A password vault, password manager or password locker is a program that stores usernames and passwords for multiple applications in encrypted form. Users unlock the vault with a single “master” password, from which the vault derives the key that decrypts the stored credentials; it then supplies the password for the account the user needs.
Since users have to remember only one password, they are far more likely to use a unique, complex password for every account, one that cannot be guessed and that is useless to an attacker anywhere but the one site it was created for.
In organizations worldwide, people still choose weak passwords or reuse one password across many accounts. Such practices let attackers take a password leaked from one service and use it to breach the enterprise network. Passwords for privileged accounts are particularly attractive, since one such “key” opens many resources.
The risk grows when organizations do not manage their passwords properly. A password vault is one way for organizations to reduce the risk of password-based attacks.
A password vault is a key element of Privileged Access Management (PAM). It is ideal for organizations that need to securely protect user accounts in a centralized manner. The application is user-friendly, since users don’t have to remember multiple passwords. It also helps enforce password best practices, and protects the enterprise from outside threats.
PAM is best suited to enterprises that need to monitor, manage and protect privileged accounts. It isolates the control and use of privileged accounts behind granular role-based access control (RBAC) to reduce the risk of accidental or malicious credential misuse, and it generates audit logs automatically, which helps meet compliance requirements such as GDPR and ISO/IEC 27001.
PAM typically consists of a password manager, an access manager that governs who may use which account, and a session manager that records privileged sessions and can detect, block and terminate suspicious activity. Implemented as part of a broader security strategy, PAM reduces the overall attack surface and mitigates risk.
The average cost of a data breach caused by compromised credentials has been estimated at $4.37 million. To prevent such losses, organizations need a better way to store their passwords. This is where a password vault comes in.
Safely store enterprise passwords. A password vault is a secure way to manage and store enterprise passwords. Some vaults can auto-generate strong, secure and unique passwords to protect applications.
User-friendly. Users don’t have to remember multiple passwords to log into multiple accounts, just the one strong master password that unlocks the vault.
Prevent account compromise and data breaches. Generated passwords are random and unique to each account, so they cannot be guessed, and a password leaked from one site cannot be replayed against another (credential stuffing fails).
Easy password resets. It’s easy to reset or change passwords if an account is hacked or if a password is compromised.
Multiple login methods. Some password vaults support multi-factor authentication (MFA), so unlocking requires a second factor such as a one-time password (OTP) or a hardware key in addition to the master password, and a stolen master password alone is not enough. Many vaults also allow biometric unlock (a fingerprint, for example) on a device where the vault is already set up; that is a convenience for an already-enrolled device, not a way to recover a forgotten master password.
Threat alerts. Certain vaults warn users about potential phishing: the vault only auto-fills a credential on the domain it was saved for, so a look-alike site gets nothing, and the missing auto-fill is itself a signal that the page is not the real one.
Sync across devices. Some password managers sync credentials across multiple operating systems and devices, further simplifying the login process.
Single point of failure. If a cybercriminal gets hold of the master password, they can steal all passwords in one go, and ultimately compromise multiple accounts.
Vulnerable to malware. If the master password is typed or stored on a computer infected with malware, the malware can capture it (or read the decrypted vault from memory) and with it every password the vault protects.
An enterprise password manager is a centralized system with built-in security controls to prevent cybercriminals from abusing the organization’s passwords for malicious purposes. RBAC restricts password access based on a person's role, so employees can only access the accounts they need to perform their job.
Enterprise password vaults encrypt the stored credentials with standard algorithms such as AES-256, deriving the encryption key from the master password through a deliberately slow key-derivation function so that guessing the master password offline is expensive. They include random password generators, support automatic password resets and rotation, and let administrators enforce password policies. Some also add MFA for extra protection.
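The mechanism the previous paragraphs describe, a master password that unlocks everything, AES-256 encryption of the entries, and a slow key derivation that makes guessing expensive, is shown below as an added example. It is not code from the original page or from any vendor's product, and the entry names and passwords in it are constructed. It uses PBKDF2-HMAC-SHA-256 (written out here so the block needs only Go's standard library) and AES-256-GCM, so a wrong master password or a tampered vault file is detected rather than decrypted into garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Entry is one stored credential.
type Entry struct {
	Site     string `json:"site"`
	Username string `json:"username"`
	Password string `json:"password"`
}

// Vault is the stored form: salt, iteration count and nonce are public; the
// entries exist only inside Ciphertext (AES-256-GCM, tag appended).
type Vault struct {
	Salt       []byte
	Iterations int
	Nonce      []byte
	Ciphertext []byte
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA-256 for one 32-byte output
// block, i.e. exactly a 256-bit AES key. Iterations set the cost of each guess.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	var blockIndex [4]byte
	binary.BigEndian.PutUint32(blockIndex[:], 1)
	mac.Write(blockIndex[:])
	u := mac.Sum(nil) // U1 = PRF(P, S || INT(1))
	key := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil) // Ui = PRF(P, Ui-1); T = U1 xor ... xor Uc
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// deriveAEAD turns master password + salt into an AES-256-GCM instance.
func deriveAEAD(masterPassword string, salt []byte, iterations int) cipher.AEAD {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(masterPassword), salt, iterations))
	if err != nil {
		panic(err) // unreachable: the derived key is always 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// SealVault encrypts the entries under a key derived from the master password
// with a fresh random salt and a fresh random nonce.
func SealVault(masterPassword string, entries []Entry, iterations int) (*Vault, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm := deriveAEAD(masterPassword, salt, iterations)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plaintext, err := json.Marshal(entries)
	if err != nil {
		return nil, err
	}
	return &Vault{Salt: salt, Iterations: iterations, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// OpenVault re-derives the key from the supplied master password. A wrong
// password or any change to the ciphertext fails the GCM tag check.
func OpenVault(v *Vault, masterPassword string) ([]Entry, error) {
	gcm := deriveAEAD(masterPassword, v.Salt, v.Iterations)
	plaintext, err := gcm.Open(nil, v.Nonce, v.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("vault: wrong master password or tampered vault")
	}
	var entries []Entry
	if err := json.Unmarshal(plaintext, &entries); err != nil {
		return nil, err
	}
	return entries, nil
}

func main() {
	entries := []Entry{{"mail.example.com", "alice", "xK9#qL2!pZv7"}} // constructed sample
	v, err := SealVault("correct horse battery staple", entries, 600_000) // OWASP's PBKDF2-SHA256 minimum
	if err != nil {
		panic(err)
	}
	_, err = OpenVault(v, "wrong password")
	fmt.Println("wrong password:", err)
	got, _ := OpenVault(v, "correct horse battery staple")
	fmt.Println("recovered:", got[0].Site, got[0].Username)
}
```

Two points the paragraph glosses over are visible here. The single point of failure is literal: there is exactly one key, and anyone who learns the master password can compute it from the public salt. And the only thing standing between a stolen vault file and that key is the iteration count, which is why a vault that uses a fast hash or a low count is the one to worry about.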
Enterprise password vaults are of two types:
Desktop-based. Desktop-based vaults store passwords in an encrypted file on a single device. If the device is damaged, stolen or lost and no backup of the vault file exists, the user loses every password stored in it.
Cloud-based. A cloud-based password manager keeps the encrypted vault on the provider's servers, so users can reach it from any device or browser. In a well-designed service the vault is encrypted on the user's device before upload and the provider never holds the master password or the key, so a breach of the provider exposes only ciphertext.
Some web browsers let the user set a master (or primary) password that must be entered before saved logins are shown or auto-filled; others unlock the saved logins automatically once the user is signed in to their operating-system account. In either case the browser keeps the credentials unlocked for the session, synchronizes them across the user's devices, and auto-fills them as required.
Browser-based vaults have historically offered little control over password generation, and even where the browser now includes a generator, there is no administrator-enforced policy behind it. Users who need strong, auto-generated passwords under an enforced policy are better off with a dedicated password vault.
A browser-based vault is convenient, but it is only as secure as the device and the OS account it lives on: an attacker with access to an unlocked device, or to the user's OS credentials, can log into every saved account. Browser vaults also lack the enterprise controls of a dedicated vault, such as role-based sharing, centrally enforced policies, audit logs and automated rotation.
Although a password vault is a secure place to store passwords, the master password that protects it remains exposed to brute-force guessing, phishing, keyloggers and other attacks, and its loss or compromise compromises every account in the vault.
A vault is most often breached through malware on the device that records the master password as it is typed, after which the attacker can decrypt the entire vault. Vaults that derive the key with a fast hash or a low iteration count are also exposed to cheap offline brute-force if the encrypted vault file is stolen, and vaults without MFA offer no second barrier once the master password is known.
Whether a user who forgets their master password can get back in depends on the vault. Some vaults never hold anything that could decrypt the data (the provider has only ciphertext), so no reset is possible: the user must delete the vault (after taking a backup of whatever is still reachable), create a new vault and protect it with a new master password.
Other vaults let the user regain access with an OTP sent to the associated email account and then set a new master password. If the email account is unreachable too, the only option is again to delete the vault, losing all stored passwords, and create a new one.
The best protection against this is to keep the master password in a physically secure place. Some password managers also provide backup or recovery codes that can change the master password or reopen the vault; these too must be stored somewhere safe outside the vault, since a code kept inside the vault is unreachable exactly when it is needed.
When businesses start tightening their password policies, they often begin with password managers so employees can keep their passwords in an encrypted, relatively secure store. But password managers add work for employees, who must adopt and maintain the vault themselves, and they still require a separate login to every application, which adds up to a lot of lost time. For these reasons, most organizations soon outgrow password managers.
Single Sign-on (SSO) allows users to log into multiple accounts, both on-premises and cloud, just once with one set of credentials. It thus provides more seamless and secure access across many systems.
SSO is usually part of an Identity and Access Management (IAM) solution that authenticates users against the company's directory, such as Microsoft Active Directory, Azure Active Directory, or a directory provided by the SSO vendor. It relies on standard, widely adopted protocols such as SAML and OpenID Connect (which builds on OAuth 2.0), and on digital certificates and signed tokens, to provide enterprise-grade security.
SSO is more secure than a password vault because it reduces the number of logins and the number of credentials stored. Passwords are not passed around: the user authenticates once to the identity provider, which then issues a signed, short-lived token to each application that requests authentication, and the application verifies the token instead of ever handling the password. This shrinks the attack surface and the opportunity for credential theft. SSO is also easier to use than a password vault, since there are no per-application passwords to maintain. The identity provider does become the one place where a single set of credentials unlocks everything, so it must itself be protected with MFA, short token lifetimes and monitoring.
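The token exchange described above, as an added example that is not part of the original page and not the code of any SSO product: an identity provider checks the password once and issues a signed assertion for one application, and the application verifies the signature, the audience and the expiry without ever seeing the password. This is a deliberately simplified stand-in for SAML or OpenID Connect (Ed25519 signatures over a JSON payload instead of XML-DSig or JWS), and the user directory, user name and password are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is what the identity provider (IdP) hands an application after the
// user has authenticated once. The user's password is not in it.
type Assertion struct {
	Subject   string `json:"sub"`
	Audience  string `json:"aud"`
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
}

// IdentityProvider owns the signing key and the user directory. The directory
// is a constructed stand-in (username -> SHA-256 of the password); a real IdP
// binds to the corporate directory and enforces MFA at this step.
type IdentityProvider struct {
	Pub       ed25519.PublicKey // given to applications (SAML metadata / OIDC JWKS)
	priv      ed25519.PrivateKey
	directory map[string][32]byte
}

func NewIdentityProvider(directory map[string][32]byte) (*IdentityProvider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{Pub: pub, priv: priv, directory: directory}, nil
}

// Login checks the password once, at the IdP, and returns a signed token bound
// to one application: base64url(payload) "." base64url(signature).
func (idp *IdentityProvider) Login(user, password, audience string, now time.Time, ttl time.Duration) (string, error) {
	want, known := idp.directory[user]
	got := sha256.Sum256([]byte(password))
	if !known || subtle.ConstantTimeCompare(want[:], got[:]) != 1 {
		return "", errors.New("idp: invalid credentials")
	}
	payload, err := json.Marshal(Assertion{Subject: user, Audience: audience, IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(idp.priv, payload)), nil
}

// ServiceProvider is an application that trusts the IdP's public key; it only validates tokens.
type ServiceProvider struct {
	Name   string
	IdPKey ed25519.PublicKey
}

// Verify returns the authenticated username, rejecting a bad signature, a
// token minted for another application, and an expired token.
func (sp ServiceProvider) Verify(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return "", errors.New("sp: malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err1 := enc.DecodeString(parts[0])
	sig, err2 := enc.DecodeString(parts[1])
	if err1 != nil || err2 != nil {
		return "", errors.New("sp: malformed token encoding")
	}
	if !ed25519.Verify(sp.IdPKey, payload, sig) {
		return "", errors.New("sp: signature does not verify")
	}
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return "", err
	}
	if a.Audience != sp.Name {
		return "", fmt.Errorf("sp: token issued for %q, not %q", a.Audience, sp.Name)
	}
	if !now.Before(time.Unix(a.ExpiresAt, 0)) {
		return "", errors.New("sp: token expired")
	}
	return a.Subject, nil
}

func main() {
	directory := map[string][32]byte{"alice": sha256.Sum256([]byte("correct horse battery staple"))} // constructed
	idp, _ := NewIdentityProvider(directory)
	now := time.Now()
	token, _ := idp.Login("alice", "correct horse battery staple", "payroll", now, 5*time.Minute)
	fmt.Println(ServiceProvider{Name: "payroll", IdPKey: idp.Pub}.Verify(token, now))
	fmt.Println(ServiceProvider{Name: "hr", IdPKey: idp.Pub}.Verify(token, now)) // replayed at another app
}
```

The audience check is what stops a token captured from one application being replayed at another, and the expiry is what limits the damage from a token that leaks; both are checks real SAML and OIDC relying parties must perform. Note what the service provider holds: one public key and no password database, which is the concrete sense in which SSO "does not pass passwords around".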