
At Thirdbridge, providing peace of mind to our clients is at the heart of our priorities, and we believe it all starts with the reliability of our internal practices and processes. To kick off the year, we decided to revamp our password management policy. We believe that the best practices of the industry are actually outdated and have chosen to take a different approach.
In general, a traditional password management policy looks like this:
Members of Company XYZ must use passwords that meet the following criteria when using tools or systems required for their work:
- At least 10 characters;
- Contain at least one number;
- Contain at least one lowercase letter and one uppercase letter;
- Contain at least one special character.
A password must never be reused across different tools or systems. Additionally, passwords must be updated periodically, at least once every six months.
In this article, we will explain how and why Thirdbridge’s policy, centered on the use of a password manager, is much better suited to today’s reality. Specifically, we will address password entropy, uniqueness, breaches on the deep web, phishing protection, and fostering a security culture.
The Thirdbridge Version
Currently, Thirdbridge’s password management policy can be summarized as follows:
Thirdbridge members must install the 1Password application as well as the browser extension of their choice. Each password must be generated by 1Password and achieve a “Fantastic” score.
Although this formulation is very simple and does not contain specific guidelines on password content, the integration of a tool like 1Password makes it much more relevant for a variety of reasons.
Thirdbridge is neither affiliated with nor sponsored by 1Password. While the following text may sound like an advertisement, there are several competitors offering similar products. That being said, at Thirdbridge, we particularly appreciate 1Password.
A “Fantastic” password
As mentioned in our policy, passwords must achieve the “Fantastic” score when created in 1Password. This score is based on sophisticated criteria that incorporate a multitude of parameters.
Reusing Passwords
Unless you have a photographic memory, it’s practically impossible to remember a different secure password for each digital tool used in your work. Without a password manager, the reality is that most people reuse the same password across multiple accounts, which poses a huge security risk.
Because we require 1Password for creating all passwords, any password reuse is detected automatically: 1Password will not assign the Fantastic score in such cases. Problem solved!
Breach Detection
When creating a password in 1Password, an automatic check is performed to confirm that the chosen password has never been compromised in a previous breach and is not available on the deep web.
While it is true that many web browsers now offer this functionality by default, several other interfaces, especially less modern ones, lack this kind of sophisticated verification. With 1Password, this protection is systematically integrated, regardless of the interface being used.
Entropy
In extremely simple terms, entropy can be described as the level of randomness in a password. The higher the entropy, the harder it is to guess or crack the password. 1Password uses this approach to evaluate password strength, instead of relying on the inclusion of a mandatory set of characters. With this approach, it is possible to generate extremely secure passwords even for archaic systems where, for instance, the use of special characters is blocked by an enterprise firewall.
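To make the comparison concrete, the added example below (not Thirdbridge's or 1Password's code) checks passwords against the traditional rule set quoted earlier and computes the entropy of randomly generated passwords as length × log2(alphabet size). The 100-bit target and the lowercase-plus-digits alphabet for a restrictive legacy system are assumptions chosen for illustration.

```python
import math
import re
import secrets
import string

def meets_traditional_policy(pw: str) -> bool:
    """The rule set quoted earlier: 10+ chars, digit, lower, upper, special."""
    return (len(pw) >= 10
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def generated_entropy_bits(length: int, alphabet: str) -> float:
    """Entropy of a password whose characters are drawn uniformly and
    independently from `alphabet`. Valid only for random generation,
    not for passwords a person made up."""
    return length * math.log2(len(set(alphabet)))

def length_for_bits(target_bits: float, alphabet: str) -> int:
    """Shortest random password over `alphabet` reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(len(set(alphabet))))

def generate(length: int, alphabet: str) -> str:
    """Draw each character with a cryptographically secure RNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Assumed alphabets: a legacy system that rejects special characters and
# uppercase, versus every printable ASCII symbol.
RESTRICTED = string.ascii_lowercase + string.digits                # 36 symbols
FULL = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
TARGET_BITS = 100  # assumed strength target, not a 1Password threshold

if __name__ == "__main__":
    # Passes every traditional rule despite being a dictionary word + suffix.
    print("Password1! compliant:", meets_traditional_policy("Password1!"))
    n = length_for_bits(TARGET_BITS, RESTRICTED)
    pw = generate(n, RESTRICTED)
    print(f"{n} random chars, restricted alphabet:",
          f"{generated_entropy_bits(n, RESTRICTED):.1f} bits,",
          "compliant:", meets_traditional_policy(pw))
    print("10 random chars, full alphabet:",
          f"{generated_entropy_bits(10, FULL):.1f} bits")
```

A 20-character random password over the restricted alphabet fails the traditional checklist yet carries more entropy than a 10-character random password that uses every character class.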
Phishing
The requirement to install the browser extension is not arbitrary. Not only does it offer a much smoother user experience, but it also helps protect against another attack vector.
During our last phishing simulation campaign, we tried to mislead people into entering their credentials on a fake platform that was visually identical to the original. Several colleagues mentioned that the lack of autofill from 1Password tipped them off. While in our case it was only a simulation, phishing remains the most common attack vector to this day! According to the 2023 State of the Phish report, no less than 84% of companies fell victim to a successful attack, sometimes with disastrous consequences.
Thus, although, unlike Passkeys, it is not an infallible solution against phishing, using the browser extension still significantly enhances the level of protection.
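The reason autofill stays silent on a visually identical fake page is that a password manager compares the page's address, not its appearance, with the address saved alongside the credential. The added example below is a simplified model of that check and is not 1Password's actual matching logic; the exact-origin rule and all URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def origin(url: str):
    """Return (scheme, host, port) as a browser would see it."""
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix and lowercases the host.
    host = (parts.hostname or "").rstrip(".")
    port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, host, port)

def should_autofill(saved_url: str, page_url: str) -> bool:
    """Assumed rule: offer the credential only on HTTPS pages whose
    origin equals the origin stored with the login item."""
    page = origin(page_url)
    return page[0] == "https" and page == origin(saved_url)

# Constructed sample data: one saved login and pages a user might land on.
SAVED = "https://login.example.com/"
PAGES = {
    "genuine":          "https://login.example.com/signin?next=/",
    "lookalike suffix": "https://login.example.com.evil.test/signin",
    "userinfo trick":   "https://login.example.com@evil.test/",
    "homoglyph host":   "https://login.ex\u0430mple.com/",  # Cyrillic 'a'
    "plain http":       "http://login.example.com/",
}

def evaluate(saved: str = SAVED, pages: dict = PAGES) -> dict:
    """Map each page label to whether autofill would be offered."""
    return {label: should_autofill(saved, url) for label, url in pages.items()}

if __name__ == "__main__":
    for label, offered in evaluate().items():
        print(f"{label:18} autofill offered: {offered}")
```

Only the genuine page matches; every other entry looks plausible to a person reading the address bar quickly but resolves to a different origin, so no credential is offered.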
Security Culture
Another benefit of our approach is its increased visibility. For instance, whether during a screen-sharing session or an in-person work meeting, it’s very easy to notice if a colleague logs into a site without using 1Password. The goal is not to shame anyone or impose consequences. On the contrary, a simple friendly reminder is often enough to effectively instill proper password management hygiene.
In conclusion, we firmly believe that linking our internal password management policy to a tool like 1Password is the best way forward. Templates provided by law firms or consulting companies that merely list fixed criteria are, in our view, sterile documents meant solely to check a box in a legal or compliance process. Instead, we aim to build a company culture where security is a central element guiding our daily actions.
Thirdbridge clients can rest easy: The emphasis placed on creating secure passwords through 1Password ensures a high level of security for access to sensitive client data and their own!