Does My Firm Need a Password Manager or MFA?

password security

Creating strong, unique passwords is a simple but often overlooked component of good cybersecurity hygiene. And yet, the most common password in 2022 was “password,” followed by the equally easy-to-hack sequence “123456.” According to research from Verizon, more than 80% of hacks use stolen or weak passwords.

A strong password doesn’t just contain complex and unique characters; it’s also stored safely. When passwords are stored locally—say, in an Excel spreadsheet or text file—they’re easy for bad actors to find. This is consistently a weak point in penetration tests we run for clients.

In the financial services space especially, firms should use password managers to protect employee credentials and the sensitive information those credentials are used to access. Let’s look at how you can choose the right password manager—and layer in multi-factor authentication (MFA), single sign-on, and IP access control for an even stronger cybersecurity posture.


Password managers are great tools because they easily generate and store randomized, strong passwords. LastPass, 1Password, DashLane, and NordPass are just a few examples of password management tools available today.

The question, of course, is how to select the right one. Here are three things to look for:

1. Strong encryption

The most important thing to consider when selecting a password manager is strong encryption. While LastPass made headlines for a data breach recently, the reality is that the passwords stored in this and other password managers are difficult to crack without an encryption key. That might change in the future, but for now, a long password and encryption key is enough to make cracking the code not worth an adversary’s time. Just make sure the user (whether your company or an employee) is the one who owns the key.

2. The ability to frequently rotate passwords and document changes

Next, choose a tool that rotates passwords on a daily or weekly basis. Frequent rotation will help keep hackers from being able to access your network through practices like keylogging. Changing passwords regularly can also prevent bad actors from being able to access your network multiple times over a given period.

In addition to automatically changing the password, the tool should document the change. This is a great way to strengthen security. Let’s say an employee takes a password off-site. If the password’s been changed, it simply won’t work.


3. Rule-based access control

Finally, a good password manager will offer rule-based access control to shared resources. This applies to any user who has access to the system—not just IT managers. Employees can still use the password manager for individual accounts (i.e., setting up an account to log into a vendor’s system). But they should also be able to access shared resources based on their levels at your company.


With a password manager in place, you can then add in MFA, single sign-on, and IP access control for extra layers of protection.

You’re probably familiar with MFA in your daily life; for example, when you attempt to sign into your bank account, you might receive a text message asking you to confirm your identity. The same principle applies to corporate cybersecurity. MFA requires two or more credentials to verify a user’s log-in. The second set of credentials could be anything from a hardware token (such as a USB) to a push notification on the user’s phone.

The authentication may vary by device as well. For trusted machines, the user may be able to bypass the hardware token. But for new machines, it should always be required.

With MFA layered in, attackers won’t be able to access your systems and data even if they somehow get ahold of an employee’s password. It’s highly unlikely that they will be able to hack a second credential required for access.

Single sign-on is another useful tool to have in your cybersecurity toolkit. It is particularly useful for disabling the accounts of former employees, as deactivating single sign-on essentially deactivates all the employees’ accounts.

Finally, you can also use an IP access control list to further tighten security. With IP access control, verification is only allowed from certain IP addresses. Employees will be able to access information from the office, for instance, but not from home.


A password manager layered with MFA, single sign-on, and IP access control is non-negotiable in today’s cyber landscape. These tools will ensure your employees are using strong passwords—and that those passwords are both encrypted and protected.

ECI has helped countless financial services firms improve their cybersecurity. If you’re looking to do so in 2023 but aren’t sure where to start, contact us today.

Microsoft 365 Copilot

Speak With One Of Our Experts Today

Learn How ECI Can Unlock Real Value For Your Firm.