Passwork Blog

Latest — Oct 7, 2025

Passwork: Secrets management and automation for DePasswork: Secrets management and automation for DevOpsvOps

Introduction

In corporate environment, the number of passwords, keys, and digital certificates is rapidly increasing, and secrets management is becoming one of the critical tasks for IT teams.

Secrets management addresses the complete lifecycle of sensitive data: from secure generation and encrypted storage to automated rotation and audit trails. As organizations adopt cloud infrastructure, microservices, and DevOps practices, the challenge intensifies — applications need seamless access to credentials while maintaining zero-trust security principles.

IT departments and DevOps teams face situations where there are too many secrets that become difficult to structure, control, and protect. In real-world projects, these secrets scatter across config files, environment variables, deployment scripts, and occasionally surface in public repositories.

What is secrets management

Secrets management is a cybersecurity best practice and set of tools for securely storing, managing, accessing, and rotating digital authentication credentials used by non-human identities such as applications, services, servers, and automated workloads.

Such secrets include passwords, passphrases, SSH, API and encryption keys, access tokens, digital certificates, and any other credentials that enable secure access to infrastructure.

Why secrets management matters

Protecting confidential information is a key priority for any business. Secrets require strict control at every stage of their lifecycle. That's just a few benefits of proper secrets management:

Centralized storage. All passwords, keys, and tokens are stored in a single protected repository, preventing them from ending up in open docs, scripts, or source code, reducing the risk of leaks and unauthorized access.
Flexible access management. The system allows individualized determination of who can access which secrets, whether individual employees, groups, or service accounts. This helps implement the principle of least privilege and reduces potential attack vectors.
Complete control and operational transparency. Every request is logged: you can track who, when, and what actions were performed. Auditing facilitates regulatory compliance and makes security processes maximally transparent.
Automated rotation. Passwords and keys are regularly updated automatically, on schedule or when threats are detected. This saves IT resources and reduces the likelihood of using outdated or compromised data.
Integration with infrastructure and DevOps. Access to secrets is provided through API, CLI, SDK, and plugins, simplifying system integration with CI/CD pipelines, cloud platforms, containers, and databases.
Rapid incident response. A centralized approach allows quick revocation or replacement of vulnerable secrets, minimizing incident consequences and preventing threat propagation within the company.

Without a unified solution, secrets often "wander" through configuration files and source code, complicating their updates and increasing compromise risks. Corporate password managers solve this task, but not all of them support the necessary automation for modern DevOps processes.

Passwork: More than a password manager

Passwork started as a corporate password manager — a simple and convenient tool for storing credentials. But modern IT teams need more: automation, integration, and programmatic access to secrets.

With Passwork 7, the platform evolved beyond traditional password storage into a full-fledged secrets management system.

API-first architecture

Passwork is built on API-first principles. This means that every function available in the UI is available through REST API.

The API provides programmatic access to all system functions: password management, vaults, folders, users, roles, tags, file attachments, and event logs. This enables you to automate access provisioning and revocation, update passwords programmatically, integrate Passwork into CI/CD pipelines, and export logs for analysis.

Two products in one

In other words, Passwork now combines two full-fledged products:

Password manager — intuitive interface for secure credential storage and team collaboration.
Secrets management system — programmatic access through REST API, Python connector, CLI, and Docker container for workflow automation.

Automation tools

Python connector

Passwork's official Python connector eliminates the complexity of working with low-level API calls and cryptography. Manage secrets through simple methods—no manual HTTP request handling or data transformations required.

Usage example:

from passwork_client import PassworkClient

client = PassworkClient(host="https://passwork.example.com")
client.set_tokens("ACCESS_TOKEN", "REFRESH_TOKEN")  # pass tokens
client.set_master_key("MASTER_KEY")  # master key for decryption

# create vault and password
vault_id = client.create_vault(vault_name="DevOps", type_id="vault_id_type")
password_data = {
    "Name": "Database PROD", 
    "vaultId": vault_id,
    "title": "DB prod",
    "login": "admin",
    "password": "secure-password",
    "url": "https://db.example.com"
}
password_id = client.create_item(password_data)

# retrieve and use password
secret = client.get_item(password_id)
print(secret['password'])

Key features:

Simple methods like create_item(), get_item(), create_vault() handle all operations; no manual HTTP requests needed
Client-side cryptography — master key never leaves your environment
Connector automatically saves, restores, and refreshes tokens
Universal call() method enables access to any API endpoint, even those without dedicated methods

The Python connector accelerates automation and integration without unnecessary complexity.

CLI utility

For shell script and CI/CD automation, Passwork CLI provides a universal tool with two operating modes:

exec — extracts secrets, creates environment variables, and runs your process. Passwords are never saved and are only available during execution.
api — calls any Passwork API method and returns JSON responses.

