What is a password manager?
The most common way to authenticate to a system is by providing a username and password. The problem with passwords is that once one is lost or guessed, it is no longer secret or secure. At NCSC we see a lot of unauthorised access incidents which are caused by issues related to password management. This includes incidents where the passwords were:
- reused in other systems or accounts that had their passwords leaked,
- easy to guess personal information that may be available on the internet or commonly used passwords or patterns,
- set to the default values when the software was originally installed, or
- stored in plaintext documents which were read by an attacker.
Providing your staff with a password manager is the most effective way to enable them to use unique and strong passwords, and to enable better password hygiene. In combination with Multi-Factor Authentication (MFA), this will prevent most of the unauthorised access incidents and reduce the harm of phishing or credential theft.
Password managers:
- encrypt, store and protect all your passwords so no one else can access them,
- allow you to generate passwords made up of a random, unique string of characters,
- keep track of your passwords so you don't have to remember them all – you only have to remember one master password, and
- can be used to store other information securely, like PINs or multi-factor authentication (MFA) recovery codes.
When you set up a password manager, you create a 'master password' to use when you access your safe. Once you have your online account details stored in the password manager, the master password is the only one you must remember. The password manager will do the rest for you.
Choosing a password manager
Long, strong and unique passwords can save your organisation from the common password spray, brute force, and password reuse attacks we see. Choosing and providing a password manager can help your staff keep them secure.
Below are the steps you can follow to roll out and manage password managers in your organisation.
Find a tool that suits your needs
There are many different password managers out there. If you want your team to use one, it must suit their needs and be easy for them to use.
There will also be security features you need to check. The best way to select the right tool is to find a small group of products that have the security features you need and then pick the password manager that has the features your staff need.
Cloud vs local?
One of the first decisions to make is whether to use a cloud-based password manager or host it locally.
Cloud-based options can be more flexible to access from wherever you need, and are easier to set up and maintain. However, they require you to trust the provider, including trusting that it implements multi-factor authentication. Locally hosted options put less trust in external parties but require ongoing maintenance, and they can limit access from external locations, such as staff working remotely.
Security features
The first important feature your password manager needs is strong encryption algorithms and practices.
Encryption algorithms, like software, can have vulnerabilities that allow people to decrypt the data without holding the original key. It is important that the password manager you select uses up-to-date encryption algorithms. Also ensure it uses multiple layers of encryption, so that one weakness does not lead to the compromise of the whole database.
Strong encryption key practices are also important, especially if you are considering cloud-based password managers. Password managers rely on the concept that only the end user can decrypt the database with their master password. If the tool provider maintains their own access or a copy of your master password so they can decrypt the database, this can introduce a lot of risk.
Use this check to exclude any password manager that is not clear or open about how it protects your passwords. To find this information, start by searching for documents or papers that explain the security design of the tool you are assessing.
Other important security features to consider are:
- multi-factor authentication (MFA) for accessing the password database. This is especially important for any end users who are storing sensitive passwords or if the password manager is cloud-based,
- no ability to reset master passwords without MFA. Password reset functions are often abused to bypass authentication, so making sure users cannot reset their master password is the best way to ensure this process cannot be used as a bypass technique,
- how to share secrets with external parties. You may need to share passwords or other secrets with support vendors, and your password manager should help you manage this in a safe and secure way, and
- logging of all activity in the password manager. Having logs of who accessed what passwords, and when, is particularly important if you have any shared passwords. You’re also likely to want to log authentication, both successful and unsuccessful, to assist detecting account compromise.
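The logging described above is only useful if someone looks at it. The following added example (not NCSC's code, and not from any particular product) runs two detections over a constructed audit log in an assumed one-line-per-event format: a burst of failed unlocks against one user, and a user rapidly viewing items from shared vaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample audit log (not from any real product). Assumed layout:
# <timestamp> <event> user=<u> ip=<a> [vault=<v> item=<i>]
SAMPLE_LOG = """\
2024-05-01T09:00:01Z unlock_failed user=alice ip=203.0.113.5
2024-05-01T09:00:07Z unlock_failed user=alice ip=203.0.113.5
2024-05-01T09:00:12Z unlock_failed user=alice ip=203.0.113.5
2024-05-01T09:00:20Z unlock_failed user=alice ip=203.0.113.5
2024-05-01T09:00:25Z unlock_failed user=alice ip=203.0.113.5
2024-05-01T09:00:31Z unlock_success user=alice ip=203.0.113.5
2024-05-01T09:01:02Z view_password user=alice ip=203.0.113.5 vault=shared-social item=twitter
2024-05-01T09:01:05Z view_password user=alice ip=203.0.113.5 vault=shared-social item=facebook
2024-05-01T09:01:09Z view_password user=alice ip=203.0.113.5 vault=shared-svc item=svc-backup
2024-05-01T10:20:00Z view_password user=bob ip=198.51.100.7 vault=personal item=hr-portal
"""
LINE = re.compile(r"^(\S+) (\S+) user=(\S+) ip=(\S+)(?: vault=(\S+) item=(\S+))?$")

def parse(log):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, event, user, ip, vault, item = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event,
                           "user": user, "ip": ip, "vault": vault, "item": item})
    return events

def bursts(events, event_name, threshold, window, match=lambda e: True):
    """{user: count} for users with >= threshold matching events inside a sliding
    time window; events must be in time order, as an audit log normally is."""
    seen, flagged = defaultdict(list), {}
    for e in events:
        if e["event"] != event_name or not match(e):
            continue
        seen[e["user"]].append(e["ts"])
        recent = [t for t in seen[e["user"]] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            flagged[e["user"]] = max(flagged.get(e["user"], 0), len(recent))
    return flagged

def detect(log):
    """Failed-unlock bursts suggest master password guessing; rapid views of
    shared-vault items suggest credential harvesting after a compromise."""
    events = parse(log)
    shared = lambda e: (e["vault"] or "").startswith("shared-")
    return {"unlock_guessing": bursts(events, "unlock_failed", 5, timedelta(minutes=5)),
            "shared_vault_sweep": bursts(events, "view_password", 3, timedelta(minutes=2), shared)}
```

The thresholds and windows are illustrative; tune them to your own unlock failure rates and how many shared items a legitimate user touches in a session.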
End user features
Once you have picked the security features that are important to your organisation and have used those to shortlist tools that fit that profile, you can consider other end user features. These features can increase the security risk (the "attack surface") of the tool, but they also allow your users to use the password manager without friction.
Common end-user features that are considered include:
- desktop software, browser plugins, and mobile apps. Accessing your password manager through different channels increases the risk that one of those channels has a security weakness or vulnerability. However, these channels may be what lets your team access their passwords when and where they need them. Consider whether your team often uses laptop software, mobile apps, or their browser for accessing web apps. This can help you determine whether a tool with multiple channels is worth the trade-off with the security risk,
- shared vaults and passwords. There will be passwords your teams will need to share, like passwords to service accounts or social media accounts that only allow one user. Shared passwords also come with security risks, and you will want to make sure they are only shared with the people who need access to them. You should have features that allow you to see every time a user views or copies a password to allow for limited traceability,
- password generators. Most password managers have inbuilt functionality to generate passwords or passphrases, which can be configured with minimum and maximum lengths. This makes it easier for your users to create strong passwords.
Once you have the security and end user features you need, you can start trialling different tools to see what might work best.
Some internet browsers have built-in password managers that can store credentials for online accounts and services. These are commonly used by individuals; however, they are unlikely to be fit for purpose for an organisation, as in-browser password managers only store credentials for accounts and services that are logged into via the internet browser.
Once you have tested and confirmed the best option for your organisation, it’s time to start rolling it out.
How to roll out a password manager
Once you’ve chosen a password manager for your organisation, you need to have a clear communications strategy to explain the benefits of this tool, so your people understand its use.
Configure policies and develop guides
Once you have decided on a tool, you will need to set clear policies and configure the tool to support these.
Common configuration options to look at
Each password manager will have different configuration options you can utilise. You will want to set these up before you roll out to users to make sure the first experience your staff have is positive and consistent.
There are a few configurations you may need to think about.
- When is multi-factor authentication required? For logging into the tool or accessing specific password groups or vaults.
- Password policy for the master password. This will be the password that unlocks the user’s password database, so it’s important that it’s long, strong, and unique.
- Standard password policy for any auto-generated passwords. This will make sure each password that is auto-generated for the users is long and strong too.
- Single sign-on (SSO) integration. You may want to allow users to log in using their organisation credentials, or even SSO so they don't need to enter a username and password. This is not recommended for administrative accounts.
- Requiring an up-to-date app or software. The tool can check that the current version of the software, app, or browser is being used before allowing users to unlock the database.
- User event and audit logging. This could track any successful and failed attempts, access to vaults, viewing of passwords, and any sharing of passwords or vaults.
- Firewall and access control rules. These would block attempts to access the tool from specific IP addresses, locations, or sources.
- Organisation-specific groups and vaults. These would allow your users to store passwords they can share with others, for accounts that have only one set of credentials.
- Password breach notifications. This would notify you if a system or website your team uses recently had a password breach, which means they may want to reset their passwords. This can also prevent people from using passwords that have been in previous breaches.
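Two of the options above, a standard policy for auto-generated passwords and rejecting passwords seen in previous breaches, can be combined in a generator. The following is an added example, not NCSC's code and not any product's implementation; the policy values and the three "breached" passwords are constructed for the demo, and the lookup mirrors the k-anonymity range style (5-character SHA-1 prefix) used by public breach-check services.

```python
import hashlib
import secrets
import string

# Policy for auto-generated passwords (assumed values, not from the guidance):
# length bounds plus at least one character from each class.
POLICY = {"min_length": 20, "max_length": 64,
          "classes": (string.ascii_lowercase, string.ascii_uppercase,
                      string.digits, string.punctuation)}

# Constructed stand-in for a breached-password dataset (not real breach data),
# indexed the way a k-anonymity range lookup works: the first 5 hex characters
# of the SHA-1 digest select a bucket, and only the suffixes are compared.
BREACH_RANGES = {}
for _pw in ("password123", "Summer2024!", "letmein"):
    _digest = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACH_RANGES.setdefault(_digest[:5], set()).add(_digest[5:])

def is_breached(password, ranges=BREACH_RANGES):
    """True if the password's SHA-1 suffix appears in its 5-char prefix bucket.
    Only the prefix would ever leave the client in a real range lookup."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in ranges.get(digest[:5], set())

def meets_policy(password, policy=POLICY):
    """Length within bounds and every character class represented."""
    if not policy["min_length"] <= len(password) <= policy["max_length"]:
        return False
    return all(any(c in cls for c in password) for cls in policy["classes"])

def generate_password(length=24, policy=POLICY, attempts=100):
    """Draw from a CSPRNG (secrets), then reject candidates that miss the policy
    or match a known-breached password; retry rather than patch the string."""
    if not policy["min_length"] <= length <= policy["max_length"]:
        raise ValueError("requested length is outside the policy bounds")
    alphabet = "".join(policy["classes"])
    for _ in range(attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, policy) and not is_breached(candidate):
            return candidate
    raise RuntimeError("no compliant password found; loosen policy or raise attempts")
```

Rejecting and redrawing, rather than forcing a missing class into a fixed position, keeps the output uniformly random over the compliant set.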
Guidelines and support
You will need to have guides and information to support your team in understanding how they can use the tool depending on the configurations you have set. It is important to make the documentation in a format and language that is right for the audience, and sometimes this means making multiple documents that all have the same key messages.
A good way to make these guides is to introduce the tool to a pilot user group first. Ask for their feedback on what documentation might be helpful for people like them.
A lot of staff might use their work devices for some limited personal use. This means they may be prompted to store personal credentials in their work password manager. Be clear in your guides on how people can use the password manager tool for both work and personal use. If you don't allow them to use it for both, many password manager tools provide free personal versions, which could be a good middle ground.
Enrol your users
The next step in the roll-out of a password manager is to enrol the users. If you have a large organisation, doing a small pilot test may help you work out any problems in the process, configurations, or guides before you roll it out wider.
Your goal should be to onboard everyone in the organisation who has online accounts or devices. Rolling it out team-by-team is a way to improve the uptake.
You could work with each team and make sure they:
- download the right app or software, create an account under your organisation and set their master password,
- add the passwords for their key accounts. If any passwords are flagged as weak, they generate new ones and save those,
- add other measures, such as:
  - multi-factor authentication backup codes,
  - knowledge-based question answers (which can also be auto-generated like a password), or
  - physical codes, such as door PIN codes, and
- know where to find the guides and get help if they have a problem.
Ongoing support and monitoring
Make sure your staff onboarding includes setting up the password manager. You should provide ongoing support to ensure your staff understand how to use the password manager and they are not falling into old habits of storing passwords in plaintext files.
How to measure success
A successful password manager control will look very similar across organisations, although the tools used may vary. The goals for your organisation are:
- there is a password manager tool that is approved to be used within your organisation and provided to all staff,
- this tool is known, and all staff are encouraged to use it, with widespread adoption,
- your organisation can control user access to the tool so you can invite staff and set organisation-wide policies,
- policies are set to auto-generate long and unique passwords,
- there are guides and support for all staff to know how to set a master password and how to use the password manager tool,
- logging is configured for any stored passwords that are shared (and can’t be unique), such as organisation social media accounts, and
- the approved password tool enforces MFA.
Key takeaways
- Weak or reused passwords remain a common cause of incidents. If your staff aren’t using strong, unique passwords on all systems, it might be because they don’t have the right tools. A password manager is one of the few tools that can help your teams create unique passwords easily. It is a low-cost tool that can have a high impact and value when implemented well.
- Widespread use of a password manager requires buy-in from everyone. A tool that is too difficult to use will not be adopted by your staff. You will need to balance the end user needs with the security features most important to your organisation. You should trial a few password managers with a group of users to see what they are confident in navigating and using before enforcing one tool for everyone. If you pick one without making sure your users are confident in using it, you might find it won’t be used at all.