Experts estimate that over 8 million<\/a> passwords are stolen every single day.<\/p>\n<\/blockquote>\n\n\n\n The reason why just the sheer existence of so many passwords creates vulnerabilities is because the passwords employees use at work are often considered insecure, weak, common, or even reused, and so the myriad of techniques malicious actors have at their disposal to steal, generate, and then brute force systems with passwords they\u2019ve acquired could easily grant them legitimate access to various resources. The seeming lack of effort end users put into password security is never malicious; instead, due to a variety of factors such as account sprawl, poor login experiences, and attempts to make day-to-day workflows easier, end users are not always incentivized (or empowered) to take password security seriously.<\/p>\n\n\n\n On average, most departments use 40-60 tools each<\/a>, and even if a single employee only accesses a third of those, password fatigue<\/a> is an ongoing problem. The average individual has too many accounts to keep track of password best practices for all of them. This can result in reusing the same password they use for personal accounts, to keeping a list of their passwords in a spreadsheet or even written down on sticky notes or shoved into a desk drawer. Whatever the bad practice is, it adds significant risk to your organization, which cannot be ignored.<\/p>\n\n\n\n On average, employees reuse passwords across 16 accounts.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n For these reasons, the burden of ensuring password and resource security should not fall on the end user. End users care about accomplishing their work, and they\u2019ll find ways to make their day-to-day lives easier (i.e., getting access to resources and apps quickly and easily) at any cost. For most, password security<\/a> is simply not a priority, especially considering the number of passwords needed to access all of their resources.<\/p>\n\n\n\n Account sprawl is a significant issue for many organizations, but cutting down on applications and tools is a short-term solution at best. That\u2019s why, over time, significant strides have been made to better protect passwords.<\/p>\n\n\n\n One example of this is multi-factor authentication (MFA), which has been widely adopted across both organizational and personal accounts. While MFA greatly enhances security, the continued existence and use of passwords will keep creating security problems for businesses everywhere.<\/p>\n\n\n\n For example, say an employee\u2019s information gets compromised in a data breach, and a bad actor gains access to their password. While MFA will help protect work resources, that bad actor may also have access to that user\u2019s email and many other accounts, which can allow them to bypass MFA requirements. The password is still a single point of failure in this scenario.<\/p>\n\n\n\n Another strategy for protecting resources better involves passwordless authentication, a model where users no longer need passwords to gain access to their accounts. Instead, users authenticate with safer (and more convenient) factors such as secure tokens and magic links, delivered via email, text message, or an authenticator app. However, even as passwordless authentication gains traction and organizations switch over to it, passwords will persist for a long time, which means they need to be securely managed for the foreseeable future.<\/p>\n\n\n\n Password managers were specifically created to help solve this problem, or at least mitigate its risk wherever possible, by creating a better way for end users to produce unique, complex passwords for each of their accounts. However, the original intent of password managers doesn\u2019t quite match the challenges organizations face today.<\/p>\n\n\n\n The original purpose of password managers was twofold:<\/p>\n\n\n\n They enhance password security by making it easier for users to create strong, unique passwords without the need for memorization, and they improve the user experience through simplified, digital password management instead of requiring passwords to be manually recorded somewhere insecure (such as a notebook or spreadsheet). This helps prevent password-focused attacks used by hackers to compromise accounts.<\/p>\n\n\n\n By using a password manager, organizations can also enforce password policies<\/a>, such as requiring frequent password changes or complex passwords, without imposing a burden on their employees (or themselves). In addition, password managers often include features such as two-factor authentication (2FA), which adds an extra layer of security that protects against unauthorized access. Overall, password managers are an important tool for ensuring the security of an organization\u2019s online assets and protecting against cyber threats.<\/p>\n\n\n\n And yet, devastating breaches still occur each year, compromising millions of accounts, credentials, and other personal and company information. Why? Because at the end of the day, despite the many advancements in the functionality of password manager technology, most password managers require a master password<\/strong> from the end user to grant access to their vault.