Why Your Firm Needs a Password Management Application
Passwords are the keys to your firm’s digital kingdom. Behind the doors are your clients’ confidential and sensitive information, privileged correspondence, financial records, and more. With so many passwords to remember, the temptation to use the same one, the same variation of one, or something simple and easy to guess is very real. However, best practice for passwords is to use long, strong, and unique passwords for each account. How can your firm do this and enforce it?
While there is movement afoot to find a less cumbersome way to protect access to applications, services, storage and more in the cloud, we will still be relying on passwords for some time. Everyone has a different tactic for dealing with passwords. Some keep them in a notebook. Some write them on sticky notes and put them under their keyboard. Some put them in a password-protected document. These methods are cumbersome and not scalable. Do you have those passwords on hand to log in to accounts on your mobile device? Another computer? If someone leaves the firm, can you access their accounts? What if someone loses their laptop or smartphone? Enter the solution – a business password management application.
Basics
Once you find the password manager that suits your needs, you sign up and get set up. You can create folders for distinct types of accounts (finance, marketing, practice management, etc.). Invite the users in the firm. Set up multi-factor authentication for the account logins. Best practices suggest that you should use a third-party authenticator like Google, Duo, Microsoft, or Authy to access your password manager, in addition to a password. Don’t forget the password for your password manager. You will only need to remember one, but most password managers follow the zero-knowledge best practice, so recovery of your password manager password is purposefully difficult, if not impossible.
Many of the password managers also supply secure space to store attachments, like pictures of your driver’s license, insurance cards, passport or tax returns and other sensitive documents. Additionally, users can add secure notes associated with a login to store answers to security questions and other notes. If you have two (or three or four) logins for a single platform, like Google or Microsoft, the password manager will let you choose which account you want to log in to from a drop-down menu.
Benefits
Password managers are applications that generate, store, and fill passwords for the user. Your passwords are stored either locally on a device, or more commonly in an encrypted vault in the cloud. Password managers can also act as form fillers. You can enter information for work and home and the tools will fill out online shopping sites and other sites that request mailing addresses, phone numbers and other information. One of the first password management/form filling tools was RoboForm, which was first released in 2000. And they are still going strong. They have been joined by a host of others.
Scalable
Most of the major password management applications offer personal, family and business plans. Whether you are a true solo or a huge firm, you can reap the benefits of a password manager and scale up as you grow. For your personal and family use, you can help protect passwords for your bank, insurance, taxes, and other sensitive information, as well as build in protection for your digital assets as a part of your estate plan.
Enforces best practices
Creating long, strong, and unique passwords is difficult. Password management applications help you enforce best practices across the firm. You will remove the temptation to reuse passwords, write them down, or keep them on your computer. Paid versions also offer other features, like multi-factor authentication, deep web scans, warnings for reused passwords, and more.
Firm controls
Many of the business versions of password managers provide reporting to firm administrators to ensure users are effectively using the product. If someone leaves the firm, loses a device, forgets their password, or finds out they were hacked, the firm administrator can change their passwords or remove access to the account.
Features
Generate long, strong, unique passwords
From personal (free or paid) to enterprise versions, the core strength of a password manager is to help create long, strong, and unique passwords for online accounts and then fill them in for you, so you don’t have to remember them all! When you go to log in to an account for the first time, you can have your password manager create a unique password. You can set the complexity of the password to meet any requirements of the service (character count, special characters, numbers, etc.). If you are logging in to a site, the password manager will pop up and ask if you want to store the login in the password manager.
Typically, a password manager has an online version, accessible through a browser. Some have installed software. Most have browser plugins for Firefox, Safari, Edge, Chrome, and others. Many have apps for your smartphone as well.
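The generation step described above, as an added example (not code from any password manager product): a generator that draws from the operating system's secure random source and honors the kind of per-site settings mentioned here. The option names (`length`, `digits`, `symbols`, `exclude`) and the symbol set are assumptions made for illustration.

```python
import math
import secrets
import string

# Hypothetical symbol set; real sites differ in which symbols they accept.
SYMBOLS = "!@#$%^&*()-_=+[]{}"


def generate_password(length=20, digits=True, symbols=True, exclude=""):
    """Return a random password containing every enabled character class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase]
    if digits:
        classes.append(string.digits)
    if symbols:
        classes.append(SYMBOLS)
    # Remove characters the site rejects or that are easy to misread.
    classes = ["".join(c for c in cls if c not in exclude) for cls in classes]
    classes = [cls for cls in classes if cls]
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(classes)
    # Rejection sampling: draw every position uniformly from the whole
    # alphabet and retry until each class appears, so no position is
    # predictably a digit or a symbol.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length, alphabet_size):
    """Upper bound on the entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password(24, exclude="0O1lI"))
    print(round(entropy_bits(24, 26 + 26 + 10 + len(SYMBOLS)), 1), "bits max")
```

The `secrets` module matters here: Python's `random` module is predictable and is not suitable for credentials.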
Each person gets a personal vault as well as the workplace-shared passwords
Business and enterprise versions of password managers often supply a space for personal passwords and notes as a benefit. Users can store access to their personal logins, which are not available to the firm.
Reporting
Firm administrators can get reports and security audits to check on how users are using the platform. Reports may include logins, usage stats, password resets, Breach Watch activity, and employee security scores.
Shared credentials
Though not a common use, some firms may need to have shared credentials. Most of the business password managers have a space for shared passwords.
Multi-factor authentication
Some of the business password managers can also supply add-ons for multi-factor authentication. For instance, if your firm uses a Salesforce application, the password manager can fill in the user credentials and provide the one-time, time-expiring code for multi-factor authentication. Using a third-party authenticator, such as a password manager, is an excellent feature to take advantage of, since requiring that an end user in the firm use their personal smartphone for text message authentication comes with some risk.
Admin controls
Admins for firm accounts, in addition to running reports, can also reset individual users’ passwords if they forget them or leave the firm.
Use on your smartphone
Staying logged in to an app on your smartphone is risky if you lose your phone. Stay logged out and get the password manager app for your phone and use it to log into your accounts. Again, you will need to remember the login for your password manager!
Products
There are many products on the market, with different strengths and weaknesses. Most store passwords in the cloud in an encrypted vault. Yes, that introduces a risk, but it is less risky than firmwide poor password hygiene. Pricing for business versions of password managers typically ranges between $3 and $8 per user per month for the base product, with some pricing scalability if purchased for a year up front. Be aware that some add-ons like dark web monitoring and multi-factor authentication may be an added charge.
Some of the most popular business plans have versions ranging from Teams (small business) to enterprise (big business). In most of the “best of” roundups, products from Keeper, LastPass, Dashlane, and 1Password are included. Consider the size of your firm (number of users), whether the plan includes personal/family vaults as a benefit to your employees, add-ons like multi-factor authentication, reporting options, ease of use and support. PC Magazine and TechRadar have recent roundups with pros, cons, and comparisons. Most of these products have free trials.
Conclusion
Password managers are simple and inexpensive tools that can do a lot to enforce security best practices at your firm. By using a product to help generate secure logins, you can start to consider more security steps, like creating usernames different from your email and using fake answers to security questions. Want to see a password manager in action? See this CPM Learning Objectives webinar recording “Setting Up a Password Manager.”
Catherine Sanders Reach serves as director of the NCBA Center for Practice Management.