Are password managers safe for enterprise use?
Password managers have benefits, but they are also subject to attacks that can put organizations at substantial risk. So, are they safe?
As the number of applications and software products used continues to rise, so does the number of usernames and passwords required to access these services. At the same time, attackers are employing more sophisticated methods to gain entry into users' accounts. As a result, organizations and sites are ratcheting up their authentication requirements, frustrating users who are forced to create even more complex passwords.
Password managers are one way to bypass this arms race of password creation and cracking. The idea is to have a single application that manages all a user's passwords. The end user then only has to remember a single password to rule them all.
Let's take a look at password managers, their risks and if password managers are the safe choice for your organization.
The risks of password managers
The benefit of password managers is they consolidate passwords into a single point of entry through which users manage access to their accounts. The downside is they consolidate that risk into a single point of failure.
For organizations, the value proposition of a password manager is that a vendor dedicated to protecting credentials has better security than the in-house operational security team, which could be you or your organization. By that reasoning, a user's password is safer with a password manager built specifically to protect that data.
That isn't always the case.
Past attacks on password managers
Password managers have been the target of many sophisticated -- and not so sophisticated -- attacks over the last few years. The following are some of the most recent:
- In August 2022, LastPass detected unauthorized access to its development environment, leading to the theft of source code and technical information. Subsequently, in December 2022, attackers accessed customer data, including encrypted password vaults. The security of these vaults depended on the strength of users' master passwords. In March 2023, LastPass confirmed that attackers had stolen password vault data by compromising an employee's home computer via a vulnerability in third-party software and then installing a keylogger to obtain the master password.
- In January 2023, Norton LifeLock warned customers of a credential-stuffing attack targeting Norton Password Manager accounts. Attackers used previously compromised credentials to access user accounts, potentially exposing stored passwords.
- In November 2024, Okta disclosed a vulnerability that allowed users to bypass password verification for usernames exceeding 52 characters under specific conditions. The flaw, present since July 2024, was rectified by switching from the Bcrypt algorithm to Password-Based Key Derivation Function 2 (PBKDF2).
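The credential-stuffing incident above is the kind of attack an organization can detect in its own authentication logs: one source cycling through many accounts with mostly failures, and the occasional success that marks a reused password. The following detector is an added example written for this article, not code from Norton, LastPass, Okta or any other vendor; the log line format, the thresholds and the sample lines are constructed here.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example for this article. The log format, the thresholds and the
sample lines below are constructed; they are not from any product the
article names."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.7 tries seven different accounts in seconds,
# mostly failing (a leaked credential list being replayed), and gets one hit.
# 198.51.100.20 is a legitimate user who mistypes once, then logs in.
SAMPLE_LOG = """\
2023-01-12T03:14:05Z ip=203.0.113.7 user=alice result=FAIL
2023-01-12T03:14:06Z ip=203.0.113.7 user=bob result=FAIL
2023-01-12T03:14:07Z ip=203.0.113.7 user=carol result=OK
2023-01-12T03:14:08Z ip=203.0.113.7 user=dave result=FAIL
2023-01-12T03:14:09Z ip=203.0.113.7 user=erin result=FAIL
2023-01-12T03:14:10Z ip=203.0.113.7 user=frank result=FAIL
2023-01-12T03:14:11Z ip=203.0.113.7 user=grace result=FAIL
2023-01-12T09:02:30Z ip=198.51.100.20 user=heidi result=FAIL
2023-01-12T09:02:41Z ip=198.51.100.20 user=heidi result=OK
2023-01-12T10:15:00Z ip=198.51.100.21 user=ivan result=OK
"""


def parse(lines):
    """Yield (timestamp, ip, user, success) tuples; lines that don't match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["user"], m["result"] == "OK"


def find_stuffing_sources(lines, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, attempts, failures)} for source addresses
    that attempt at least `min_users` distinct accounts inside `window` with a
    failure ratio of at least `min_fail_ratio`. The stats reported are those of
    the qualifying window with the most distinct accounts."""
    events = sorted(parse(lines), key=lambda e: e[0])
    per_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        per_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in per_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            qualifies = len(users) >= min_users and fails / len(chunk) >= min_fail_ratio
            if qualifies and (best is None or len(users) > best[0]):
                best = (len(users), len(chunk), fails)
        if best:
            flagged[ip] = best
    return flagged


def compromised_accounts(lines, flagged):
    """Accounts that logged in successfully from a flagged source: candidates for
    a forced password reset and session revocation."""
    return sorted({u for _, ip, u, ok in parse(lines) if ok and ip in flagged})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    hits = find_stuffing_sources(lines)
    print("flagged sources:", hits)
    print("accounts to reset:", compromised_accounts(lines, hits))
```

The distinct-account count is the signal that separates stuffing from an ordinary user retrying a forgotten password, which is why the legitimate 198.51.100.20 entries are not flagged despite a failure. A successful login from a flagged source is treated as a compromise, not a false positive: the attacker presented a valid reused password, so that account needs a reset regardless of how the rest of the run went.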
So, are password managers safe?
Given the success of these attacks, should organizations use password managers? As the examples above illustrate, they are vulnerable to attacks. On the other hand, asking users to manage passwords in their heads is also risky.
If your organization opts to use a password manager, carefully evaluate real use cases, and discuss how a breach could affect sensitive data. Most experts agree that password managers are indeed safe but not impenetrable. Be sure to assess vendors and products carefully, and only choose an enterprise-grade option. Look for advanced encryption, multifactor authentication (MFA) and other emerging features, such as behavior analysis.
If your organization feels password managers aren't worth the risk, consider NIST's Special Publication 800-63B-4. It recommends doing away with password composition rules, such as requiring special characters, numbers or uppercase letters. NIST also suggests companies eliminate the requirement that passwords must be renewed on a set schedule and only reset passwords if they have been breached.
These pointers, if adopted, de-escalate the password creation side of the arms race. Now, that doesn't mean users are off the hook. Looking at the science of creating strong passwords, length eclipses complexity quickly. It is better to have a long, simple password than a short, complex one. Therefore, it makes sense to implement passphrases that are easy to remember. Think "how now brown cow" or "the squirrel stockpiles acorns."
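The claim that length eclipses complexity can be checked with arithmetic on the search space an attacker must cover, and the same arithmetic explains why the LastPass vault theft came down to master-password strength. The script below is an added example written for this article, not a tool from any vendor it names; the guess rate and the PBKDF2 iteration count are assumed, illustrative figures, and the entropy values assume characters or words chosen uniformly at random.

```python
"""Estimate how password length and complexity translate into offline
guessing cost.

Added example for this article. FAST_HASH_GUESSES_PER_SEC and
ASSUMED_PBKDF2_ITERATIONS are assumed round numbers for illustration,
not measurements of any product."""
import math

# Assumed offline guess rate against a fast, unsalted hash on a GPU rig.
FAST_HASH_GUESSES_PER_SEC = 1e10

# Assumed PBKDF2 iteration count for a vault; each guess then costs roughly
# this many hash computations instead of one.
ASSUMED_PBKDF2_ITERATIONS = 600_000


def charset_size(lower=True, upper=False, digits=False, symbols=False):
    """Alphabet size for a character-class policy (33 printable ASCII symbols)."""
    return 26 * lower + 26 * upper + 10 * digits + 33 * symbols


def password_bits(length, alphabet):
    """Entropy of a password of `length` characters chosen uniformly from `alphabet`."""
    return length * math.log2(alphabet)


def passphrase_bits(words, dictionary):
    """Entropy of a passphrase of `words` words chosen uniformly from a list of `dictionary` words."""
    return words * math.log2(dictionary)


def expected_seconds(bits, guesses_per_sec=FAST_HASH_GUESSES_PER_SEC, kdf_iterations=1):
    """Expected time to guess a secret of `bits` entropy: on average half the
    space is searched, and a KDF slows every guess by `kdf_iterations`."""
    return (2 ** bits / 2) * kdf_iterations / guesses_per_sec


def compare_policies():
    """Entropy in bits for the kinds of policies the article contrasts."""
    full = charset_size(lower=True, upper=True, digits=True, symbols=True)
    return {
        "8 chars, all classes": password_bits(8, full),
        "12 chars, all classes": password_bits(12, full),
        "20 chars, lowercase only": password_bits(20, charset_size()),
        "4 random words (7776-word list)": passphrase_bits(4, 7776),
        "6 random words (7776-word list)": passphrase_bits(6, 7776),
    }


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        plain = expected_seconds(bits)
        vault = expected_seconds(bits, kdf_iterations=ASSUMED_PBKDF2_ITERATIONS)
        print(f"{name:32s} {bits:6.1f} bits  fast hash: {plain / 86400:14.1f} days"
              f"  PBKDF2 vault: {vault / 86400 / 365:14.1f} years")
```

Twenty lowercase characters come out near 94 bits against about 53 for eight characters drawn from every class, which is the length-over-complexity point in numbers. Two caveats a practitioner should keep in view: a four-word phrase such as "how now brown cow" is worth about 52 bits only if the words were picked at random from a list of that size, and a phrase a person composes is weaker than its word count suggests; and the KDF column shows that a high iteration count multiplies the attacker's cost by a constant, so it buys time for a strong master password but does not rescue a weak one.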
Ushering in less complex -- and more usable -- passwords might even make it possible for organizations to get rid of their password managers altogether, leaving their safety a moot point.
Matthew Smith is a vCISO and management consultant specializing in cybersecurity risk management and AI.