JumpCloud recently held a webinar to discuss how password management fits within an organization’s Identity and Access Management (IAM) stack.
Our host, JumpCloudian Allison Casto, was joined by Antoine Jebara, co-founder and GM of MSP Business, and Rob McGrath, product manager, in discussing the relevance of password management and how JumpCloud Password Manager helps organizations build a comprehensive identity strategy. Below is a recap of the key points discussed during the webinar.
Passwords have long been said to be on their way out. With several authentication methods now available to organizations, passwords no longer take center stage in their identity and access management strategy.
However, owing to a combination of factors, passwords don’t appear to be going away completely just yet.
So, what’s an organization to do?
Should they focus solely on their other authentication methods and hope that passwords die a quicker death? Or should they face the inevitable fact that passwords are sticking around a bit longer than we thought and must be effectively managed?
This post discusses why password management is relevant today and how organizations can include it in their access management strategy.
Password Management: Why Bother?
Almost two decades after Bill Gates first predicted the end of passwords, passwords no longer form the core of most organizations’ access management strategy. But here’s why organizations must pay attention to password management:
Passwords are the most common authentication method, and for good reason. First, they’ve been around for far longer. Second, passwords are a right-out-of-the-box feature in almost all devices. This is more than can be said for other modes of authentication such as biometric recognition or smart cards.
The net effect is that, although organizations rely on them less, passwords are likely to hang on at least until other authentication methods become as commonplace.
Organizations must have a password management strategy to protect themselves from the vulnerabilities that passwords pose. From phishing to physical theft, and even dumpster diving, passwords pose the most risk of enabling unauthorized access.
Add the rising cost of data breaches (4.5 million dollars as of 2022) and the fact that 80% of data breaches are caused by weak or reused passwords, and it’s clear why IT teams cannot afford to be lax in their password security approach.
Single Sign-On (SSO) Challenges
In developing their IAM strategy, many IT teams have given SSO a significant role. SSO enables users to log in once to all the company resources they need to get their work done.
This is mostly done by coupling SSO with push authentication, biometric recognition, and other authentication modes.
Sometimes, however, users will not be able to use SSO to get into some paywalled web-based apps. Or sometimes, they may have to use some shadow IT tools which aren’t part of the company’s infrastructure.
In such instances, password usage creates a gap which password management must bridge, or organizations risk security exposure.
Password Managers + Types
Password managers are software that securely stores and protects users’ login information. Although they typically maintain records of usernames and relevant passwords, they also offer additional storage options. This includes addresses, card details, etc.
There are three major types of password managers:
Offline Password Managers
These password managers store and encrypt passwords locally on a user’s endpoints but don’t sync the passwords across different devices. Thus, users can only use the password manager on one device out of the box.
Offline password managers are rather unfit for enterprise use cases because they don’t give admins centralized visibility and control. What they lack in convenience, however, they make up for in security. Offline password managers are not susceptible to network or server attacks since they store and encrypt passwords on the user’s device.
Cloud-Based Password Managers
Cloud-based password managers store passwords in a vault which is itself located on the password manager servers. The passwords are encrypted with a key called the “Master Password.” The user is tasked with creating, remembering, and protecting this master password.
Users access the information in cloud-based password managers using a combination of their email and the master password.
These are more convenient since users can access them on multiple devices. Plus, they give a high level of visibility and control to admins. However, they make a huge trade-off in security as their effectiveness depends on the user’s ability to create and protect a strong master password.
More worryingly, hackers can also breach password manager servers and gain access to users’ passwords.
Hybrid Password Manager
A hybrid password manager, such as JumpCloud Password Manager, works by combining the best traits of the first two types of password manager.
It uses a decentralized storage architecture where passwords are stored locally on the user’s endpoints. Next, it generates a key for encrypting the passwords in a vault.
This vault then syncs across other devices on JumpCloud’s network, thereby making simultaneous login possible.
It also allows users to share passwords with other users in the organization. What’s more, a hybrid password manager gives admins visibility and control without letting them see a user’s password unless it is shared with them.
An inherent advantage of JumpCloud’s password manager is that reliance is not placed on a user’s ability to create and protect a master password. Thus, users can authenticate access to this vault using biometrics, Windows Hello, or other local authentication means.
JumpCloud Password Manager: Fitting Into a Larger Ecosystem
JumpCloud developed its sophisticated password manager in response to growing demand from organizations. The password manager provides a single-point solution for IAM needs, reducing tool sprawl and lowering IT costs.
The password manager integrates with the JumpCloud open directory platform and greatly complements other tools such as multi-factor authentication (MFA), SSO, conditional access, etc.
Besides its benefits as an important part of a larger ecosystem, JumpCloud Password Manager is also a superior option because it eliminates the dilemma of choosing between convenience and security.
The manager increases users’ productivity and generally makes for a better experience. It saves users’ time and effort that would otherwise have been spent writing out passwords of shadow IT resources on Post-it Notes and Google Sheets. It does this by storing and auto-filling passwords across websites, mobile apps, and desktop apps.
The password manager also enables users or teams to share passwords with other colleagues without compromising security.
JumpCloud Password Manager also provides a seamless experience for admins as it is deployed and managed through one console. Plus, it gives them a high level of visibility and control over user passwords. For example, the password manager gives admins insight into users’ password strength and reuse cases without revealing the passwords themselves.
Leverage JumpCloud’s Password Manager Today
As passwords continue to stick around, IT admins must understand how to fit password managers into their organizations’ IAM strategies.
With JumpCloud’s hybrid password manager being the perfect mix of security, visibility, control, and convenience, password management just became less of a pick-your-poison dilemma. Learn more about JumpCloud’s password manager and watch a demonstration of it in this webinar.