No CSO would be unaware of users' resistance to complex and often arbitrary password-management schemes, but one password-management vendor believes the battle is not yet lost as the slowly-expanding profile of password-management tools gives enterprises large and small the ability to help employees manage a swag of complex online passwords.
Although password-management tools have been around for many years, their relatively small user base has generally been limited to security-savvy individuals and businesses ready to take advantage of high-end password management tools. However, given the growing incidence of high-profile password thefts – and the introduction of mass-market, cross-device password management tools like Apple's iCloud Keychain – the profile of this category of tool is growing steadily.
“Right now the market is still at a fairly immature level,” Bill Carey, vice president of marketing and business development with password-management vendor Siber Systems, recently told CSO Australia. “People are still discovering password managers, although we're definitely seeing it adopted at the corporate and government levels.”
“Enterprises have similar problems as individual consumers have, just on a grander scale,” Carey added. “They're trying to protect all their data with strong passwords, and trying to make their employees remember strong passwords. Password-management tools can be deployed from a centralised location, with a lot of bells and whistles that allow it to be centrally managed as well.”
Using centralised password management, security administrators can issue time-limited credentials that let users log into particular services, or even mask the entire password process behind the interface of tools such as Siber's RoboForm.
“You can have employees clicking on bookmarks but they would never see the actual password for what they're logging into,” Carey explained. “That helps with management when you have to move employees: once you take away RoboForm, the employee never even knows what their password was.”
Such control is becoming increasingly important as enterprises face a growing risk from the systematic theft of passwords, often millions at a time. Such attacks have changed the security landscape in recent years: organisations like Scribd recently warned customers that their passwords were vulnerable, and analyses of nearly 2 million stolen passwords confirmed that users are still happy to protect their access to key business systems with old-standby passwords that are easily guessed in dictionary attacks.
This puts users at great risk of compromise if they don't become more rigorous in their use of password-management tools: Verizon regional vice president John Karabin, for one, recently told CSO Australia that greater use of such tools was “inevitable” as the breach toll continued to climb.
Given the significant number of Internet users that have yet to embrace password-management tools, the industry is still in a land-grab state, Carey said, with vendors like Apple, Google and others working to enhance their environments with password management features that seamlessly flow between desktop and mobile devices.
Such tools, however, tend to be locked into their respective operating-system platforms – creating opportunities for independent, multi-platform third-party developers, as well as the potential for vendors to eventually collaborate on cross-compatibility.
Another key direction for the tools will be the integration of fingerprint-scanning capabilities, allowing the password managers to become repositories for two-factor authentication information.
“Ultimately there are going to be one or two big players that will own the market, and there will be an opportunity to consolidate and have some of the bigger players work together,” Carey said.
“It would be great to work together to make some of these tools interoperable. After all, the whole idea behind all of this stuff is to make everyone's lives easier.”