In this month's debate, Chris Weber, co-founder, Casaba Security, and Geoffrey Vaughan, security consultant, Security Compass, go head to head on the use of password managers in the enterprise.
Chris Weber, co-founder, Casaba Security:
Password managers can be useful in any environment where an individual or team needs to manage a large number of credentials securely. This is particularly true with corporate IT and devops teams, which must be able to share credentials/passwords for things like private keys, deployment scripts and super-accounts. True, there's no such thing as 100 percent security, and vulnerabilities will even be found in password managers, but sometimes these are the most practical or viable option. Password managers have spread beyond the individual use-case scenario and are being embraced more in team settings. While some people may be uncomfortable with team use, there are hardly better options available. If storing passwords through an internet service is too unsettling, users can install standalone desktop versions of trusted password managers instead. However, for those who prefer a cloud-based tool, it's recommended they use one that does not store the master password, but instead offers a more secure zero-knowledge implementation.
Geoffrey Vaughan, security consultant, Security Compass:
Password managers are not foolproof. In some instances, they can expose an organization to new risks. Multiple vulnerabilities have been discovered and, as recently as this summer, researchers found critical security flaws in at least five password managers. Of particular concern is the very nature of the password manager itself – i.e., it creates a central database where all of a person's passwords are stored. Therefore, if this tool is ever compromised, the individual and/or organization will face a substantially worse outcome than if a single password-protected account had been jeopardized.
Before any organization adopts a password manager, it needs to perform an internal configuration review to make sure the app is properly configured for security and, where possible, implement multifactor authentication. Bottom line: Out of the box, not every password manager is safe enough for enterprise use. Any tool that introduces cloud sharing capabilities or cross-browser/device/platform capabilities will introduce additional risk.
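Both positions above turn on the same design question: what does the sync service actually hold? Weber's recommendation is a tool that never stores the master password (a "zero-knowledge" design), and Vaughan's concern is what a breach of the central database exposes. The following added example (editor's illustration, not code from either debater or from any real password manager) sketches that design with the Python standard library only: the client stretches the master password with PBKDF2, splits the result into a vault key that never leaves the client and a separate authentication key, and uploads only an encrypted blob; the hypothetical `ZeroKnowledgeServer` stores the KDF salt, a verifier of the authentication key, and the ciphertext. The iteration counts, the HMAC-based stream cipher (a stand-in for an AEAD such as AES-GCM) and all names and sample values are assumptions for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Assumed parameters for this demo; a real product would tune and document them.
KDF_ITERATIONS = 100_000      # client-side stretching of the master password
VERIFIER_ITERATIONS = 10_000  # server-side re-hash of the auth key before storage


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Client side only. Stretch the master password into a root key and split it
    into two independent keys: vault_key never leaves the client; auth_key is the
    only password-derived value the server ever receives."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS)
    vault_key = hmac.new(root, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(root, b"server-authentication", hashlib.sha256).digest()
    return vault_key, auth_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 used as a PRF (stdlib-only demo).
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate sub-keys (demo construction; a product would
    use an AEAD such as AES-GCM). Layout: nonce(16) | ciphertext | tag(32)."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault integrity check failed: wrong key or tampered blob")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


class ZeroKnowledgeServer:
    """Hypothetical sync service. Its database holds only the KDF salt, a verifier
    of auth_key and the encrypted blob: no master password, no vault key."""

    def __init__(self) -> None:
        self._users: dict[str, dict[str, bytes]] = {}

    def register(self, user: str, salt: bytes, auth_key: bytes, blob: bytes) -> None:
        vsalt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", auth_key, vsalt, VERIFIER_ITERATIONS)
        self._users[user] = {"salt": salt, "vsalt": vsalt, "verifier": verifier, "blob": blob}

    def kdf_salt(self, user: str) -> bytes:
        return self._users[user]["salt"]

    def fetch_vault(self, user: str, auth_key: bytes) -> bytes:
        rec = self._users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", auth_key, rec["vsalt"], VERIFIER_ITERATIONS)
        if not hmac.compare_digest(candidate, rec["verifier"]):
            raise PermissionError("authentication failed")
        return rec["blob"]

    def breach_dump(self, user: str) -> dict[str, bytes]:
        # Everything an attacker who copied the server database would obtain.
        return dict(self._users[user])


def client_store(server: ZeroKnowledgeServer, user: str, master_password: str, entries: dict) -> None:
    salt = secrets.token_bytes(16)
    vault_key, auth_key = derive_keys(master_password, salt)
    server.register(user, salt, auth_key, encrypt_vault(vault_key, json.dumps(entries).encode()))


def client_open(server: ZeroKnowledgeServer, user: str, master_password: str) -> dict:
    vault_key, auth_key = derive_keys(master_password, server.kdf_salt(user))
    return json.loads(decrypt_vault(vault_key, server.fetch_vault(user, auth_key)))


def demo() -> dict:
    """Round trip, wrong password, tampered blob, and what a server breach exposes."""
    server = ZeroKnowledgeServer()
    entries = {"deploy-key": "constructed-sample-secret-1", "prod-admin": "constructed-sample-secret-2"}
    master = "correct horse battery staple"  # constructed sample master password
    client_store(server, "alice", master, entries)
    results = {"roundtrip_ok": client_open(server, "alice", master) == entries}
    try:
        client_open(server, "alice", "wrong master password")
        results["wrong_password_rejected"] = False
    except PermissionError:
        results["wrong_password_rejected"] = True
    dump = server.breach_dump("alice")
    results["plaintext_absent_in_breach"] = all(b"constructed-sample" not in v for v in dump.values())
    results["master_password_absent_in_breach"] = all(master.encode() not in v for v in dump.values())
    blob = dump["blob"]
    tampered = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]  # flip one ciphertext bit
    try:
        decrypt_vault(derive_keys(master, dump["salt"])[0], tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The breach view is the point of the exercise: with this split, a copy of the server database yields salts, a verifier and ciphertext, so the "central database" Vaughan describes becomes an offline guessing target against the KDF rather than a plaintext dump, and the strength of the master password plus the multifactor step he recommends at login are what remain to protect it. A product that instead sends the master password to the server, or stores the vault key beside the blob, cannot make the `master_password_absent_in_breach` check pass.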