Password Management Tips for SOC 2 Compliance

The right tools will help your company pass through a SOC 2 audit with ease.

The following blog is written by our very own Nikesh Ashar, Quality Assurance lead at Cledara.

When you’re busy building a business, it’s easy to leave a topic like password security on the backburner. And with the ever-increasing list of passwords required for the growing number of software tools we all use at work, it’s really no wonder.

Single Sign-On (SSO) does a good job of solving the password management headache, but it doesn’t cover everything. You still need a system to minimize the risks associated with the use of passwords to access business tools.

In this blog, we’ll cover quick tips on how to ensure you have the right password management protocol in place on your journey to SOC 2 compliance, and we’ll share the latest Cledara data on the most popular tools used by companies just like yours today.

Standardize laptop logins

Employee laptops are gateways to company data and can be a point of attack for whoever wants to gain access to this information. With the rise in remote work, company laptops are used everywhere (even the beach), creating more opportunities for loss or theft.

That’s where Mobile Device Management (MDM) tools come in. On top of monitoring and managing mobile devices, an MDM enforces password parameters, can require biometric identification, and makes it easy to trigger login resets when required.

Not sure which MDM to use? Scalefusion is the most popular Mobile Device Management tool used by startups and scaleups on Cledara.

Use unique passwords

People tend to use simple, repeatable passwords. In fact, the most commonly used password is ‘123456’ - yikes. It’s such an issue that Verizon estimates weak passwords cause 80% of hacking-related breaches.

We suggest you require teams to use unique passwords with special characters for any work account.

For example, a good password is: 

  • 10+ characters long
  • A mixture of uppercase and lowercase letters
  • 2+ special characters
  • At least 2 numeric characters

Additionally, some experts also recommend the use of a “seed phrase” (a passphrase built from several randomly chosen words). This might look something like: 

Teal-cashback-please-today

A good password manager can easily generate these seed phrases. More on this below.
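The policy above can be checked mechanically, and the seed phrase can be generated the same way a password manager does it. The following is an added example, not Cledara's code or any tool's implementation: it encodes the four rules from the list, generates a passphrase in the “Teal-cashback-please-today” shape from a constructed 16-word list (a real generator would draw from a large published wordlist, which is an assumption here), and reports the entropy of the result.

```python
import math
import secrets
import string
from typing import List

# Policy from the post: 10+ characters, a mix of upper and lower case,
# 2+ special characters and 2+ digits.
MIN_LENGTH = 10
MIN_SPECIAL = 2
MIN_DIGITS = 2
SPECIAL_CHARS = set(string.punctuation)


def check_password(password: str) -> List[str]:
    """Return the list of policy rules the password breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if sum(c in SPECIAL_CHARS for c in password) < MIN_SPECIAL:
        problems.append(f"fewer than {MIN_SPECIAL} special characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    return problems


# Constructed 16-word list for the demo only. A real generator should draw from a
# large published list (the EFF long list has 7776 words) so that each word
# contributes about 12.9 bits of entropy instead of 4.
WORDLIST = [
    "teal", "cashback", "please", "today", "harbor", "velvet", "orbit", "maple",
    "quartz", "lantern", "copper", "meadow", "rocket", "saddle", "tundra", "willow",
]


def generate_passphrase(words: int = 4, wordlist=WORDLIST, separator: str = "-") -> str:
    """Pick words with the OS CSPRNG (secrets), never with random.random()."""
    chosen = [secrets.choice(wordlist) for _ in range(words)]
    chosen[0] = chosen[0].capitalize()  # matches the post's "Teal-cashback-..." shape
    return separator.join(chosen)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase drawn uniformly from wordlist_size ** words possibilities."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ["123456", "Teal-cashback-please-today", "Xy7!9?abcdef"]:
        print(f"{pw!r}: {check_password(pw) or 'passes policy'}")
    phrase = generate_passphrase()
    print(phrase,
          f"({passphrase_entropy_bits(4, len(WORDLIST)):.1f} bits with the demo list;",
          f"{passphrase_entropy_bits(4, 7776):.1f} bits with a 7776-word list)")
```

Running the check against the post's own example is instructive: “Teal-cashback-please-today” is long and random but contains no digits, so a policy that applies the four character-class rules literally rejects it. If you want teams to use passphrases, the policy needs a length-based alternative (for example, 20+ characters from a random wordlist) alongside the character-class rule; length and randomness, not symbol count, are what make a password expensive to guess.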

For an extra layer of security, require a fingerprint login if company laptops are outfitted with fingerprint readers (like TouchID on Apple devices). Or encourage the use of SSO options from Google, Microsoft, or Okta. This enables a frictionless experience and reduces the number of passwords required.

Invest in a password manager

Did you know that on average, people reuse the same password 13 times across different applications?

Now, think about what might happen if any of those applications had a breach. Hackers know weak and repeated passwords are an easy way to gain access to valuable customer data.

A password management app stores all passwords securely, without the need for you or your employees to remember them. Shore up your defenses with strong, unique passwords for all important accounts.

As Cledara is an all-in-one software management tool used by over 800 companies, we have a lot of insight on the security tools used by startups and scaleups.

1Password is the most popular password management tool on Cledara. On top of generating unique passwords for all accounts, 1Password will alert you if company email addresses and associated passwords have been compromised in any vendor data breaches. Our customers also use LastPass and Bitwarden.

A good password manager will satisfy a number of criteria for SOC 2 and its proper use will help your company achieve its compliance goals.

To discover more of the tools used by startups and scaleups, download our latest Software Buying Guide for Startups. 

Enable 2FA/MFA across applications

Most SaaS applications now offer two-factor authentication (2FA) or multi-factor authentication (MFA). When activated, it requires users to authenticate login attempts via a secondary device, such as a mobile phone.

For example, when logging in to Cledara on a new browser or device, we always confirm identity by sending a unique passcode via SMS.

You may have also seen QR codes that work with apps like Google Authenticator or 1Password to generate a temporary 6-digit code to verify logins. While this may cause friction for end-users in your team, it’s well worth the effort. At a security conference in 2020, Microsoft stated that more than 99% of compromised Microsoft enterprise accounts did not use multi-factor authentication (MFA). 

To sum it up

Password security is an important pillar of business compliance. Onboarding the right tools and best practices will help your company pass through a SOC 2 audit with flying colors. Here are the top tips in a nutshell: 

  • Choose strong, unique passwords
    Strong enough that only a password manager can remember them.
  • Use a password manager
    Sticky notes, notepads, Google spreadsheets – great for notes, bad for passwords.
  • Use 2FA/MFA where possible
    Deter potential hackers and get notified if anyone tries to access company accounts.
  • Don’t share passwords
    Instead, use a software management tool to easily provide access to essential tools. 

For more insights on how to improve compliance beyond password management, have a look at the compliance section on our blog.
