Cybercriminals don’t always need a breach to gain an initial foothold in your organization. Left to their own devices, employees seldom choose strong, complex passwords. Instead they tend to build passwords from common elements such as months, seasons and years (a season followed by the current year, for instance), and an attacker can enumerate every password such a pattern can produce with a small wordlist.
Employees also tend to reuse the same password across websites and services, so one compromised site can lead to many others through a “credential stuffing” attack: the automated replay of username and password pairs taken from one breach against the login pages of many other sites, sometimes hundreds. If your users reuse passwords, both your organization and the partner organizations whose services they log in to are at risk.
Given the number of online services most people use, plus the number of breaches that occur every year, the question is not how to stop credential breaches but how to limit their impact. One of the most effective ways to do so is with a password manager.
Next steps
- Implement a password manager for the entire organization: Password manager applications relieve the user of several issues related to password management.
- They encourage the use of longer, more complex or fully random passwords, since users no longer have to memorize them. Depending on the product, users may need to remember only one or two passwords: one for their initial network logon and one for the password manager itself. Some password managers also integrate with single sign-on. Randomly generated passwords also defeat “password spray” attacks, in which an attacker tries a handful of common passwords (Summer2023!, for example) against many accounts, because a random password will never appear on such a list. Note that the one or two passwords the user still memorizes remain exposed to spraying, so those must themselves be long and unique, and the manager’s own login should be protected by a second factor where the product supports it.
- They make it much easier to use a unique password for every login, since the manager generates the passwords itself, relieving the employee of composing a new one for every site or service. This is what blunts credential stuffing: a password stolen from one site opens nothing else.
- They provide safe, encrypted storage for a user’s passwords, keeping them off Post-It notes or notepads and out of text, Word and Excel files, which could themselves be compromised.
- Select the right password manager for your organization: Password managers can take on many forms: standalone applications for each user, applications that integrate with a web browser or centralized applications managed for the entire organization by your IT department.
- Choose whichever manager is most appropriate for your organization’s needs: Base your decision on factors like cost, ease of administration, and effectiveness.
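To make the numbers behind the advice above concrete, the following Python script is an added example (not code from the original page or from any password manager product). It models the “month or season + year + short suffix” pattern as a small, constructed wordlist of the kind a password-spray attacker would use, compares its size with the search space of a randomly generated password of the sort a manager produces, and shows that a generated password never lands in the spray list. The word, year and suffix lists are assumptions chosen for illustration, not data from any real breach.

```python
import math
import secrets
import string
from typing import Dict, List, Optional

# Alphabet a password manager draws from: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed model of the guessable pattern: a month or season, a recent year
# and a short suffix, written either in lower case or with a leading capital.
# These lists are illustrative assumptions, not a real attacker wordlist.
WORDS = ["january", "february", "march", "april", "may", "june", "july",
         "august", "september", "october", "november", "december",
         "spring", "summer", "autumn", "winter"]
YEARS = [str(y) for y in range(2000, 2030)]
SUFFIXES = ["", "!", "1", "!1", "1!", "123", "@", "#", "$", "2"]


def spray_wordlist() -> List[str]:
    """Enumerate every password the pattern can produce.

    A password-spray attacker tries a list like this against many accounts,
    so its length is the entire search space for pattern-based passwords.
    """
    return [cap(word) + year + suffix
            for word in WORDS
            for cap in (str.lower, str.capitalize)
            for year in YEARS
            for suffix in SUFFIXES]


def pattern_bits() -> float:
    """Effective entropy (bits) of a pattern password: log2 of the list size."""
    return math.log2(len(spray_wordlist()))


def random_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy (bits) of a password chosen uniformly at random from the alphabet."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """Generate a password the way a manager does: CSPRNG, one symbol at a time."""
    if length < 16:
        raise ValueError("refuse to generate a password shorter than 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def unique_per_site(sites: List[str], length: int = 20) -> Dict[str, str]:
    """Issue a distinct random password per site, so one breach exposes only that site."""
    return {site: generate_password(length) for site in sites}


def is_sprayable(password: str, wordlist: Optional[List[str]] = None) -> bool:
    """True if the password is in the spray list, i.e. guessable from the pattern."""
    candidates = wordlist if wordlist is not None else spray_wordlist()
    return password in set(candidates)


if __name__ == "__main__":
    wordlist = spray_wordlist()
    print(f"pattern passwords: {len(wordlist)} candidates, {pattern_bits():.1f} bits")
    print(f"random 20-char password: {random_bits(20):.1f} bits")
    for pw in ("Summer2023!", "march2019", generate_password()):
        print(f"{pw!r:26} sprayable={is_sprayable(pw, wordlist)}")
    vault = unique_per_site(["mail.example", "crm.example", "hr.example"])
    print(f"distinct passwords issued: {len(set(vault.values()))} of {len(vault)}")
```

The contrast is the point: the whole pattern space is under 10,000 candidates (about 13 bits), small enough to spray slowly across an organization without tripping lockouts, while a 20-character random password carries over 130 bits and cannot be enumerated at all. The per-site vault shows the credential-stuffing defence in the same terms: a leaked entry for one site matches nothing else.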