Does the team use a password manager (1Password, Bitwarden, etc.)?
Demonstrate that all team members use an approved enterprise password manager to store and manage credentials, eliminating weak passwords, password reuse, and insecure credential storage practices.
Description
What this control does
This control verifies that the organization mandates and enforces the use of enterprise password manager solutions (such as 1Password Business, Bitwarden Teams, or equivalent) for storing and managing credentials. Password managers generate strong, unique passwords for each service, eliminate password reuse across systems, and provide centralized visibility into credential hygiene. Enforcement typically includes organizational policy, endpoint deployment verification, and integration with identity provider systems to prevent storage of credentials in unsecured locations like browsers, spreadsheets, or plaintext files.
Control objective
What auditing this proves
Demonstrate that all team members use an approved enterprise password manager to store and manage credentials, eliminating weak passwords, password reuse, and insecure credential storage practices.
Associated risks
Risks this control addresses
- Credential stuffing attacks succeed due to password reuse across multiple services and personal accounts
- Weak or predictable passwords allow brute-force authentication attacks against corporate systems
- Credentials stored in plaintext documents, spreadsheets, sticky notes, or browser storage are exposed during endpoint compromise or insider threats
- Shared team passwords distributed via email or chat channels are intercepted or remain accessible after employee departures
- Lack of centralized credential inventory prevents timely password rotation following security incidents or vendor breaches
- Without a password manager's domain-matched autofill, users type credentials into look-alike phishing pages, increasing successful credential harvesting from social engineering attacks
- Audit trails for credential access and sharing do not exist, preventing forensic investigation of unauthorized access events
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's password management policy, including approved tools, mandatory use requirements, and enforcement mechanisms
- Request documentation of password manager procurement and licensing showing enterprise-tier subscriptions with administrative controls
- Interview IT or security leadership to confirm deployment method (centrally managed, MDM-enforced, or user self-installed with verification)
- Select a representative sample of 15-20 employees across departments and request screenshots or live demonstrations showing active password manager browser extensions or desktop applications
- Review the password manager's administrative console to verify active user enrollment numbers match expected workforce headcount within acceptable tolerance
- Examine password manager audit logs for a 30-day period to confirm regular usage patterns (vault unlocks, credential retrieval events) for sampled users
- Test whether the password manager integrates with SSO or MFA systems and enforces master password complexity requirements per organizational policy
- Validate that automated onboarding workflows provision new employees with password manager access within first-day orientation processes
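The enrollment-versus-headcount reconciliation and the 30-day usage check from the testing procedure, as an added example that is not part of the original control text. The HR roster, password manager user export and audit events are constructed samples, and the event type names are assumptions; real 1Password or Bitwarden exports use their own field names and would need mapping.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample evidence (not real data): HR roster, password manager
# user export, and password manager audit events. Event names are assumed.
HR_ROSTER = {"alice@example.com", "bob@example.com", "carol@example.com",
             "dave@example.com", "erin@example.com"}
PM_USERS = {"alice@example.com", "bob@example.com", "carol@example.com",
            "dave@example.com", "contractor@example.com"}
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
AUDIT_EVENTS = [  # (user, event type, timestamp)
    ("alice@example.com", "vault_unlock", NOW - timedelta(days=1)),
    ("alice@example.com", "item_retrieval", NOW - timedelta(days=3)),
    ("bob@example.com", "vault_unlock", NOW - timedelta(days=12)),
    ("carol@example.com", "vault_unlock", NOW - timedelta(days=45)),  # outside window
    ("dave@example.com", "password_changed", NOW - timedelta(days=2)),  # not a usage event
]
# Only these event types count as evidence the vault is actually being used.
USAGE_EVENTS = {"vault_unlock", "item_retrieval"}


def reconcile_enrollment(roster, pm_users, tolerance=0.05):
    """Compare password manager enrollment against HR headcount.

    Returns staff with no PM account (policy gap), PM accounts with no HR
    record (offboarding gap), the coverage ratio, and whether coverage is
    within the accepted tolerance.
    """
    unenrolled = sorted(roster - pm_users)
    orphaned = sorted(pm_users - roster)
    coverage = len(roster & pm_users) / len(roster) if roster else 0.0
    return {
        "unenrolled": unenrolled,
        "orphaned": orphaned,
        "coverage": round(coverage, 3),
        "within_tolerance": coverage >= 1.0 - tolerance,
    }


def inactive_users(events, sampled_users, now, window_days=30):
    """Return sampled users with no vault unlock or credential retrieval in the window."""
    cutoff = now - timedelta(days=window_days)
    active = {user for user, kind, ts in events
              if kind in USAGE_EVENTS and ts >= cutoff}
    return sorted(set(sampled_users) - active)


if __name__ == "__main__":
    print(reconcile_enrollment(HR_ROSTER, PM_USERS))
    print(inactive_users(AUDIT_EVENTS, PM_USERS & HR_ROSTER, NOW))
```

An account that only shows a password change, as dave does here, is still flagged: administrative events prove the account exists, not that credentials are being retrieved from the vault.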