The Lockdown

Thycotic’s Cyber Security Blog

Password Management Practices in the Enterprise and the Future of Passwords

Written by Joseph Carson

January 1st, 2019

Passwords have been around for decades now, and they aren’t going away any time soon.

And yet, password management best practices are still ignored by many. Too many people and companies are careless with password management, even though they know that a single password in the wrong hands can lead to disastrous consequences.

If you’re overwhelmed by the task of managing dozens, even hundreds, of personal or business passwords securely, or you’ve never had to deal with the aftermath of a hack, you may be tempted to keep your head in the sand and hope for the best. This is your worst possible option.

As recently as mid-2016, Pew Research Center reported that most Americans keep track of their online passwords by memorizing them or writing them down. And if they do this with personal passwords, you can be sure that some of this behavior finds its way into your office environment, where the security risks are amplified.

No surprise again, 123456—possibly the worst password ever—continues to be the most used password for the 5th year in a row.

Other bad password management practices from the 1990s are also alive and well:

  • Companies still add computers to their network without changing the default, out-of-the-box password.
  • Employees still email passwords to one another.
  • Organizations still store passwords in “password protected” Excel spreadsheets (see why that’s a lousy idea), and employees still write sensitive passwords on sticky notes and paste them on their monitors or under their keyboard.
  • People still choose the worst passwords ever—Wikipedia publishes SplashData’s “List of the most Common Passwords” every year, and the old favorites are always pretty much the same.
  • Small businesses still think that implementing password management best practices is only for the ‘big guys’.

Has anything changed in password management practices?

Thankfully, yes. A lot has changed. Password management tools have become mainstream as more and more individuals and businesses have adopted them. But not nearly enough, as the Pew research suggests.

On a personal level, cyber-aware people have started using secure digital password managers across their devices. Use of password managers has resulted in people adopting best practices by default, overriding a natural inclination to be sloppy. Many have adopted 2-factor authentication, and have become more cognizant of the benefits of VPNs to further protect their passwords and other information. These individuals are aware of the value of password security and are more likely to practice better cyber hygiene in the workplace too.

On a business level, conscientious companies have installed enterprise-level privileged access management (PAM) software and are enforcing password management best practices across their organizations. PAM software has enabled companies to introduce automation to password management, so passwords can be changed, rotated, and expired on an automated schedule. Plus, passwords can be better managed when an employee leaves the company or when another high-risk event has occurred.

Password use can be tracked and reported on, and employees’ actions can be monitored and recorded as they access the sensitive information protected by company passwords. And PAM software can help companies establish and prove compliance to fulfill their industry’s audit requirements for protecting passwords.

So, what does the future hold for passwords and their security?

Passwords are the staple of secure access to accounts and sensitive information. They will remain so for the foreseeable future, despite advancements in biometric authentication, which simply augments password interactions rather than replacing them.

Criminal hackers are reaping the rewards of neglectful behavior

Knowing that so many people and organizations are still not paying much attention to their cyber security practices, criminal hackers are reaping the rewards of this neglectful behavior and have been known to observe their victims for months before making any malicious moves.

With these things in mind, I have both high hopes and some predictions for password management in 2019.

Password Management in 2019

Employees will be better educated: Password security is everyone’s responsibility

Did you know that 25% of employees use the same password for every enterprise system they access on a regular basis?

More organizations will realize that their password security is only as good as their least tech-savvy employee, and they will make cyber security education part of their on-boarding process. Corporate password protection policies will be improved, and staff members, from C-level to front desk, will be trained to comply. (Surprisingly, C-level execs are just as likely to have risky password habits as junior staff.)

Privileged access management will take off—to the cloud!

The top privileged access management software vendors have invested a lot of effort in developing robust on-premises PAM solutions. But until recently, if you were interested in a cloud service for privileged account and access management, you’d find yourself with a scaled-back, cloud-based version of the on-premises product.

Not anymore. At Thycotic, we recognized the convenience of managing privileged accounts from the cloud, but were also aware that organizations needed much more than just a ‘cloud password manager’. They needed a powerful, full-featured privileged access management solution in a secure cloud environment. So, we created Secret Server Cloud.

Today you can quickly deploy our robust yet easy-to-use PAM solution in the cloud, and I’m confident that a lot more organizations will start reaping the benefits of cloud access and account management.

What does PAM look like in the cloud?

Naturally, I cannot guarantee you’ll get these must-have perks with every cloud-based PAM solution that comes along, but with Thycotic’s Secret Server Cloud:

1.) You’ll deploy instantly. A cloud-based PAM solution has zero hardware or infrastructure requirements.

2.) You’ll configure rapidly. An intuitive wizard-driven setup and UI makes managing privileges simple.

3.) You’ll save time and money. The PAM-as-a-service, cloud-based model means no management overhead. You pay only for the capabilities you need. And you can be protecting your privileged accounts in minutes.

4.) You’ll be operating on a platform that’s highly secure and highly available. Industry-leading privileged access controls combine with the latest in threat management and full redundancy delivered by Microsoft Azure Cloud Services.

5.) You’ll scale automatically. Easily meet fluctuating volume and performance demands, and upgrade when you’re ready.

Small and medium businesses will wake up to enterprise-level password protection

As cyber-attacks increase, more SMBs will realize that what they need is enterprise-level password management software, and they’ll be pleasantly surprised to find that it’s neither as pricey nor as complex as they imagined. So, if your company is still using 1990s password practices, or a consumer-level password manager, you have better options!

SMBs are more likely to cling to the bad password security practices of the past in the mistaken belief that nobody’s interested in their stuff—the rich pickings are over at the big guys, right? Not so. Your $500 is as good as anyone else’s to a ransomware attacker; and what cyber-criminal wouldn’t want access to your business details?

More people will add “things you don’t know” and “things you have” to their password protection arsenal

Logging into accounts using only a familiar password will become a scary relic from the past as more people and organizations add multiple authenticators to their cyber security practices.

An authenticator app on your mobile phone provides you with a second, temporary code (something you don’t know in advance) which expires fast. This method of 2-factor authentication requires you to have your mobile phone in your possession (something you have), which reduces the likelihood of a third party accessing your account.

One-time passwords (OTP) will become the norm as everyone realizes that using the same password month after month is very risky behavior.
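To make the "expires fast" behavior of an authenticator app concrete, here is an added example (not code from the original post or from Thycotic) of the time-based one-time password algorithm such apps implement, RFC 6238 TOTP built on RFC 4226 HOTP, with a verifier that tolerates clock drift, compares in constant time and refuses to accept a code a second time. The secret and expected codes are the published RFC test vectors; the 30-second step and 6-digit length are the common defaults assumed here.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226): the 'something you have'
factor an authenticator app produces. Secret and vectors are RFC test values."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret (ASCII). A real secret is random and
# is provisioned to the app as base32, usually via a QR code.
TEST_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """The counter is the number of 30-second steps since the Unix epoch, so
    the code changes every 30 s with no shared state beyond the secret."""
    return hotp(secret, int(at_time) // step, digits)

def verify_totp(secret: bytes, code: str, at_time: int, last_counter: int = -1,
                step: int = 30, window: int = 1, digits: int = 6):
    """Return the matched counter, or None. Accepts +-window steps for clock
    drift, compares in constant time, and rejects any counter at or below the
    last accepted one so an intercepted code cannot be replayed."""
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None

def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, the value an authenticator app is given."""
    return base64.b32encode(secret).decode()

if __name__ == "__main__":
    now = int(time.time())
    print("app secret:", provisioning_secret(TEST_SECRET))
    print("code now:", totp(TEST_SECRET, now), "valid for",
          30 - now % 30, "more seconds")
```

A server that stores the last accepted counter per user and passes it as `last_counter` gets replay protection for free; without it, a code captured over a shoulder or by phishing stays usable for the rest of its step plus the drift window.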

May next year be your best password security year ever!

As we begin another year of online working, storing data, banking and more, I don’t need a crystal ball to predict that 2019 will come with a generous helping of cyber-attacks and a side of ransomware and phishing scams. My hope is that the publicity generated by these cyber-attacks will result in the adoption of robust password management best practices by many more individuals and organizations.

I know for sure that we’re armed with better security solutions and more knowledge than ever before, and I encourage you to embrace both immediately so that I can wish you a Cyber-Safe New Year with the knowledge that you have the tools to do it!
