Password Manager? They all have massive weaknesses anyway. Can they be used in a corporate context at all? What should the CIO look out for?

First of all, we consider password managers an indispensable tool for companies that want to secure and manage passwords effectively. The BSI sees it the same way and, as it often does, has compiled excellent information on the subject. As a CIO, you face the challenge of choosing the right password manager for your company, because the range of manufacturers is enormous: from open-source solutions to highly integrated systems that also offer advanced features such as privileged access management. In this article, we cover the content points you should look for when choosing a password manager, as well as important requirements and technical differentiators. In addition, we take a look at the manufacturer side of the market.

Security

Security is unsurprisingly at the top of the list when choosing a password manager. Consider the following points:

  • Encryption: the password manager should use strong encryption to store and transmit passwords securely. Best practice is end-to-end encryption: the vault is encrypted on the user’s device with a key derived from the master password, and neither the key nor the master password ever reaches the server (“zero knowledge”), so the provider cannot decrypt the vault even if its servers are breached. The symmetric cipher itself is rarely the differentiator: AES-256 (AES is specified with 128-, 192- and 256-bit keys) is the de facto standard, Blowfish and its successor Twofish appear in older products, and RSA, being an asymmetric algorithm, is used for exchanging keys (for example when sharing items) rather than for encrypting the vault itself. What separates products is what surrounds the cipher: a random per-user salt, a deliberately slow key derivation function (PBKDF2 with a high iteration count, or a memory-hard KDF such as Argon2 or scrypt) so that offline guessing of the master password is expensive, and authenticated encryption so that tampering with a vault is detected. Ask the manufacturer for these parameters explicitly; a product catalog that only says “AES-256” has not answered the question.
  • Multi-factor authentication: a good password manager should offer the option of protecting access to the vault with multi-factor authentication (authenticator app, hardware security key, or the platform’s own authenticator). This adds a layer of protection against stolen master passwords. Be aware of what it does and does not cover: in most cloud products the second factor guards the login to the sync service, while a vault file obtained offline (from a backup, a stolen device or a breached server) is protected only by the master password and the key derivation function.
  • Dealing with the master password: there are solutions that do not require a master password at all, for example by relying on the built-in security of a smartphone (including Face ID or Touch ID) or on a hardware key such as a YubiKey. Whatever the model, check the recovery path: how does a user who loses the device or the key, or forgets the master password, regain access, and who in the company is able to trigger that recovery?
  • Audit and monitoring functions: the password manager should provide audit logs and monitoring functions, ideally with an export to your SIEM. This allows suspicious activity (mass reads of vault items, exports, logins from unfamiliar locations, bursts of failed logins) to be detected and weaknesses in how the tool is used to be identified. This is a typical enterprise feature, as private users usually have no SOC watching over secure operation.
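As an added example (not code from this article or from any of the products mentioned in it), here is a minimal model of the “encrypted on the device, key derived from the master password” design described in the encryption bullet, and of why the key derivation parameters matter. It assumes PBKDF2-HMAC-SHA256 with a random per-user salt as the KDF, and a second, separately derived “auth hash” that is the only thing the server stores, so the server can check a login but cannot recover the vault key. The iteration counts, the password and the wordlist are illustrative assumptions; real products differ in their exact construction (several use Argon2id). It runs with the Python standard library only.

```python
"""Added example: master-password key derivation and the zero-knowledge split
between client and server. Constructed for this article; not the code of any
product mentioned in it. The PBKDF2 parameters, the auth-hash construction,
the password and the wordlist are illustrative assumptions."""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

STRONG_ITERATIONS = 600_000   # order of magnitude used by current products (assumption)
WEAK_ITERATIONS = 1_000       # legacy-level setting: cheap for an offline attacker


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Client side: turn the master password into the 32-byte vault key.
    This key encrypts the vault and never leaves the user's device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more one-way step over the vault key. This value is
    what the client sends at login and what the server stores; it lets the
    server check a login without being able to recover the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=32)


def client_login_proof(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Client side: what goes over the wire at login (never the password)."""
    return derive_auth_hash(derive_vault_key(master_password, salt, iterations),
                            master_password)


def enrol(master_password: str, iterations: int = STRONG_ITERATIONS) -> dict:
    """Server-side record created at sign-up: salt, KDF cost and auth hash.
    It contains neither the master password nor the vault key."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "auth_hash": client_login_proof(master_password, salt, iterations)}


def server_verify_login(record: dict, proof: bytes) -> bool:
    """Server side: constant-time comparison against the stored auth hash."""
    return hmac.compare_digest(record["auth_hash"], proof)


def offline_guess(record: dict, candidates: Iterable[str]) -> Optional[str]:
    """Model an attacker holding a stolen server record (or an encrypted vault):
    every candidate costs a full KDF run, so the iteration count is the price
    of each guess. Returns the recovered master password, or None."""
    for candidate in candidates:
        proof = client_login_proof(candidate, record["salt"], record["iterations"])
        if server_verify_login(record, proof):
            return candidate
    return None


def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Rough single-core guess rate for the given KDF cost on this machine."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess-{i}", salt, iterations)
    return samples / max(time.perf_counter() - start, 1e-9)


if __name__ == "__main__":
    record = enrol("Winter2023!", iterations=WEAK_ITERATIONS)  # constructed weak setup
    proof = client_login_proof("Winter2023!", record["salt"], record["iterations"])
    print("login ok:", server_verify_login(record, proof))
    print("recovered by wordlist:", offline_guess(record, ["password", "Winter2023!", "letmein"]))
    for n in (WEAK_ITERATIONS, STRONG_ITERATIONS):
        print(f"{n:>8} iterations: ~{guesses_per_second(n):,.0f} guesses/s on one core")
```

The point to take from `offline_guess` and `guesses_per_second` is that whoever obtains the server record or the encrypted vault pays one full KDF run per guess, so the iteration count (or the Argon2 memory cost) is a setting to ask the manufacturer about, not a detail to take on faith.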
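As an added example of what the audit and monitoring bullet means in practice, here is detection logic run over a constructed audit log. It is not the log format or code of any product in this article (every product has its own export), and the users, IP addresses and rule thresholds are assumptions to be tuned to your environment. It flags the patterns a SOC typically wants to see from a password manager: a burst of failed logins, a successful login right after such a burst, a login from an address not in the user’s known set, mass reads of vault items within a short window, and exports.

```python
"""Added example: SOC-style detections over a password manager audit log.
The JSON-lines format, users, IPs, thresholds and the log itself are
constructed for this article; they are not any product's real export."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed baseline: the IP addresses each user has logged in from before.
KNOWN_IPS = {"alice": {"10.1.2.3"}, "bob": {"10.1.2.4"}, "mallory": {"10.1.2.5"}}


def _line(ts: datetime, user: str, event: str, **extra) -> str:
    return json.dumps({"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "event": event, **extra})


def build_sample_log() -> str:
    """Constructed audit log: alice behaves normally, bob reads 25 items in a
    few minutes and then exports, mallory fails to log in six times and then
    succeeds from an address never seen before."""
    t0 = datetime(2023, 7, 3, 8, 0, 0)
    t = lambda s: t0 + timedelta(seconds=s)
    lines = [_line(t(0), "alice", "login", ip="10.1.2.3", result="ok"),
             _line(t(30), "alice", "item_read", item="vpn-gateway"),
             _line(t(90), "alice", "item_read", item="jira-admin"),
             _line(t(100), "bob", "login", ip="10.1.2.4", result="ok")]
    lines += [_line(t(120 + 5 * i), "bob", "item_read", item=f"srv-{i:02d}") for i in range(25)]
    lines.append(_line(t(300), "bob", "export", format="csv"))
    lines += [_line(t(400 + 10 * i), "mallory", "login", ip="203.0.113.9", result="fail") for i in range(6)]
    lines.append(_line(t(470), "mallory", "login", ip="203.0.113.9", result="ok"))
    return "\n".join(lines)


def parse(log_text: str) -> list:
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for raw in log_text.splitlines():
        if raw.strip():
            e = json.loads(raw)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def _prune(window: deque, now: datetime, span: timedelta) -> None:
    """Drop timestamps that fell out of the sliding window."""
    while window and now - window[0] > span:
        window.popleft()


def detect(log_text: str, known_ips: dict, read_threshold: int = 20,
           read_window: timedelta = timedelta(minutes=5), fail_threshold: int = 5,
           fail_window: timedelta = timedelta(minutes=10)) -> list:
    """Run the rules over the log. 'mass_read' and 'failed_login_burst' fire
    once per user; 'export', 'new_ip' and 'success_after_failures' are
    reported for every occurrence."""
    findings, fired = [], set()
    reads, fails = defaultdict(deque), defaultdict(deque)

    def report(rule, e, **extra):
        findings.append({"rule": rule, "user": e["user"], "ts": e["ts"], **extra})

    for e in parse(log_text):
        user, now = e["user"], e["ts"]
        if e["event"] == "item_read":
            reads[user].append(now)
            _prune(reads[user], now, read_window)
            if len(reads[user]) >= read_threshold and ("mass_read", user) not in fired:
                fired.add(("mass_read", user))
                report("mass_read", e, count=len(reads[user]))
        elif e["event"] == "export":
            report("export", e, format=e.get("format"))
        elif e["event"] == "login" and e.get("result") != "ok":
            fails[user].append(now)
            _prune(fails[user], now, fail_window)
            if len(fails[user]) >= fail_threshold and ("failed_login_burst", user) not in fired:
                fired.add(("failed_login_burst", user))
                report("failed_login_burst", e, count=len(fails[user]))
        elif e["event"] == "login":
            if e.get("ip") not in known_ips.get(user, set()):
                report("new_ip", e, ip=e.get("ip"))
            _prune(fails[user], now, fail_window)
            if len(fails[user]) >= fail_threshold:
                report("success_after_failures", e, failures=len(fails[user]))
            fails[user].clear()
    return findings


if __name__ == "__main__":
    for f in detect(build_sample_log(), KNOWN_IPS):
        extra = {k: v for k, v in f.items() if k not in ("ts", "rule", "user")}
        print(f["ts"].isoformat(), f["rule"], f["user"], extra)
```

When evaluating a product, ask for a sample of its real audit export and check that it contains at least these event types with user, timestamp and source address; a log that records only logins, but not item reads or exports, cannot support the second half of these rules.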

Usability

Usability plays a crucial role, as it determines whether users accept the password manager and use it efficiently. Pay attention to the following aspects, and use demos or PoCs rather than relying on slides alone:

  • Ease of integration: the password manager should integrate seamlessly with the existing IT infrastructure and be compatible with the operating systems, browsers and applications in use.
  • Intuitive user interface: a user-friendly interface allows easy access to stored passwords, adding new accounts and sharing passwords with other authorized users. A comprehensive search function also makes day-to-day use easier.
  • Auto-fill of credentials: the password manager should be able to insert credentials into web forms automatically, saving users time and effort, ideally via drag and drop, copy to clipboard and auto-type. Two details are worth checking in the PoC: browser auto-fill should only offer a credential when the page’s domain matches the stored entry (this is what turns a password manager into a phishing defence), and anything copied to the clipboard should be cleared automatically after a short timeout.

Scalability

When selecting a password manager, scalability is critical. Make sure that the password manager can handle the growth of the business and the increasing number of users and accounts. It should be flexible and allow easy management of user accounts, ideally by provisioning users and groups from your directory rather than by hand. Scalability is, of course, also a relevant issue when it comes to the price…

Support and maintenance

Reliable support and regular maintenance are important to fix problems quickly and keep the software up to date. Make sure that the password manager receives regular updates and patches and that good customer support is available.

Dealing with vulnerabilities (CVE)

You know the phrase that there is no such thing as bug-free software, and you can see the proof in your smartphone’s update cycle. Unfortunately, this applies to security-critical password managers as well. There have been some “famous” incidents in recent years. Currently (in the summer of 2023), the BSI is warning about vulnerabilities in the KeePassXC product. At the end of 2022, there was a high-profile incident with the popular product LastPass.
You can invest a lot of time in the selection; it will not guarantee that your product stays free of a relevant vulnerability in the near future. What we consider important, however, is how the manufacturer deals with vulnerabilities: is there a published security contact and disclosure policy, are advisories issued with CVE identifiers, how quickly are fixes shipped after a report, and are independent security audits published? Look at the total number of vulnerabilities too, but read it with care: a long CVE list can also mean a mature product that many people audit, while an empty one may simply mean nobody has looked. On websites like the National Vulnerability Database (from NIST) https://nvd.nist.gov/ or https://www.cvedetails.com/ you can get a list of current and past vulnerabilities for the products.

Other technical differentiators

  • Cloud-based solutions: some password managers store the (encrypted) vaults in the manufacturer’s cloud, which allows easy access and synchronisation across devices. Whether this is a security gain or a risk depends entirely on the encryption model: with true end-to-end encryption the provider holds only ciphertext, but its servers are still a very attractive target, so the quality of the key derivation and of the manufacturer’s own security matters. Self-hosted or on-premises deployment is the alternative for companies that do not want their vaults on third-party infrastructure.
  • Integration with Single Sign-On (SSO): password managers that integrate with your identity provider make the login process easier and more consistent for users. Check how the integration works cryptographically: SSO should unlock access to the vault without giving the identity provider (or the manufacturer) a key that can decrypt it.
  • Password strength analysis: some password managers assess the strength of stored passwords, flag weak or reused ones, and give users (and administrators, in aggregate) a basis for corrective action.
  • Supported operating systems: Windows is usually covered, but what about the “niche” operating systems and devices that are relevant to you (macOS, Linux, mobile platforms)?

Manufacturer and prices

As is often the case, and especially in the context of CyberCompare, the question of the best manufacturer arises. There are large and well-known providers like 1Password, KeePass, LastPass or Bitwarden, which offer extensive features and a high level of integration.
However, there is a lot happening in the provider market: young and convincing start-ups are emerging and do not perform worse in a direct one-to-one comparison of the important criteria.
The following is an overview of important manufacturers with the corresponding ratings on the relevant and well-regarded portals of our colleagues at Gartner, G2 and Capterra. In some cases, there are overlaps with so-called PAM tools (Privileged Access Management):

Before we come to the conclusion, two more sentences about the commercial framework: if you are planning to use the tool for only a few users, e.g. admins, you can usually simply read the list prices on the manufacturers’ websites. Whether you pay 1,000, 2,500 or 3,000 EUR p.a. for 30 admins is certainly not worth extensive negotiation; concentrate on security, usability and two or three differentiating features.
From around 100 potential users, however, individual inquiries with the manufacturer or a partner are worthwhile. You will receive project prices, which you should then compare with competitors in the market, all the more carefully the higher the price.

Conclusion

In summary, the selection of a password manager requires a careful examination of various content-related points. Security, ease of use, scalability as well as technical differentiators are crucial criteria in the selection process. A thorough comparison of different vendors and consideration of your company’s individual requirements will help you find the right password manager that meets your needs while ensuring the security of your passwords. That’s where CyberCompare comes in, because that’s exactly what we do every day. This isn’t the first time we’ve done this, and we can give you personalized advice and make sure you’re buying a good solution at a good price. Just contact us at cybercompare@de.bosch.com

Please remember: this article is based on our knowledge at the time it was written, but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts, and we welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.