m@ksim.pro
Security 4 min read

Passwords, managers, SSO: what actually reduces risk

Why access management without convenience does not scale - and how to find the balance between security and what people will actually use.

When a company talks about password security, the conversation usually ends in one of two ways. Either a strict policy appears: long passwords, mandatory rotation every 90 days, no reuse. Or nothing changes, because "people ignore it anyway."

Both outcomes are equally useless. The first creates the illusion of security and real inconvenience. The second leaves the actual risk untouched.

The problem is that security which is uncomfortable to use does not work. People route around it. Not because they are irresponsible - but because they have work to do, and that work should not stop because they cannot log in.

Where the real risk comes from

In most cases, password-related incidents do not happen because of weak passwords per se. They happen because of:

  • reusing one password across multiple services, so a breach in one compromises all the others;
  • storing passwords in the wrong places: Excel spreadsheets, notebooks, sticky notes on the monitor;
  • phishing, where the password is typed into a fake login page and the attacker replays it against the real one;
  • no offboarding process, so a departed employee's accounts stay active.

Forced password rotation every 90 days fixes none of these. A reused or phished password is abused long before the next scheduled change. Rotation only adds friction.

What actually works: a password manager

A password manager solves the core problem: people no longer need to remember passwords, so they stop reusing and simplifying them. Each service gets a unique, randomly generated password that the user never knows and never types manually. A manager that fills credentials by origin also refuses to fill them on a lookalike domain, which removes much of the phishing risk described above.

For the company this means:

  • a breach in one service does not affect the others;
  • a new employee gets access to the right resources through the vault, without passwords being sent by email;
  • when an employee leaves, access to the vault can be revoked without manually changing every password.

The key condition is that the manager must be corporate, with centralised management: shared vaults, an audit log, and an administrator who can revoke access. Personal managers on each employee's device are not a company-level solution, because nobody else can see, share or revoke what is in them.

What actually works: SSO

Single Sign-On - logging in through a single corporate account - solves a different problem: the number of risk points.

When an employee has 15 different services with 15 different passwords, neither the person nor the company can manage that. With SSO, all authentication logic concentrates in one place. That means:

  • one strong password instead of fifteen weak ones;
  • when someone leaves - one deactivation, not fifteen;
  • the ability to apply additional policies (two-factor authentication) once, not fifteen times.

SSO requires investment in setup and assumes that services support integration standards such as SAML or OpenID Connect; anything that does not still has to live in the password vault. It also concentrates risk: the single corporate account is now the one an attacker wants, so two-factor authentication on it is a requirement, not an option. This is not a one-day solution. But for a company with dozens of employees and dozens of services, it is a systemic answer.

What does not work, even though it looks right

  • Scheduled forced password rotation. When people are made to change passwords every quarter, they make predictable substitutions: Spring2024! becomes Summer2024!, and an attacker who has the old one guesses the new one. NIST SP 800-63B now recommends against periodic rotation for exactly this reason; change a password when there is evidence it was compromised, not on a calendar. A stable, complex password that never changes is the better outcome.
  • Complexity requirements without tooling. If the policy demands "at least 12 characters, a digit, a special character" but provides no storage tool, the person will write the password on a piece of paper.
  • Lockout after three attempts with no recovery procedure. That is just a work stoppage, and if usernames are guessable it also hands an attacker an easy way to lock the whole company out.

Questions to check your own situation

Before introducing new password requirements, I suggest answering a few questions:

  1. Do we have a list of all services each employee has access to?
  2. Do we have a procedure for revoking all access when someone leaves, and how long does it take?
  3. Do we have a way to find out whether a password used on one of our services has appeared in a public breach?
  4. Do we have a corporate tool for storing passwords that people actually use, rather than formally comply with?

If any of those questions has no answer - that is where the real risk starts. Not in password length.
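One way to answer question 3 without ever sending a password anywhere is the k-anonymity range lookup offered by the Pwned Passwords API at Have I Been Pwned: hash the password with SHA-1, send only the first five hex characters of the digest, and match the remaining 35 characters locally against the list the server returns. The following is an added example, not code from the original post. The range response it matches against is a constructed sample (the suffix for the word "password" is real; the count and the other lines are invented), the function names (`split_hash`, `parse_range`, `breach_count`, `triage`) are this example's own, and `fetch_range_hibp`, which talks to the live endpoint, is included for completeness but never called, so the block runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed sample of a range response, keyed by 5-hex-char SHA-1 prefix.
# The live Pwned Passwords API returns one "SUFFIX:COUNT" line per hash that
# shares the requested prefix. Only the suffix for "password" below is real;
# the count and the two neighbouring lines are invented for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1E9C5F3FFF9E15F4C4C1E3A1B3B9D6B2A0C:0\r\n"  # padding line (count 0)
    ),
}


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the uppercase hex digest into the
    5-character prefix that is sent and the 35-character suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Zero counts (server-side
    padding, returned when the Add-Padding header is set) are kept, so a
    padded entry still resolves to 'not breached'. Malformed lines are
    skipped rather than crashing the check."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or not count.strip().isdigit():
            continue
        counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus behind fetch_range
    (0 if absent). Only the 5-character prefix ever leaves this function."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_offline(prefix: str) -> str:
    """Lookup against the constructed sample above; unknown prefix -> empty."""
    return SAMPLE_RANGES.get(prefix, "")


def fetch_range_hibp(prefix: str) -> str:
    """Live lookup over the network. Not called anywhere in this example so
    that it stays runnable offline."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def triage(passwords, fetch_range=fetch_range_offline) -> Dict[str, int]:
    """Return {password: count} for every password seen at least once,
    i.e. the ones that need a forced reset."""
    return {p: c for p in passwords if (c := breach_count(p, fetch_range)) > 0}


if __name__ == "__main__":
    for pw, count in triage(["password", "correct horse battery staple"]).items():
        print(f"{pw!r} seen {count} times; force a reset")
```

To run it against the real corpus, pass `fetch_range_hibp` as the second argument of `triage`. The design point is the split in `split_hash`: the server learns a 5-character prefix shared by hundreds of hashes, never the password or its full digest, which is what makes this acceptable to run over a company's own credential set.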

If this resonated, write to me. I reply personally.