What are some best practices to implement for secure employee password management?
There are many enterprise password managers available to help with employee password management. Aside from using a password manager, what else can be done to ensure that employee passwords are secure?
The general best practice says that all the users in a company must attend security awareness training regularly in order to stay up to date on infosec. The companies that provide security awareness training platforms have already created tons of content reminding users why they should stick to particular rules when dealing with passwords, because having a password manager and actually using it sometimes makes the difference.
Security Consultant and Cybersecurity Support at a tech services company with 51-200 employees
Real User
Jun 19, 2020
One of the biggest concerns is that users are not restarting their Windows systems for a long time, which allows an attacker to steal the memory cache. So in my opinion users should schedule their system restarts in a timely fashion.
Director, Consulting Practice at Kenneth J Sole and Associates
User
Jun 18, 2020
I am a big LastPass user, and I utilize the analysis tool it has. In my CIO days we had 3rd-party IT controls companies come in and run password cracking tools to identify weak passwords.
I am going to disregard answering from the ransomware aspect, as write access can be a problem and the mitigation is different.
As much as I love the answer from Denys, the only time employee passwords are a concern is when they are also privileged and then not managed properly.
Small company: If an employee has an account that is also privileged, I recommend rotating the password daily. Active Directory can manage the AD perspective quite well, requiring daily password changes and reducing the PtH (Pass the Hash) vulnerabilities.
Medium & Large company: A PAM solution can allow a privileged user to "Check Out" a password that is then immediately rotated upon check-in. Audit records, session recording and keystroke logging are a plus.
When determining the budget for this type of solution, an old maxim is recalled: "The cheap comes out expensive". Another consideration is not just financial loss, but reputation loss, when the ransom is followed up with a reputation threat, and you pay twice.
I will refrain from the High-Availability and Fail-Over discussion for brevity.
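The Active Directory part of the answer above, written out as an added PowerShell example (not the poster's own script): a fine-grained password policy that forces privileged groups to change their password at least daily, followed by a check for members who would silently bypass it. It assumes the RSAT ActiveDirectory module and rights to create PSOs; the policy and group names are placeholders.

```powershell
# Added example: daily password rotation for privileged AD accounts via a
# fine-grained password policy (PSO), plus a compliance check.
# Assumptions: ActiveDirectory module installed, run by an account allowed to
# create PSOs; $PolicyName and $PrivGroups are placeholders for your own names.
Import-Module ActiveDirectory

$PolicyName = 'PSO-Privileged-DailyRotation'            # placeholder
$PrivGroups = @('Domain Admins', 'Enterprise Admins')   # adjust to your tiering model

# 1. Create the PSO once. Parameters are splatted so each one can be commented.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "name -eq '$PolicyName'")) {
    $pso = @{
        Name                        = $PolicyName
        Precedence                  = 10             # lowest value wins if several PSOs apply
        MaxPasswordAge              = '1.00:00:00'   # expire after 24 hours
        MinPasswordAge              = '0.00:00:00'   # must be shorter than MaxPasswordAge
        MinPasswordLength           = 20
        PasswordHistoryCount        = 24             # block reuse of recent values
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        LockoutThreshold            = 5
        LockoutDuration             = '0.00:30:00'
        LockoutObservationWindow    = '0.00:30:00'
    }
    New-ADFineGrainedPasswordPolicy @pso
}

# 2. Apply it to the privileged groups (PSOs bind to users or global groups).
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $PrivGroups

# 3. Confirm which policy actually wins for a given admin account (placeholder name).
Get-ADUserResultantPasswordPolicy -Identity 'privileged-admin-placeholder' |
    Select-Object Name, MaxPasswordAge, MinPasswordLength

# 4. Compliance check. Two things defeat daily rotation in practice:
#    - PasswordNeverExpires on the account, which overrides MaxPasswordAge entirely;
#    - a password that is already older than the policy allows.
$members = $PrivGroups |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object objectClass -eq 'user' |
    Sort-Object distinguishedName -Unique

$members | Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordLastSet -lt (Get-Date).AddDays(-1) } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Format-Table -AutoSize
```

Any account listed by step 4 still holds a long-lived secret that Pass-the-Hash can reuse, so treat that list as the finding to act on rather than the policy's existence.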
Make an explicit distinction when defining which passwords are personal and which are business/work related, and separate those two types at the primary stage. This helps ease applying a strict policy on the business/work related ones and securing them easily, alongside defining password vaults/environments per department (sales gets its own password environment, engineering gets its own, etc.).