AUTH-3 Password Management Tool

What is AUTH-3 Password Management Tool Control?

Passwords are considered a key protective measure against unauthorized access.
As passwords become increasingly complex with characters and numbers, especially for critical systems, it becomes impossible to remember all of them. One of the recommended ways to manage too many passwords is to use a password management tool. It is best practice, but not mandatory.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, as we haven’t used them.

Password Management Tools

LastPass

1Password

Keeper

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version:

• N/A: no template recommendation

Control implementation

To implement this control,

Take an inventory of all administrators on critical systems. For these admins, implement a password management process. This can include the download of a password manager tool to create and record passwords in a safe vault for critical systems.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the below-suggested action:

1. Provide a screenshot of the tool and its active dashboard.
2. Provide a screenshot of the login process for the tool.

Evidence example

For the suggested action, an example is provided below:

1. Provide a screenshot of the tool and its active dashboard.
   The following screenshot shows an example of a password management tool on the dashboard.
   Google search
   
2. Provide a screenshot of the login process for the tool.
   The following screenshot shows an example of the login requirements: username and password.
   Google search