Is Your Enterprise Password Manager Good Enough?

An enterprise password manager or password vault is often the first step that companies take as they try to wrangle passwords and make them secure while also ensuring ease-of-use for employees. But not all enterprise password managers are the same. Here are the features that any such tool should have and extras that only some tools have but that your business might need.

Any of the main enterprise password managers on the market does the basic task of storing user passwords in a secure password database, usually in the cloud. Quality password managers encrypt the data securely using ciphers like AES-256. Most of these tools also have built-in random password generators, making it easy to create secure passwords.

When picking a business password vault, you’ll want to make sure you choose a tool that supports employee access across devices and syncs across them. That’s because employees typically use their phones as well as work machines, and may also use personal laptops. The top enterprise password managers will support all the common browsers and mobile operating systems.

Now, for the extras.

Two items to look for in a password manager are the ability for automatic password resets and the ability to enforce password rules through the tool. Both will aid in security while also avoiding the burden on IT or your helpdesk.

For security, it’s important that the enterprise password manager supports two-factor or multi-factor authentication (MFA). A password manager is a good first step in improving password security. But it’s rarely enough by itself. Password managers have been hacked and various types of attacks can still intercept and capture the password being entered. Make sure the enterprise password vault works with your MFA solution (or includes MFA) to require that users provide additional authentication factors when logging in, such as a pin from a phone app, a fingerprint, or facial recognition.

For the enterprise password manager to work, employees have to use it. For them to use it, it has to be easy. Look for these capabilities:

• Fill-in web forms—Most enterprise password managers include the ability to detect a website and automatically fetch and fill in the login dialog for it. They don’t all do a great job or detect all sites equally well, though.
• App passwords—Websites aren’t enough. Employees don’t distinguish between a website and an app—they are all just tools to get the job done. Not all password managers support apps. Look for ones that do. It’ll cut down on employee complaints and increase adoption.
• On-prem application support—Even fewer enterprise password managers support on-prem applications. But, again, user’s don’t make a big distinction between web and on-prem systems. They just want to quickly login and get their work done. A password manager that doesn’t support your on-prem apps is only a partial solution to the password problem.

Enterprise password managers may provide some basic reports but they rarely provide the kind of auditing tools needed for compliance with standards like PCI or SOX. They won’t give you the information you need to identify attack attempts, either.

Enterprise password managers offer only basic synchronization with directories like Active Directory (AD). If you’re looking to implement security policies based on role, location, etc. with granular permissions using identity and access management (IAM), you’ll need a true single sign-on (SSO) system instead of a password manager. Similarly, if you onboard and offboard through AD, Workday, or other directories—or even multiple directories as in many organizations—a password manager is likely to prove unwieldy and become just another system you have to maintain.

The right enterprise password manager can be a good first step to increase security for your company. But to maintain password security and keep employees happy, you’ll probably want to move to an IAM solution with SSO. That will enable users to log in just once and then easily access all their work websites and apps—whether cloud-based or on-prem—without having to login again. It means truly using just one password. And an IAM solution with SSO will integrate with your directories to provide the granular level of permissions and control that is the reason you use a directory like AD in the first place.

So, consider an enterprise password manager as a first step on the path to greater security, but don’t expect it to be your last.