<\/p>\n\n\n\n The original purpose of password managers was to improve end user password habits, but with the key to the entire password vault being yet another password, the burden of password security still falls largely on the end user.<\/p>\n\n\n\n Something needs to change in order to better protect passwords in the workplace, and that next step involves reevaluating the architecture password managers are built upon. Password management architecture<\/a> is just as important as the features and benefits the manager offers (i.e., password generation, autofilling, sharing, etc.) to end users. Over the years, significant innovation has occurred in the realm of password management features, but now it\u2019s time for the next wave of architecture updates to take place.<\/p>\n\n\n\n Currently, password management solutions fall into two categories: traditional password management solutions that are cloud-based or purely store passwords offline, and the newer, hybrid password management approach which is, as you might have guessed, a hybrid between cloud-based and offline password managers.<\/p>\n\n\n\n The first type of traditional password management solution is referred to as an offline model. Offline password managers are software programs that store login credentials on a user’s local device, rather than in the cloud.<\/p>\n\n\n\n They work by creating a secure, encrypted repository on the user’s device, and that repository is accessed using a master password. Users can then add new login credentials to their password manager by providing the website or application name, their username, and the corresponding password. The password manager will then securely store this information locally, encrypting the data contained within the vault until the proper credentials (i.e. the master username and password) are used to decrypt them for consumption.<\/p>\n\n\n\n When a user needs to log in to one of their accounts, they can simply go to the website or launch the app and use their password manager to automatically fill in their login credentials. This saves users from having to remember multiple complex passwords, and it helps to prevent password reuse, which is a common attack vector for hackers.<\/p>\n\n\n\n Offline password managers offer the advantage of being completely independent of the internet, which can be useful for users who are concerned about their online privacy or security.<\/p>\n\n\n\n With offline password managers, users will still need to create a master password that they can remember in order to access their vault. Another issue with offline managers is that they store passwords on the user\u2019s device, with no way to sync the vault across multiple devices. Instead, users have to manually copy and paste their vaults on each device they use and then keep them updated manually after that, which is tedious and inefficient.<\/p>\n\n\n\n Offline password managers are not suitable for modern, business use cases for a few reasons:<\/p>\n\n\n\n Let\u2019s recap the main benefits and limitations of traditional, offline password managers:<\/p>\n\n\n\n Benefits of offline password managers:<\/strong><\/p>\n\n\n\n Limitations of offline password managers:<\/strong><\/p>\n\n\n\n Overall, offline password managers are a good option for users who want to store their login credentials locally and who are willing to trade convenience for the added security of being disconnected from the internet. They can be a great first step toward password management in a personal context, but they become extremely inefficient in business contexts where there are many users, with multiple devices, using a hybrid or remote working strategy<\/a>, that need to collaborate and share passwords easily \u2014 with IT overseeing all of this.<\/p>\n\n\n\n The second type of traditional password management solution is cloud-based. Over the years, cloud-based architectures were developed to expand password management capabilities even further (especially as smartphones and tablets became default devices in everyone\u2019s lives). Cloud-based managers opened the doors for organizations to more effectively manage and deploy modern devices on behalf of their users.<\/p>\n\n\n\n Cloud-based password managers work by storing encrypted login credentials in an online repository accessible from any device with an internet connection. Users can access their password manager using a web browser or a dedicated mobile app, and use the password manager to store and manage their login credentials for various online accounts.<\/p>\n\n\n\n Just like offline password managers, to use a cloud-based password manager users need to create, manage, and remember a master password, which is used to access their vault. This master password should be kept secret, as it is used to encrypt and decrypt all of the login credentials stored in the password manager.<\/p>\n\n\n\n Once a user has logged into their password manager account, they can add new login credentials by providing the website or application name, their username, and the corresponding password. The password manager will then store this information in the cloud in an encrypted form. Cloud-based password managers offer business features including centralized admin management, centralized usage logging, and password sharing between users.