Key features:

Passwords injected as environment variables
Secrets automatically loaded in CI/CD pipelines
Temporary variables enable service account operations
Native integration with Ansible, Terraform, Jenkins, and similar tools

Usage examples

Retrieve a password and execute a command:

# Export environment variables
export PASSWORK_HOST="https://passwork.example.com"
export PASSWORK_TOKEN="your_token"
export PASSWORK_MASTER_KEY="your_master_key"

# Retrieve password by ID and run MySQL client
passwork-cli exec --password-id "db_password_id" mysql -u admin -h localhost -p $DB_PASSWORD database_name

Running script with multiple secrets:

passwork-cli exec \
  --password-id "db123,api456,storage789" \
  deploy.sh --db-pass=$DATABASE_PASSWORD --api-key=$API_KEY --storage-key=$STORAGE_KEY

Getting vault list through API:

passwork-cli api --method GET --endpoint "v1/vaults"

The CLI supports tag and folder filtering, custom fields, token refresh, and flexible configuration for diverse automation scenarios.

Docker container

For CI/CD integration, the official passwork/passwork-cli Docker image enables quick CLI launches in isolated environments.

Launch example:

docker run -it --rm \
  -e PASSWORK_HOST="https://passwork.example.com" \
  -e PASSWORK_TOKEN="your_access_token" \
  -e PASSWORK_MASTER_KEY="your_master_key" \
  passwork-cli exec --password-id "db_password_id" mysql -h db_host -u admin -p $DB_PASSWORD db_name

Key features:

Ready for GitLab, Bitbucket Pipelines, and docker-compose workflows
Secrets easily passed between containers

How we automate password rotation

Regular password changes are a fundamental security requirement, but manual rotation introduces risk and wastes time. Passwork enables complete automation through the Python connector.

Rotation workflow:

Retrieve current password from Passwork (get_item)
Generate new secure password
Change password in target system (e.g., ALTER USER for databases)
Update record in Passwork (update_item)
Notify team of completion

Example implementation:

from passwork_client import PassworkClient
import secrets
import psycopg2

def rotate_db_password(passwork_host, accessToken, refreshToken, master_key, password_id, db_params):
    client = PassworkClient(passwork_host)
    client.set_tokens(accessToken, refreshToken)
    client.set_master_key(master_key)
    
    secret = client.get_item(password_id)
    current_password = secret['password']
    new_password = secrets.token_urlsafe(32)
    
    conn = psycopg2.connect(
        dbname=db_params['db'], 
        user=db_params['user'],
        password=current_password, 
        host=db_params['host']
    )
    
    with conn.cursor() as cur:
        cur.execute(f"ALTER USER {db_params['user']} WITH PASSWORD '{new_password}'")
    conn.commit()
    
    client.update_item(password_id, {"password": new_password})
    print("Password successfully rotated and updated in Passwork")

Benefits:

Fully automated rotation eliminates manual actions and human error
New password immediately available to the entire team—no delays or communication gaps

Security: Zero knowledge and encryption

Passwork implements Zero knowledge architecture: the server never accesses secrets in plain text. Even administrators with full infrastructure access cannot read your data.

Server-side encryption — All secrets stored encrypted on the server. Suitable for internal networks and standard security requirements.
Client-side encryption (CSE) — Secrets encrypted on the client before transmission; only ciphertext reaches the server. Master key derived from user's master password. Essential for cloud deployments or strict compliance requirements.

Choosing your model:

Cloud deployment or strict compliance → Enable CSE
Internal network with standard requirements → Server-side encryption sufficient

Authorization and tokens

Passwork API uses a token pair: accessToken and refreshToken.

Access token — Short-lived credential for API requests
Refresh token — Enables automatic access token renewal without re-authorization

The Python connector handles token refresh automatically, ensuring stable integrations without manual intervention.

Security best practices:

Create dedicated service accounts — Assign minimal permissions, grant access only to required vaults and folders
Rotate tokens regularly — Set expiration policies and refresh credentials on schedule
Secure token storage — Use environment variables or dedicated secret vaults (never hardcode)
Enforce HTTPS — Always use encrypted connections for API communication

Conclusions

Passwork has evolved from a password manager into a comprehensive secrets management platform. The open API, Python connector, CLI, and Docker image enable seamless integration into any workflow while centralizing secrets with granular access control.

For administrators: Reliable storage with built-in automation capabilities.

For developers and DevOps: Production-ready API and tools for secure secrets handling.

Passwork consolidates what typically requires multiple solutions into a single system with unified management. This reduces operational overhead, simplifies rotation workflows, and provides IT and development teams with transparent security controls.

As a secrets management platform, Passwork delivers protected, scalable infrastructure that adapts to your organization's needs.

See how Passwork automates credential lifecycle management in your infrastructure. Get free demo with full API access.

Passwork: Secrets management and automation for DevOps

Passwork

Sep 19, 2025 — 8 min read

Vault types

Passwork 7.1 introduces a robust vault types architecture, providing enterprise-grade access control for enhanced security and management. Vault types address a key challenge for administrators: controlling data access and delegating vault management across large organizations. Previously, the choice was limited to two types. Now, you can create custom vault types tailored to any task or organizational structure.

For each department or project, you can create a dedicated vault type, assign specific administrators, choose creator permissions, and define who can create vaults of this type.

For example, you can create separate vaults for IT department, finance, HR, or temporary project teams. Administrators assigned to a specific vault type will be automatically added to all new vaults of this type, ensuring constant control and transparency.

