3.4 Baseline for Security – Password Management

Needed capacities or functions - Password Management

  1. Educate staff on password security and best practices, such as not reusing the same password across multiple accounts, not sharing passwords, and not writing passwords down, in order to safeguard client and confidential data.
  2. IT-related credentials should be stored in a reputable, secure password manager, and ownership of the vault should be assigned to an institutional IT email address (such as it@organization.org) rather than to an individual user, so that access does not depend on any one person's account.

Important Considerations and Best Practices

Organizations should strongly consider deploying password management software organization-wide, for all employees, to provide secure storage and centralized management of all work-related credentials.

IT should subscribe to CISA.gov updates and to the password manager vendor's notifications or advisories to stay informed about security threats or vulnerabilities affecting its software and service.

IT should consider backing up its password manager, or retaining a secure local copy of the vault, so that credentials remain accessible if a cloud-based password manager has an outage or experiences technical issues.

In addition to IT-related credentials, organizations may want to store credentials for other accounts that hold sensitive data, such as HR and Finance systems, in the same password manager.

In addition to providing training and education to staff on password security, organizations may consider adopting a policy that requires periodic password changes for critical systems. However, required changes should not be so frequent that they interfere with staff access to systems or encourage the creation of passwords that are too similar to previous ones and therefore less secure.

Useful websites, resources, and other tools