<\/p>\n\n\n\n Just like offline password managers, when a user needs to log in to one of their accounts, they can simply go to the website or launch the app and use their password manager to automatically fill in their login credentials.<\/p>\n\n\n\n Due to cloud-based password managers\u2019 reliance on users managing the \u201cmaster keys\u201d to their vault as well as the password management vendor storing encrypted customer vaults on their cloud servers, the security of cloud-based password managers can be an area of concern. Because of the architecture they\u2019re built on, cloud-based managers offer multiple avenues for malicious parties to degrade and sometimes compromise the security of entire organizations.<\/p>\n\n\n\n Here are some of the risks associated with cloud-based password managers:<\/p>\n\n\n\n 1.5 million<\/a> new phishing websites are made monthly.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n Let\u2019s recap the main benefits and limitations of traditional, cloud-based password managers:<\/p>\n\n\n\n Benefits of cloud-based password managers:<\/strong><\/p>\n\n\n\n Limitations of cloud-based password managers:<\/strong><\/p>\n\n\n\n Overall, cloud-based password managers offer a convenient way for individuals and organizations to manage their login credentials. Cloud-based password managers make collaboration easier, and users can access their vault across multiple devices. However, the added level of convenience and sole focus on availability comes at the expense of security due to the heavy reliance on end users creating and protecting strong master passwords, as well as on the password management vendor itself.<\/p>\n\n\n\n The existence of user-created and user-managed master passwords and the centralized cloud storage of passwords are two risk factors that accompany the use of cloud-based managers.<\/p>\n\n\n\n While both traditional password management approaches tend to focus on helping ease the threat of attacks by improving weak password habits, they still require users to remember (and thus create, on their own) a master password to access their vault. Passwords are the weak links in the access chain, so this method of password storage maintains the limitation password managers intend to mitigate: the reliance on a single password that an end user must remember and that provides significant access to sensitive information.<\/p>\n\n\n\n This master password is the ultimate gateway into the password vault, and it\u2019s used to encrypt and decrypt all of the login credentials stored within the password manager. Yet, this master password cannot be stored in the vault, as it\u2019s needed to get into the vault itself; this catch-22 may lead users to reuse or create weak master passwords, or store them in an insecure, easy-to-find place, and effectively eliminate the benefits the password manager has granted.<\/p>\n\n\n\n Even if users create strong and unique master passwords, phishing<\/a> is still a common (and effective) attack tactic that has the potential to give hackers the golden key into enterprise vaults.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n Password management architecture has to evolve in a way that leaves master passwords in the dust, or the trend in breaches will continue. The good news is that there is a new way for organizations to manage passwords: a hybrid approach<\/em>.<\/p>\n\n\n\n So, what exactly is a hybrid password manager? Hybrid models use a blend of features from offline and cloud-based models; however, unlike traditional models, hybrid password managers are built upon a decentralized storage architecture. This means that password vaults are stored locally on devices, while a cloud-based system seamlessly syncs passwords between devices accessing the same vault using end-to-end encryption.<\/p>\n\n\n\n Because this architecture stores passwords locally on user devices, there is no need for a master password. Passwords are encrypted using locally generated keys that are stored in the secure storage unit of the device the passwords are on, and the vault can be unlocked using biometrics or a local PIN code.<\/p>\n\n\n\n Hybrid password managers aim to bridge the gap between security and convenience for organizations looking to securely incorporate password management into their IT technology stack.<\/p>\n\n\n\n Better Together<\/strong>: Combine a hybrid password manager<\/a> with single sign-on (SSO)<\/a> capabilities to get the best of both worlds. Provide users with a simple, convenient way to access their resources, while ensuring that their login credentials are strong, unique, and managed securely.<\/p>\n<\/blockquote>\n\n\n\n Benefits of hybrid password managers:<\/strong><\/p>\n\n\n\n Overall, a hybrid, or decentralized, password management architecture gives organizations and end users the best of both worlds while eliminating some of the issues of traditional models. Hybrid password managers make collaboration easier, facilitate remote work, allow users to easily manage passwords across all of their devices<\/a>, and give IT the control and visibility they need to maintain security. And, on top of all of these benefits, security is maintained and even enhanced through the elimination of the insecure master password that traditional models use, as well as the decentralized storage of passwords and encryption practices.