# Password manager

**What is a password manager?**

A password manager is an application that stores a company's login credentials in an encrypted vault and enters them when you sign in. You remember one strong master password, and the manager generates and keeps a separate long password for every service you use.

The case for a password manager rests on a plain human limit: nobody can memorise many different strong passwords. So the same password gets reused, often with a small variation at the end. When a provider is breached and credentials are stolen there, attackers automatically try the same combination at other services. This technique is called credential stuffing, meaning the automated testing of stolen credentials against other providers. A separate random password for each service confines the damage to that single service.

Inside a company the question goes beyond your own Windows password. Certain accounts are needed by several people: the company mailbox, online banking, the accountant's portal, the internet domain settings, the router login, the social media accounts. Credentials like these easily end up in a spreadsheet, on a sticky note or on a slip of paper in a drawer. A password manager with team features holds them in shared folders, releases them to defined roles and makes it traceable who has access to what. When someone leaves, you withdraw access and change the shared passwords without having to guess which ones they knew.

An obvious objection is that every password now sits in one place. The vault is encrypted and readable only with the master password. Three things matter here. The master password is long, ideally a phrase made of several words that only you know. Access to the manager is additionally protected with two-factor authentication, meaning a second proof of identity alongside the password, such as a confirmation on your mobile phone. And there is an emergency route in, for instance a sealed envelope in the safe, so the business can carry on if the responsible person is unavailable for a longer period.

The first sensible step is a list of accounts ranked by the harm that misuse would cause: online banking, company email, domain administration, remote maintenance, accounts, the customer database. Those go into the password manager first, each with a freshly generated long password and, wherever the provider supports it, with a second factor. Everything else follows gradually during ordinary work, whenever a password has to be typed anyway.

How credentials are managed, whether accounts of former staff remain active, and whether the important logins carry a second factor are among the points recorded by the IT-Check. A 20-minute initial consultation is at no charge and clarifies whether an audit suits your business.

## Related terms
- [Two-factor authentication (2FA)](https://vetosec.at/en/it-security/zwei-faktor-authentifizierung/)
- [Password attack](https://vetosec.at/en/it-security/passwortangriff/)
- [Permission model and least privilege](https://vetosec.at/en/it-security/berechtigungskonzept/)

## Source
https://vetosec.at/en/it-security/passwortmanager/ (vetosec, schutz)
