Overview of popular solutions
In this article we look at the state of password management in companies, discuss what an ideal corporate password manager should look like, and compare four popular products in this category.
Password security today
Statistics show that the password security situation gets worse every year. Digitalization keeps spreading through our lives and work processes, and both the number of entry points to personal accounts and the number of passwords a person has to invent keep growing: social networks, mail, mobile banking, applications, online stores, and much more.
Since remembering several dozen different passwords, let alone complex ones, is practically impossible, users most often resort to one of two options:
— Simple, memorable passwords. Every year the same trivial choices top the lists of the most common passwords: 123456, qwerty, 111111, password, guest, and so on. Any brute-force or dictionary tool tries exactly these first, so such an account falls within the first minute of an attack.
— One complex password for everything. This is certainly better than weak passwords, but only until that single password is compromised. From that moment it turns from a padlock into a master key: if an attacker breaks into just one service, say a mailbox or a social-network account, then, absent two-factor authentication, every other account protected by the same password is theirs as well (this reuse attack is known as credential stuffing).
How are companies doing?
All of the above applies to private users, but companies are no better off. Back in mid-2020, Rostelecom-Solar experts (whose corporate blog, incidentally, is one of the most-read in the Security hub) reported that about 80% of Russian companies do not follow basic password-protection rules, and that in almost every corporate network they tested, the pentesters were able to obtain administrator privileges.
Compare that with the 2009 (!) report “Analysis of password protection problems in Russian companies” by Dmitry Evteev (Positive Technologies): back then 74% of corporate passwords were rated insecure. The two figures count different things (companies versus passwords), but over the intervening decade the picture has clearly not improved, if anything it has worsened.
At the same time, the consequences of weak passwords in production can be far more serious than for individuals. An individual may lose personal and payment data, which is unpleasant enough. An organization risks not only the data of all its employees but also trade secrets, product developments, and in some cases considerably more.
There are expensive but effective IDM (Identity Management) solutions. But what if there is neither the budget nor the time to implement such products?
In that case the best solution in terms of price and quality is a password manager: a program that stores passwords in encrypted form, like a safe, from which they are retrieved on demand.
For companies, especially once the headcount exceeds a few dozen, a password manager pays off immediately for several reasons:
— Visibility into which employees from which departments have access to which services, and the ability to separate those accesses;
— Bringing every employee up to the same high baseline of password hygiene;
— Simple yet reliable access control when employees are hired and when they leave;
And as a result of all this:
— Reducing the risk of data leaks to a minimum.
At the same time, not every password manager is suitable for corporate use. In my view the ideal candidate looks like this:
— a boxed (on-premises) edition, not only a cloud one, so that passwords can be stored on the company’s own servers;
— open source, so that professionals can audit the code and enthusiasts can extend it;
— fast, secure and reliable.
Basics such as AES-256 encryption of stored data are not worth discussing: today that is a prerequisite, not a feature. On top of that comes a requirement specific to the moment: because of well-known geopolitical events, some vendors have left the Russian market or have become very hard to pay. Ideally, then, the solution should be domestic and, best of all, listed in the register of Russian software.
So which one to choose? We compared four candidates for the role of enterprise password manager and noted their strengths.
Passwork
This password manager was developed primarily for business and IT use, but it is suitable for personal needs as well.
Protected data is stored in virtual safes, which can be either personal or corporate. Safes of the second type are shared for collaborative work within one organization; the administrator is responsible for granting access and setting access levels.
There is, however, one potentially unsafe feature of the architecture: the user with the highest access level (the super-administrator) can read the personal passwords of users with lower privileges.
Passwork comes in two editions, cloud and boxed; the latter is installed on the company’s own servers and works entirely on-premises, without an Internet connection. Browser extensions are available for Google Chrome, Firefox, Microsoft Edge and Safari.
Product website: www.passwork.ru
Bitwarden
A well-established player on the market, Bitwarden is an easy-to-use yet highly functional open source password manager with clients for every platform.
The desktop application is not especially impressive, but the browser extensions and the Android app are very convenient. Besides passwords, Bitwarden stores bank card numbers, personal details and secure notes. The product uses end-to-end encryption.
There is also a feature that checks whether a given password has appeared in a known breach.
The program has a free tier and a premium subscription with advanced features. The business edition adds secure sharing, separation of access levels and user groups, secure file storage, and other useful features.
Product website: www.bitwarden.com
Passbolt
An interesting newcomer from Luxembourg, Passbolt is 100% open source under the AGPL license. It uses asymmetric end-to-end encryption based on OpenPGP, and the private keys stay on the user’s side. The product is regularly security-audited by professionals.
The feature set is standard for a high-quality password manager: strong encryption, transparency, flexible separation of rights and access levels. Passbolt is designed primarily for teams and for use in companies and enterprises.
The product is available on mobile devices and as a browser extension, with passwords synchronized in real time. A full desktop version is currently under development.
Product website: www.passbolt.com
BearPass
A “boxed” open source password manager designed specifically for corporate use. The emphasis is on security: BearPass is installed on the company’s internal servers, and the open code can be reviewed in full and modified if desired.
All passwords are stored centrally and protected with AES-256 encryption. The built-in analytics flags weak and compromised passwords, including via darknet monitoring, without the password itself ever being transmitted in clear text. The audit log shows who performed which action and when.
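Both Bitwarden’s breach check and the BearPass compromised-password monitoring above rely on not sending the candidate password anywhere in the clear. The standard way to do that is a k-anonymity range query, the scheme used by Have I Been Pwned’s Pwned Passwords API: the client hashes the password locally and sends only the first five hex characters of the SHA-1, the server returns every suffix it knows under that prefix, and the client does the final comparison itself. The following Go program is an added example written for this article, not code from either product; the breach corpus and its counts are constructed, and the server is simulated in-process so the example runs offline.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// breachCorpus is a constructed stand-in for a breach database:
// password -> number of leaks it appeared in. The values are illustrative.
var breachCorpus = map[string]int{
	"123456":   3700000,
	"qwerty":   1100000,
	"111111":   480000,
	"password": 920000,
	"guest":    26000,
}

// RangeServer simulates a k-anonymity range endpoint. It indexes breached
// passwords by the first five hex characters of their SHA-1 and records every
// prefix it is asked for, so the example can show what the operator learns.
type RangeServer struct {
	index map[string][]string // prefix -> "SUFFIX:COUNT" lines
	Seen  []string            // every prefix received; all the server ever sees
}

func sha1Hex(s string) string {
	sum := sha1.Sum([]byte(s))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

func NewRangeServer(corpus map[string]int) *RangeServer {
	srv := &RangeServer{index: map[string][]string{}}
	for pw, count := range corpus {
		h := sha1Hex(pw)
		srv.index[h[:5]] = append(srv.index[h[:5]], fmt.Sprintf("%s:%d", h[5:], count))
	}
	return srv
}

// Range answers one prefix query with every matching suffix and its count,
// one per line, in the same text format the real API uses.
func (s *RangeServer) Range(prefix string) string {
	s.Seen = append(s.Seen, prefix)
	return strings.Join(s.index[prefix], "\n")
}

// CheckCompromised is the client side: hash locally, send only the 5-char
// prefix, and look for the remaining 35 characters in the reply. Neither the
// password nor its full hash ever leaves the client.
func CheckCompromised(srv *RangeServer, password string) (int, error) {
	h := sha1Hex(password)
	prefix, suffix := h[:5], h[5:]
	body := srv.Range(prefix)
	if body == "" {
		return 0, nil
	}
	for _, line := range strings.Split(body, "\n") {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			return 0, fmt.Errorf("malformed range line %q", line)
		}
		if parts[0] == suffix {
			return strconv.Atoi(parts[1])
		}
	}
	return 0, nil
}

func main() {
	srv := NewRangeServer(breachCorpus)
	for _, pw := range []string{"password", "qwerty", "Gx7!tripwire-velvet-0293"} {
		n, err := CheckCompromised(srv, pw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-28q seen in breaches: %d\n", pw, n)
	}
	fmt.Println("server only ever received:", srv.Seen)
}
```

With a real corpus each prefix covers hundreds of hashes, so the prefix alone tells the server almost nothing about which password was checked; some services additionally pad responses to a fixed size so that response length leaks nothing either.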
Unlike Passwork, even the administrator who assigns roles in the system has no access to users’ personal passwords. Safes are encrypted on the client with a key derived from the user’s master password, so an attacker who takes full control of the server obtains only ciphertext and is left guessing the master password offline, which is why the strength of that one password still matters.
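To make the client-side design concrete, here is an added example in Go (written for this article, not BearPass’s own code): the master password is stretched with PBKDF2-HMAC-SHA256, the vault is sealed with AES-256-GCM, and only the salt, iteration count, nonce and ciphertext are handed to the server. The iteration count and vault contents are illustrative choices; the KDF parameters are authenticated as associated data, so a server that edits the stored blob gets an authentication failure rather than a silently wrong vault.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// SealedVault is everything the server ever stores: KDF parameters and an
// AES-256-GCM ciphertext. None of it is usable without the master password.
type SealedVault struct {
	Salt       []byte
	Iterations int
	Nonce      []byte
	Ciphertext []byte // GCM output with the 16-byte tag appended
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte block,
// written out so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): index of the first output block
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// header serialises the KDF parameters that are bound to the ciphertext as
// associated data, so a modified salt or iteration count fails authentication.
func (v *SealedVault) header() []byte {
	h := make([]byte, len(v.Salt)+4)
	copy(h, v.Salt)
	binary.BigEndian.PutUint32(h[len(v.Salt):], uint32(v.Iterations))
	return h
}

func gcmFor(masterPassword string, v *SealedVault) (cipher.AEAD, error) {
	if v.Iterations < 1 || len(v.Salt) < 16 {
		return nil, errors.New("refusing weak KDF parameters")
	}
	key := pbkdf2SHA256([]byte(masterPassword), v.Salt, v.Iterations)
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the client: derive the key from the master password and
// encrypt the vault. Only the returned SealedVault is sent to the server.
func Seal(masterPassword string, plaintext []byte, iterations int) (*SealedVault, error) {
	v := &SealedVault{Salt: make([]byte, 16), Iterations: iterations}
	if _, err := rand.Read(v.Salt); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(masterPassword, v)
	if err != nil {
		return nil, err
	}
	v.Nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(v.Nonce); err != nil {
		return nil, err
	}
	v.Ciphertext = gcm.Seal(nil, v.Nonce, plaintext, v.header())
	return v, nil
}

// Open is the client-side inverse. A wrong master password or any tampering
// with the stored blob returns an error, never silently wrong plaintext.
func Open(masterPassword string, v *SealedVault) ([]byte, error) {
	gcm, err := gcmFor(masterPassword, v)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, v.Nonce, v.Ciphertext, v.header())
}

func main() {
	// Constructed vault contents; 600000 iterations is an illustrative work factor.
	vault := []byte(`{"vpn.example.internal":"Sv7!quartz-ladder-4418"}`)
	sealed, err := Seal("long master passphrase", vault, 600000)
	if err != nil {
		panic(err)
	}
	fmt.Println("server stores:", hex.EncodeToString(sealed.Ciphertext)[:32], "...")
	plain, _ := Open("long master passphrase", sealed)
	fmt.Println("client recovers:", string(plain))
	if _, err := Open("long master passphrase?", sealed); err != nil {
		fmt.Println("wrong master password:", err)
	}
	sealed.Ciphertext[0] ^= 1 // a compromised server edits one byte
	if _, err := Open("long master passphrase", sealed); err != nil {
		fmt.Println("tampered blob:", err)
	}
}
```

The practical consequence for an administrator is the one stated above: with this design a server breach exposes ciphertext plus KDF parameters, and the attacker’s only remaining move is an offline guess at each user’s master password, so the work factor and the master-password policy are what bound that risk.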
There is integration with LDAP and SSO, which large organizations expect; that is no surprise, since a modern business password manager is unthinkable without them.
Interestingly, updates remain available even after the license expires (paid features excepted, of course), so the security level can be maintained in any situation.
Another nice touch of this password manager is the auto-fill of login forms through the Chrome extension: since the password is never typed, a keylogger has nothing to capture.
For small teams the product is free.
Product website: www.bearpass.ru
From a security standpoint, the most important property is probably the ability to deploy on-premises. A password manager installed on the company’s internal servers gives full control, independent of external factors. Such an installation is more involved than signing up for a cloud service, but the result is worth it.
The open source nature of the program matters too: it allows the source code to be audited at any time, which provides transparency.
All four options considered are good in their own way. In current Russian realities, the domestic Passwork and BearPass have the most advantages.
Amid geopolitical turbulence, the risk of cyberattacks, phishing included, has grown many times over and will keep growing, so businesses need to attend to their security starting from its foundation: a secure password for every employee.
Which particular product to choose is entirely your decision. But choosing and using one is necessary.