<\/p>\n\n\n\n JumpCloud\u2019s open directory platform includes a password manager built on the decentralized architecture described above. Passwords are stored locally and synced in an end-to-end encrypted manner between the devices you choose, with no master password needed to access the vault.<\/p>\n\n\n\n This modern approach to password management architecture allows users to remain productive with an enjoyable, seamless experience, while promoting secure credential management practices. Enjoy the features you expect, such as autofill and auto-save, on top of easy password sharing, multi-device vault syncing, and more.<\/p>\n\n\n\n JumpCloud Password Manager also gives IT admins centralized visibility and control over password management and sharing, as well as a handful of other benefits. Some of these benefits include the abilities to:<\/p>\n\n\n\n JumpCloud Password Manager introduces a novel approach to organizational password management that aims to reduce the reliance on end users and the service provider to protect vaults while enabling business use cases and introducing high levels of added convenience across the board.<\/p>\n\n\n\n JumpCloud Password Manager is managed within the JumpCloud Console and is available as an application on Mac, Windows, and Linux. Mobile applications are also available for iOS and Android, and there are browser extensions on Chrome, Edge, Firefox, and other Chromium-based browsers such as Opera and Brave.<\/p>\n\n\n\n Let\u2019s take a look at the behind-the-scenes processes that power JumpCloud Password Manager\u2019s hybrid approach.<\/p>\n\n\n\n When users activate JumpCloud\u2019s password manager app on a new device, an AES256 key is generated in order to encrypt the vault locally. An RSA2048 key-pair is also generated for that device, which is used to encrypt and decrypt passwords that sync between multiple devices. These generated keys are stored in the secure storage unit of their respective device, such as the Apple Keychain, the Windows Credentials Manager, and the Android Keystore.<\/p>\n\n\n\n Unlike with cloud-based password managers, the password vault is not uploaded to JumpCloud servers; instead, it remains locally encrypted (using the AES256 key) and stored on the device that the password manager was activated on. This is an important difference in architecture compared to traditional approaches.<\/p>\n\n\n\n Modern employees use a variety of different devices for work, and they all need to remain in sync. JumpCloud Password Manager makes this a reality by allowing end-to-end encrypted password vault syncs between any devices.<\/p>\n\n\n\n When a user activates the password manager app on a second device, they pair their two applications by scanning a pairing code displayed on the secondary device.<\/p>\n\n\n\n This process:<\/p>\n\n\n\n Moving forward, the password vaults will remain synchronized across both devices. Whenever the user makes a change to the vault on one of the two devices:<\/p>\n\n\n\n The primary benefits of this approach are that it:<\/p>\n\n\n\n In addition to offering a secure and convenient way for users to access and manage passwords across devices without relying on master passwords, JumpCloud Password Manager offers all of the business features that organizations need.<\/p>\n\n\n\n These features include:<\/p>\n\n\n\n Modern workplaces include hybrid employees, a plethora of different devices, and a strong need for collaboration, so IT admins need an easy and secure way to view and manage access to set users up for success.<\/p>\n\n\n\n JumpCloud Password Manager can be centrally managed by IT admins from a cloud-based console. Admins have access to all major features that they expect out of a modern password management solution, including the abilities to:<\/p>\n\n\n\n On top of IT admins getting centralized control over who gets enrolled or removed from shared folders or even the password manager itself, they also need high visibility into user vaults to ensure that compliance and security initiatives are being met. An organizational password management solution isn\u2019t complete without the ability for users to easily share passwords with each other. With JumpCloud Password Manager, users can securely share passwords with varying permission levels using a decentralized approach, similar to the process outlined above regarding cross-device password syncing.<\/p>\n\n\n\n When a user is added to a shared folder, they are granted one of three different permissions by the folder admin(s). Users can become a:<\/p>\n\n\n\n When a change is made to a password in a shared folder, the app that made the change encrypts then signs a \u201csync\u201d message with the public keys of every member of the folder. These \u201csync\u201d messages are then relayed through JumpCloud servers to all of the apps of the different users in the folder.<\/p>\n\n\n\n It seems natural that modern password managers can support the needs of in-house IT departments, as well as MSPs and VARs, but this is not the case for many cloud-based managers.