In your organization, employees’ digital identities, and more specifically their passwords, are the keys that grant access to your most valuable resources and data… and it’s estimated that over 8 million passwords are stolen every single day. All passwords are at risk, all of the time, and the burden of ensuring they are complex enough to reduce the threat of compromise falls too heavily on the end user.
Employees care about accomplishing their work, and they’ll find ways to make their day-to-day lives easier (i.e., getting access to resources and apps quickly and easily) at any cost. For most, password security is just not a priority, especially considering the sheer number of passwords needed to access all of their resources. This leads to heavy password reuse, sprawl, and common password use due to password fatigue.
Password managers were created to help solve this problem, or at least mitigate risk wherever possible, by creating a better way for end users to produce unique, complex passwords for each of their accounts. Over the years, cloud-based architectures were developed to expand capabilities even further (especially as smartphones and tablets became default devices in everyone’s life), and opened the doors for organizations to more effectively manage and deploy them on behalf of their users. And yet, devastating breaches are still occurring each year, compromising millions of accounts, credentials, and other personal and company information. Why? Because at the end of the day, despite the many advancements in functionality of password manager technology, the burden of password security still falls largely on the end user.
Something needs to change in order to better protect passwords in the workplace, and that next step involves reevaluating the architecture password managers are built upon. Password management architecture is just as important as the features and benefits the manager offers (i.e., password generation, autofilling, sharing, etc.) to end users.
Let’s dive into different password manager architecture setups to truly evaluate the security problem at hand and discuss a modern solution.
Types of Password Managers
The password managers you are used to leverage either a traditional offline model or a cloud-based model. Both have a centralized architecture that stores credentials in a single vault, accessed via a master password. The evolution of this architecture, and of the features and benefits each model provides, follows the same pattern seen across the larger tech space.
Offline Models
Offline password managers are software programs that store login credentials on a user’s local device. They work by creating a secure, encrypted repository directly on the user’s device, which can be accessed using a single master password.
Benefits of offline password managers:
- Local, offline password storage reduces the potential exposure of sensitive information.
Limitations of offline password managers:
- Passwords cannot be accessed on multiple devices without manual user effort.
- The lack of centralized admin controls and usage logging makes it challenging for IT admins to deploy and manage users effectively.
- No password sharing capabilities between users means resources that require shared accounts cannot be stored and maintained effectively or securely.
Cloud-Based Models
Cloud-based password managers work similarly to offline managers in that they store credentials in a single, encrypted vault; however, these vaults live within an online repository, which can be accessed from any device with an internet connection. Users can typically access their password manager vaults using a web browser (through a web-based portal or supported browser extension) or a dedicated mobile or desktop app, and they can use it to store and manage their login credentials for various online accounts. A master password is used to gain access to the cloud-based vault, which may have additional layers of security (such as multi-factor authentication) if supported by the vendor.
Benefits of cloud-based password managers:
- Users can access password vaults from multiple devices, with credentials always in sync between them.
- Centralized admin controls and usage logging give IT admins better visibility and management capabilities to enforce best practices.
- Password sharing between users, which helps reduce friction.
Limitations of cloud-based password managers:
- Vault security rests on end users’ ability to create, manage, and remember strong master passwords, which can be difficult to enforce beyond training.
- Phishing is a growing threat, and with users in charge of the master keys, we will continue to see more and more organizations get compromised.
- If a password management service provider is compromised, encrypted customer vaults can be exfiltrated en masse, giving attackers unlimited time to try to open them by guessing weak and reused master passwords.
Hybrid Models (Decentralized Architecture)
As the name implies, hybrid models use a blend of features from offline and cloud-based models; however, unlike offline and cloud-based models, hybrid password managers are built upon a decentralized storage architecture. This means that password vaults are stored locally on devices, while a cloud-based system is used to seamlessly sync passwords between devices accessing the same vault using end-to-end encryption.
Benefits of hybrid password managers:
- No master password required.
- Local password storage.
- Users can access password vaults from multiple devices, with credentials always in sync.
- Centralized admin controls and usage logging give IT admins better visibility and management capabilities to enforce best practices.
- Password sharing between users, which helps reduce friction.
The Challenge With Traditional Architecture
While traditional password management solutions focus on easing the threat of attacks by improving weak password habits, they still require users to create, and remember, a master password to access their vault. Passwords are the weak link in the access chain, so this method of storage preserves the very limitation password managers are meant to mitigate: reliance on a single password, remembered by an end user, that grants broad access to sensitive information.
This master password is the ultimate gateway into the vault, and it is used to encrypt and decrypt all of the login credentials stored within the password manager. Yet the master password itself cannot be stored in the vault, because it is needed to open the vault in the first place. This catch-22 may lead users to reuse or choose weak master passwords, or to store them in an insecure, easy-to-find place, effectively eliminating the benefits the password manager has granted.
Even if users create strong and unique master passwords, phishing remains a common (and effective) tactic that can hand attackers the golden key to enterprise vaults. What’s more, recently reported incidents at password management vendors show that compromised cloud storage infrastructure can let malicious parties download entire databases of encrypted customer vaults. The contents are protected by strong encryption, but once the vaults have been copied and extracted, criminal hackers can spend unlimited time trying to open them by brute-forcing end users’ master passwords.
How a Decentralized Architecture Helps to Address Some of the Limitations of Cloud-Based Password Managers
Decentralized password management architecture creates a system where the password vaults are stored locally on user devices and are synced in an end-to-end encrypted manner between multiple devices through the use of cloud servers.
This approach does not rely on users having to create, manage, and remember master passwords, which helps address some of the limitations of cloud-based password managers.
JumpCloud’s Hybrid Password Manager
JumpCloud’s open directory platform includes a Password Manager built on the decentralized architecture described above. Passwords are stored locally and synced in an end-to-end encrypted manner between the devices you choose, with no master password needed to access the vault. This modern approach to password management architecture allows users to remain productive with an enjoyable, seamless experience, while promoting secure credential management practices.
The JumpCloud Password Manager is managed within the JumpCloud Console and is available as an application on Mac, Windows, and Linux. Mobile applications are also available for iOS and Android as well as browser extensions on Chrome, Edge, Firefox, and other Chromium-based browsers such as Opera and Brave.
With JumpCloud, vault syncing between a user’s devices is simple. The user pairs the devices by scanning a pairing code, and the vault is then encrypted and synced across the devices through JumpCloud servers. From then on, when the user changes the vault on one device, the change is automatically synced and reflected on all connected devices, end-to-end encrypted throughout.
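To make the architectural difference concrete, here is an added illustrative model (not JumpCloud code; the article does not describe JumpCloud’s actual pairing protocol or cipher) of a vault key that is generated randomly on the device and copied only at pairing, with the cloud relay holding nothing but ciphertext. For contrast it also includes a password-derived key of the kind the traditional model relies on. The pairing step, the relay layout, and the toy cipher are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Added model of the two key-management designs the article contrasts (not JumpCloud code).
# The cipher is a simple encrypt-then-MAC built from HMAC-SHA256 so the example runs on
# the standard library alone; a real product would use an AEAD such as AES-GCM.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; a fresh nonce per call keeps the stream unique."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a modified blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

def master_key(master_password: str, salt: bytes) -> bytes:
    """Traditional model: the vault key is a deterministic function of a human-chosen
    password, so anyone holding an exfiltrated blob plus its salt can test guesses offline."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 600_000)

class Device:
    """Decentralized model: a random vault key is generated on the device and copied only
    to a paired device (the copy stands in for the scanned pairing code); the sync server
    is a plain dict of opaque blobs and never holds a key."""
    def __init__(self):
        self.vault_key = secrets.token_bytes(32)
        self.vault = {}

    def pair(self, other: "Device") -> None:
        other.vault_key = self.vault_key  # device-to-device only, never via the relay

    def push(self, relay: dict, user: str) -> None:
        relay[user] = seal(self.vault_key, json.dumps(self.vault).encode())

    def pull(self, relay: dict, user: str) -> dict:
        self.vault = json.loads(open_sealed(self.vault_key, relay[user]))
        return self.vault
```

Whoever obtains the relay’s contents holds only blobs and no password-derived key, so there is nothing to guess; in the `master_key` model the same blob plus its salt is enough to start testing candidate passwords.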
The JumpCloud Password Manager also gives IT admins centralized visibility and control over password management and sharing, as well as a handful of other benefits. Some of these benefits include the abilities to:
- Easily enroll users and teams into the password manager.
- Terminate users’ access, which wipes their password vaults from all devices.
- Get granular control over the access levels of users to shared folders.
- View password strength dashboards to spot weak and reused passwords.
- View password vault metadata to see which passwords are being managed and shared by users in the organization.
- View usage logs to see which users used or viewed certain passwords.
To learn more about how JumpCloud’s hybrid password management solution works and how it differs from traditional password architecture, connect with us today – schedule a demo.