users: The ability to log in to the product once with a single password and log in everywhere else in a single click. Here are the key differences:
Password Manager | SSO Solution
Password-based authentication | Trust-based authentication (leverages SAML/LDAP)
Works well with all websites and most applications | Works only with enterprise-grade apps
Legality
Apart from the security and productivity features, companies should also think about the legal and regulatory compliance during their software evaluation process. All these laws require companies to control access to critical data, which can be done with the help of a password manager.
What are the current laws related to password management?
NIST
The National Institute of Standards and Technology is a non-regulatory federal agency that promotes innovation and competitiveness of US-based companies. Compliance with NIST standards and guidelines has become an absolute must for high-tech companies and federal agencies.
Sarbanes-Oxley Act
This act is focused on accounting and finance professionals and aims to prevent corporate scandals. The law carries a set of information security and password management implications.
PCI DSS
Enterprises that accept credit card payments must adhere to the Payment Card Industry (PCI) Data Security Standard (DSS). Credit card giants such as American Express, Discover, JCB International, MasterCard, and Visa Inc. have come up with their own set of security standards.
HIPAA
Companies handling sensitive personal and healthcare data must adhere to the Health Insurance Portability and Accountability Act.
GDPR
The General Data Protection Regulation is a comprehensive set of standards and guidelines published by the European Parliament to protect EU residents' personal data. Any company that works with the personal data of EU residents should adhere to the GDPR.
Disclaimer: The above list represents only a partial list of regulations that mandate IT security and password management. We recommend that you consult your corporate auditor or legal representative for comprehensive guidance on your local laws.
About Zoho Vault
Zoho Vault is an online password manager for teams. It helps securely store, share, and manage passwords from anywhere. Zoho Vault leverages host-proof hosting (a zero-knowledge architecture) to provide the highest levels of data security and privacy. The software is available in three editions and two languages. Zoho Vault offers three licensing options—Standard, Professional, and Enterprise—priced per user, per month. For more information on Zoho Vault, please visit https://www.zoho.com/vault/pricing.html.