<\/p>\n\n\n\n However, JumpCloud Password Manager offers a multi-tenant admin console<\/a> which allows partners to add password management to their service offering, while easily supporting and managing each client\u2019s password manager setup, all from a single console, but within a unique interface for each.<\/p>\n\n\n\n This simplifies the task of deploying and managing a password manager across a wide range of clients without having to manage numerous parent accounts that each require their own set of unique credentials to access. Because of this, JumpCloud Password Manager is a perfect solution for MSPs and VARs that have previously struggled to include password management as part of their service offering.<\/p>\n\n\n\n The needs of IT professionals vary, but they tend to intersect at the same place \u2014 finding a way to easily and securely manage identities, access, and devices without breaking the bank or adding too many different tools into their stack.<\/p>\n\n\n\n This is where JumpCloud\u2019s open directory platform<\/a> comes in handy \u2014 not only does JumpCloud offer a modern, decentralized password management solution as a core part of the platform, but it also includes all of the features you need and expect for comprehensive identity, access, and device management. This allows IT admins and MSPs to manage SSO, MFA, and password-based authentication across their organizations from one consolidated admin console.<\/p>\n\n\n\n JumpCloud Password Manager\u2019s hybrid, decentralized architecture is a new and modern approach to password management that was created with both security and ease of use in mind. It includes all of the business features you expect a robust password manager to have, while providing a new convenient and secure way to store, manage, and share passwords.<\/p>\n\n\n\n JumpCloud Password Manager is also part of a much bigger story. JumpCloud\u2019s open directory platform houses its password manager among many other capabilities. Think: SSO, MFA, conditional access, open integration capabilities, robust identity and access management, cross-OS device management, Cloud LDAP, Cloud RADIUS, and so much more.<\/p>\n\n\n\n![\"Easy](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/10\/password.jpeg\")
<\/figure>\n\n\n\n![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\"\/){kind=icon}
<\/p><\/div>Progress Toward Password and Account Protection<\/h2>\n\n\n\n
Multi-Factor Authentication<\/h3>\n\n\n\n
Passwordless Authentication<\/h3>\n\n\n\n
Password Managers<\/h3>\n\n\n\n
The Creation of Password Managers<\/h2>\n\n\n\n
\n
![\"\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/02\/202301-WP-PasswordManager-man-using-laptop-pwm-overlay.jpg\")
<\/figure>\n\n\n\nTypes of Password Managers<\/h2>\n\n\n\n
Offline Models<\/h3>\n\n\n\n
How Offline Models Work<\/h4>\n\n\n\n
Limitations of Offline Models<\/h4>\n\n\n\n
\n
\n
\n
Cloud-Based Password Management Models<\/h3>\n\n\n\n
How Cloud-Based Models Work<\/h4>\n\n\n\n
Limitations of Cloud-Based Models<\/h4>\n\n\n\n
\n
<\/p><\/div>\n
\n
\n
The Challenge With Traditional Architecture<\/h2>\n\n\n\n
<\/p><\/div>Hybrid Models (Decentralized Architecture)<\/h2>\n\n\n\n
![\"\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/02\/202301-WP-PasswordManager-hybridmodel.jpg\")
<\/figure>\n\n\n\n\n
\n
JumpCloud\u2019s Hybrid Password Manager<\/h2>\n\n\n\n
![\"\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/01\/jumpcloud-password-manager-main.png\")
<\/figure>\n\n\n\n\n
Vault Storage<\/h3>\n\n\n\n
Vault Syncing Between Devices<\/h3>\n\n\n\n
\n
\n
\n
Business Use Case Features<\/h3>\n\n\n\n
\n
Centralized Admin Controls<\/h4>\n\n\n\n
\n
Centralized Vault Visibility<\/h4>\n\n\n\n
With JumpCloud, IT admins get full visibility over users\u2019 passwords at the organizational level, at the shared folder level, and at the end user level. This does not mean that admins can see users\u2019 passwords \u2014 rather, it means that they have the ability to:<\/p>\n\n\n\n\n
Password Sharing<\/h4>\n\n\n\n
\n
How Password Sharing Works<\/h4>\n\n\n\n
![\"\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/02\/202301-WP-PasswordManager-hybrid-arch-jc.jpg\")
<\/figure>\n\n\n\nMulti-Tenant Capabilities<\/h4>\n\n\n\n
Unified Access Management From a Single Admin Console<\/h4>\n\n\n\n
Compare JumpCloud to Traditional Password Managers<\/h2>\n\n\n\n
Feature<\/strong><\/td> Offline Password Managers<\/strong><\/td> Cloud-Based Password Managers<\/strong><\/td> JumpCloud Password Manager<\/strong><\/td><\/tr> Storage of passwords<\/strong><\/td> Local on a single device<\/td> The cloud<\/td> Local and automatically synced in an end-to-end encrypted manner across multiple devices<\/td><\/tr> Access via user-managed master password<\/strong><\/td> Yes<\/td> Yes<\/td> No<\/td><\/tr> Centralized admin controls<\/strong><\/td> No<\/td> Yes<\/td> Yes<\/td><\/tr> Centralized admin visibility<\/strong><\/td> No<\/td> Yes<\/td> Yes<\/td><\/tr> Multi-tenant capabilities<\/strong><\/td> No<\/td> Depends on vendor<\/td> Yes<\/td><\/tr> Native integration with cloud directory, SSO, and MFA<\/strong><\/td> No<\/td> No<\/td> Yes<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Take a New Approach to Password Management<\/h2>\n\n\n\n
![\"Password](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/11\/Password-Manager.png\")
<\/figure>\n\n\n\n