8 things you should consider before selecting a corporate password manager

A couple of guesses... your mother's maiden name, your date of birth, your pet's name. And Bam! It's stolen.

Password theft has become increasingly common.

The most infamous case was the 2014 Russian hacker incident in which more than 1.2 billion passwords were stolen, but it is far from the only one. There are news stories about password hacking almost every day. And yet, many people still choose easily guessable passwords.

Many people opt for easy passwords so they can remember them. But as easy as they are for you to remember, they’re even easier for hackers to guess. Safety is important for everyone, especially for large corporations.

SECURITY POLICIES AREN’T REALLY CUTTING IT

Large enterprises generally have policies that require their employees to use strong passwords. However, since short passwords are easier to remember, many employees go against the policies and pick weak ones. A policy isn’t much of a help here.

What does work, though, is a corporate password manager. It forces users to select only strong passwords that cannot be cracked easily. With the right technology in place, you can avoid a hacking incident.

While a corporate password manager can choose passwords for you, how do you choose the right password manager for business? Here are some tips for you to get the best software for your enterprise:

TIP #1 — Find the right technology for your enterprise

A corporate password management tool can be SaaS-based or it can run on-premise. Both have their own merits and limitations, and you should select the one that suits your company. Traditionally, vendors sold licenses for their software and it was installed “on-premise.” SaaS, by contrast, is software that is hosted and managed remotely by its provider.

With SaaS, you only pay for what you need, which makes it a better option for smaller businesses. With on-premise solutions, you need to pay for the hardware, but the license is completely owned by you, which makes it a better choice for large enterprises.

If you get a SaaS corporate password manager, you’ll pay small recurring fees, while an on-premise password manager requires a one-time payment of a larger sum. While a SaaS cloud password manager is much cheaper than a self-hosted password manager, the latter gives more flexibility and reliability. Make sure you select a corporate password manager vendor that offers SaaS as well as on-premise solutions, so you can compare them both and make the right choice.

TIP #2 — Is the vendor credible?

Check the credibility of the vendor providing the corporate password management tool. Find out where they store their data and if they own their servers or use third-party servers. If they have a rented data center and others have access to it, this makes your information more vulnerable than you’d want it to be.

The geolocation of the vendor is also important. Since different countries have different laws, it’s best to select a vendor in a country whose laws are not too intrusive. For example, Passwork is a business password manager that has its servers in Finland. Finland believes in online freedom and was the first country to make broadband access a legal right.

Whichever password manager you choose, make sure it’s not located in the Five Eyes countries – US, UK, Canada, Australia, and New Zealand. These countries have laws that allow authorities to issue warrants to obtain people’s details from privacy companies such as password managers and VPNs.

TIP #3 — Find possible vulnerabilities

Check for any possible vulnerabilities in the software. To see whether the cloud vault manager leaks your passwords to third parties, try this check:

Sign in to the password manager. Press F12 to open the browser developer tools. Open the Network tab and see whether there are any requests to external hosts. These can be of different types, such as the loading of external analytics scripts. A good corporate password manager will block scripts and AJAX requests from third-party sites so that they cannot be used for XSS attacks.

When third parties are allowed to call into the system, they can make the system vulnerable. Whether you prefer a SaaS password manager or an on-premise password manager, it should hold all sensitive information in such a way that external applications cannot access them.
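The Network-tab check above can be scripted so that every host the application talks to is classified as first-party or third-party. The following is an added example, not Passwork’s code or any vendor’s; the app origin and the list of request URLs are constructed placeholders standing in for what the Network tab would show. A subdomain of the app host counts as first-party, while a lookalike host that merely begins with the app name does not.

```javascript
// Added example: classify the requests a password-manager web app makes into
// first-party and third-party, the check Tip #3 performs by hand in the Network tab.
// Not vendor code; APP_ORIGIN and SAMPLE_REQUESTS are constructed placeholders.

const APP_ORIGIN = 'https://vault.example.com'; // assumed origin of the password manager

// Constructed sample of resource URLs as the Network tab would list them.
const SAMPLE_REQUESTS = [
  'https://vault.example.com/api/v1/login',
  'https://vault.example.com/static/app.js',
  'https://static.vault.example.com/fonts/inter.woff2',   // subdomain: first-party
  'https://analytics.example-tracker.net/collect.js',      // external analytics script
  'https://cdn.example-cdn.net/lib/jquery.min.js',         // external library host
  'https://vault.example.com/api/v1/vault',
];

// A host is first-party when it equals the app host or is a subdomain of it.
// 'vault.example.com.evil.test' is NOT a subdomain and is therefore third-party.
function isFirstParty(requestUrl, appOrigin = APP_ORIGIN) {
  const appHost = new URL(appOrigin).hostname;
  const host = new URL(requestUrl).hostname;
  return host === appHost || host.endsWith('.' + appHost);
}

// Group third-party requests by host: Map<hostname, [urls...]>.
function findThirdPartyRequests(urls, appOrigin = APP_ORIGIN) {
  const byHost = new Map();
  for (const url of urls) {
    if (isFirstParty(url, appOrigin)) continue;
    const host = new URL(url).hostname;
    if (!byHost.has(host)) byHost.set(host, []);
    byHost.get(host).push(url);
  }
  return byHost;
}

// Sorted list of external hosts, convenient for a quick report.
function thirdPartyHosts(urls, appOrigin = APP_ORIGIN) {
  return [...findThirdPartyRequests(urls, appOrigin).keys()].sort();
}

// In a live browser session, replace the sample with the real resource list:
//   thirdPartyHosts(performance.getEntriesByType('resource').map((e) => e.name))
for (const [host, urls] of findThirdPartyRequests(SAMPLE_REQUESTS)) {
  console.log(`third-party host ${host}: ${urls.length} request(s)`);
}
```

Run it in the browser console after signing in and an empty report means every request stayed on the vendor’s own origin; any host listed is something to ask the vendor about.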

TIP #4 — See if the passwords are encrypted

The password manager should hold all passwords in an encrypted form. To check this, open the Network tab of the browser developer tools (press F12, then select the Network tab). Now open any website where you need to sign in and save the password in the password manager. Look at the request the password manager sends and see whether the password appears in plain text or in encrypted form.

If the password appears in plain text, it’s extremely easy to steal, and this makes your system vulnerable to hacking attempts. As a corporate manager, it’s important to keep your business passwords safe.

Different password managers have different encryption standards. The strongest commonly offered is AES-256 with an RSA handshake. This is the level of encryption approved for protecting classified government data, and no practical attack against it is known. If your corporate password manager provides this level of encryption and owns its own servers, you don’t have to worry about the security of your information.

TIP #5 — Check if the vendor has transparent policies

Check the provider’s website and see whether they have published comprehensive whitepapers on the algorithms and cryptography they use. All good companies provide open-source, auditable code for their on-premise solutions in order to keep their processes transparent.

There is generally a master password that is used to encrypt all sensitive information. A good password manager will protect this master password as well, keeping it in the browser instead of on the vendor’s servers. This way, even the vendor has absolutely no knowledge of your master password, and all your data is known only to you. This is called zero-knowledge encryption.

A good password manager such as Passwork keeps all passwords in a vault encrypted with a 256-bit cipher.

It’s a good idea to prefer open-source software as all its algorithms will be public. This will allow users to see the kind of algorithm and cryptography the vendor provides.

TIP #6 — Check the auditability of the software

When you get an on-premise password manager, you should be able to audit the code. In fact, if the code is open source, you should be able to make changes to it as well. However, this might make the software unstable. If you plan to make changes, discuss it with your vendor and ask whether they can provide a fresh copy in case the code becomes unstable.

With the help of auditing, you can measure the effectiveness of the corporate password manager. A software vendor that lets you view the internal code shows that they have complete transparency and have nothing to hide.

In addition to this, the password manager should conduct regular audits to see which passwords are old and which services share the same password. These passwords need to be updated. An advanced password manager will prompt you to replace old passwords with new ones.

TIP #7 — Test the SSL quality

Advanced corporate password management tools use Secure Sockets Layer (SSL, today superseded by TLS) to transfer data securely between the client and the server. Passwork uses SSL along with AES-256 encryption and an RSA handshake to ensure your data is encrypted according to the highest standards.

There are several online tools to check whether there are any potential issues with the SSL quality of the password manager. With tools such as SSL Labs and SSL Checker, you can find out whether the password manager’s SSL certificates are valid.

TIP #8 — Get a FLEXIBLE solution

A good corporate password manager will work on all major platforms. While some password managers only work on web-based browsers, an advanced password management tool will keep your accounts secure, no matter where you log in from. Passwork has a web version that you can use on a PC or a Mac. It also has mobile versions for iOS and Android.

And it has browser plugins for Chrome and Firefox as well. So no matter where you are or how you access your accounts, your passwords are always safe.

If you use the same service on your laptop and mobile device, the password manager should be able to sync the passwords across various devices. For example, if you save the password for Facebook on your Chrome browser and later use your phone to open the Facebook app, it should automatically sync the passwords.

The Bottom Line

There are several corporate password managers out there, so make sure you choose the best one. If you find a password manager that satisfies all the criteria given above and is affordable, choose it to protect your passwords.

However, make sure you don’t select a weak manager just to save a couple of bucks. Your enterprise passwords are extremely important so don’t compromise on quality. Hacking incidents have become rampant and you can save a lot of precious data just by spending a few dollars.

There’s a saying in the online world – if you get a product for free, you’re the product. Make the right choice and get the right software tool that keeps your company’s details safe. It doesn’t just make things easier for your employees but also keeps your precious details secure from prying eyes.