July 11, 2022

Password Management Tips for SOC 2 Compliance

Security & Compliance

The right tools will help your company pass through a SOC 2 audit with ease.

The following blog is written by our very own Nikesh Ashar, Quality Assurance lead at Cledara.

When you’re busy building a business, it’s easy to leave a topic like password security on the backburner. And with the ever-increasing list of passwords required for the growing number of software tools we all use at work, it’s really no wonder.

Single Sign-On (SSO) does a good job of solving the password management headache, but it doesn’t cover everything. You still need a system to minimize the risks associated with the use of passwords to access business tools.

In this blog, we’ll cover quick tips on how to ensure you have the right password management protocol in place on your journey to SOC 2 compliance, and we’ll share the latest Cledara data on the most popular tools used by companies just like yours today.

Standardize laptop logins

Employee laptops are gateways to company data and can be a point of attack for whoever wants to gain access to this information. With the rise in remote work, company laptops are used everywhere (even the beach), creating more opportunities for loss or theft.

That’s where a Mobile Device Management (MDM) tools come in. On top of monitoring and managing mobile devices, MDMs set parameters for passwords, require biometric identification, and easily trigger login resets if required.

Not sure which MDM to use? Scalefusion is the most popular Mobile Device Management tool used by startups and scaleups on Cledara.

Use unique passwords

People tend to use simple, repeatable passwords. In fact, the most commonly used password is ‘123456’ - yikes. It’s such an issue that Verizon estimates weak passwords cause 80% of hacking-related breaches.

We suggest you require teams to use unique passwords with special characters for any work account.

For example, a good password is: 

  • 10+ characters long
  • A mixture of uppercase and lowercase letters
  • 2+ special characters
  • At least 2 numeric characters

Additionally, some experts also recommend the use of a “seed phrase” (a collection of words). This might look something like: 


A good password manager can easily generate these seed phrases. More on this below.

For an extra layer of security, require a fingerprint login if company laptops are outfitted with fingerprint readers (like TouchID on Apple devices). Or encourage the use of SSO options from Google, Microsoft, or Okta. This enables a frictionless experience and reduces the number of passwords required.

Invest in a password manager

Did you know that on average, people reuse the same password 13 times across different applications?

Now, think about what might happen if any of those applications had a breach. Hackers know weak and repeated passwords are an easy way to gain access to valuable customer data.

A password management app stores all passwords securely, without the need for you or your employees to remember them. Shore up your defenses with strong, unique passwords for all important accounts.

As Cledara is an all-in-one software management tool used by over 800 companies, we have a lot of insight on the security tools used by startups and scaleups.

1Password is the most popular password management tool on Cledara. On top of generating unique passwords for all accounts, 1Password will alert you if company email addresses and associated passwords have been compromised by any vendor data breaches. Our customers also use LastPass and Bitwarden

A good password manager will satisfy a number of criteria for SOC 2 and its proper use will help your company achieve its compliance goals.

To discover more of the tools used by startups and scaleups, download our latest Software Buying Guide for Startups. 

Enable 2FA/MFA across applications

Most SaaS applications now offer two-factor authentication (2FA) or multi-factor authentication (MFA). When activated, it requires users to authenticate login attempts via a secondary device, such as a mobile phone.

For example, when logging in to Cledara on a new browser or device, we always confirm identity by sending a unique passcode via SMS.

You may have also seen QR codes that work with apps like Google Authenticator or 1Password to generate a temporary 6-digit code to verify logins. While this may cause friction for end-users in your team, it’s well worth the effort. At a security conference in 2020, Microsoft stated that more than 99% percent of Microsoft enterprise accounts hacked did not use multi-factor authentication (MFA). 

To sum it up

Password security is an important pillar of business compliance. Onboarding the right tools and best practices will help your company pass through a SOC 2 audit with flying colors. Here are the top tips in a nutshell: 

  • Choose strong, unique passwords
    Strong enough that only a password manager can remember it.
  • Use a password manager
    Sticky notes, notepads, Google spreadsheets – great for notes, bad for passwords.
  • Use 2FA/MFA where possible
    Deter potential hackers and get notified if anyone tries to access company accounts.
  • Don’t share passwords
    Instead, use a software management tool to easily provide access to essential tools. 

For more insights on how to improve compliance beyond password management, have a look at the compliance section on our blog.



The software management solution for finance teams.

Learn more

Subscribe to our newsletter

Receive the latest insights in your inbox

Share this post

Subscribe to our newsletter and stay informed on the latest SaaS insights

Explore more

Explore more

9 Shadow IT Risks (And How to Avoid Them)

There’s no point triple locking your door if you leave a window wide open. Here’s 9 eye-watering shadow IT risks to beware of—and how to mitigate them.
Read more

IT Governance Framework: A Guide for Enterprise Companies

IT governance is a formal way to integrate an IT strategy into an organization's business strategy. In this post, we’ll cover everything you need to know about it.
Read more

How To Protect Your Business From Toll Fraud

Business fraud can take many forms. Learn what toll fraud is and how you can protect your business with Cledara.
Read more

Process Documentation for Startups: How To Get Started + Best Tools

Documenting processes can help you optimize your workflow and reduce the growing pains of scaling your startup. Here's how to get started.
Read more

EBA Guidelines on Outsourcing Arrangements: Everything You Need to Know

Learn how to easily navigate around the latest compliance requirements by the EBA for outsourcing arrangements.
Read more

Why SaaS Management Will Help You Achieve the ISO 27001 Certification

How a proactive approach to understanding and controlling your software subscriptions can ease your road to ISO 27001 compliance
Read more

UK Companies to Comply with EBA Guidelines for Outsourcing Arrangements amid Brexit and COVID pandemic

We dug into the latest public statements by PRA and FCA on the EBA Guidelines and give you actionable advice on how to tackle their latest updates.
Read more

2020 GDPR Fines on the Rise

How one chat bot cost Ticketmaster more than a million pounds and what you can do to avoid the same fate.
Read more

SaaSOps: Your IT Team's Latest Security Challenge

COVID has accelerated migration to the cloud. And has also exposed the security of your IT structure like never before. We give you seven tips for IT professionals to tackle these new challenges.
Read more

New EBA Outsourcing Guidelines: What SaaS is Considered Critical or Important?

We dig into the jargon behind the regulation to help you understand what needs to be done with your SaaS
Read more

The Way Fintech Startups Buy SaaS is About to Change Forever

New Outsourcing Guidelines from UK and European financial regulators set new requirements for the way regulated fintech startups and other financial services companies buy and manage their SaaS.
Read more

GDPR Fines and Lessons for Startups

GDPR fines are getting larger and more frequent. An average fine is now more than $500,000, making a GDPR fine equivalent to a whole seed round!
Read more