What are vault types

Vault types allow administrators to establish vault templates with predefined access management settings. For each vault type, you can designate specific administrators, configure vault creator permissions, and set rules or restrictions for creating new vaults.

You can organize vaults by department, project, or access level, ensuring that permissions are assigned accurately

When a vault is created, administrators specified in the vault type settings are automatically granted access. These administrators cannot be removed or demoted, ensuring that key personnel — such as department heads or IT administrators — always retain control over critical data.

Basic vault types

Passwork has two basic vault types: User vaults and Company vaults — they cannot be deleted or renamed:

User vaults: By default, these are accessible only to their creators and are categorized as either private or shared. A private vault becomes shared when the owner of this vault grants access to other users.
Company vaults: These vaults are available to both the creator and corporate administrators, who are automatically assigned access. Corporate administrators cannot be removed or demoted, ensuring continuous oversight and control.

Besides basic types, you can create unlimited custom vault types.

Advantages of vault types

Vault types empower Passwork administrators to control who can create vaults, automatically assign administrators who cannot be removed, and effectively manage creator permissions.

Constant control: New vaults of a specific type automatically include non-removable administrators, ensuring continuous access to critical data and consistent security standards across all vaults of the same type.
Permission flexibility: You can allow users to create vaults while restricting certain actions, such as prohibiting them from inviting other users.
Delegation: Vault types enable granular permission distribution — for example, the IT director can manage IT vaults, while the sales director oversees sales department vaults.
Audit and analysis: Easily view all vaults in the system, along with their types and associated users, and quickly adjust vault types as needed.
Streamlined vault creation: No need to configure permissions from scratch each time.

Vaults of all types support a multi-level, folder-based structure, allowing administrators to create hierarchies with nested elements

Managing vault types

On the Vault settings page, you can manage all vault types, view their list, and configure action access permissions. Access to this section is controlled by individual role permissions, ensuring that only authorized users can modify critical settings.

Creating vault types

You can choose from basic vault types or create your own custom types. To set up a custom vault type, click Create vault type.

The vault type creation window offers the following options:

Name — specify the vault type name.
Administrators — select users who will be automatically added to all vaults of this type with Administrator permissions.
Creator access — define the access level granted to users who create vaults of this type. For example, you can allow employees to create vaults without permitting them to invite other users.
Who can create vaults — determine who is allowed to create vaults of this type: specific users, groups, roles, or all users.

Editing vault types

Users with access to the Vault types tab can modify vault types by renaming them, adding or removing administrators, and updating vault creation permissions. To edit a vault type, select it from the list of all types and adjust the necessary fields.

If a user is added as an administrator to an existing vault type, you must confirm the request to grant them access to the corresponding vaults.

Important: When you remove an administrator from a vault type, they keep their access to all existing vaults of that type. However, you can then remove them from individual vaults or change their permissions.

Deleting vault types

To delete a vault type, select one or more types on the Vault types tab and click Delete in the dropdown menu at the top of the list.

Important: Vault type cannot be deleted if there is at least one existing vault of that type.

Audit and vault type change

On the All vaults tab, you can view all vaults along with their types, user lists, and administrators. Additionally, you can quickly change a vault’s type — for example, when a department is reorganized or a new project is created.

You have the option to filter vaults by type or display only those to which you have access.

Settings

The Settings tab makes it possible to define the minimum required access level for performing specific actions within directories, as well as set the maximum file size for attachments linked to passwords.

Migration from previous versions

When migrating from previous versions, you can assign a vault type to imported vaults in the vault import window, provided you choose the option to import to the root directory.

When upgrading from Passwork 6 to version 7, the system automatically converts existing vaults:

Private vaults remain private and receive the Private/Shared vaults type. Your permissions and access rights remain unchanged.
Shared vaults also receive the Private/Shared vaults type. All users and their permissions are preserved.
Organization vaults are converted to company vault type. Administrators are restored and become non-removable, with the access structure preserved.

Frequently asked questions

What's the difference between vault types and regular vaults? Regular vaults are containers for storing passwords. Vault types are rules and templates that define how vaults of a specific type are created and managed.
Is it mandatory to use vault types? No, using custom vault types is not mandatory. You'll always have access to basic types: private vaults for personal passwords and shared vaults for passwords users share independently.

For complex corporate structures and access policies, we recommend creating custom vault types — this ensures the necessary level of control and compliance with security requirements

How do corporate administrators differ from regular ones? Corporate administrators are users who automatically receive administrator rights in all vaults of a specific type. Assigning corporate administrators ensures permanent control over critical data.

Key features: administrators are added to vaults automatically upon creation, they cannot be removed or have their access level downgraded, and changes to the vault type apply to all vaults of that type.

Can I change administrators in an existing type? Yes, you can modify the list of administrators in the vault type settings. When adding a new user, the system automatically creates requests to add the new administrator to all existing vaults of that type.

To remove a user from corporate administrators, delete them from the vault type's administrator list and, if necessary, from all vaults of that type. As long as an administrator is specified in the vault type, they cannot be removed from individual vaults.

How do I restrict who can create vaults of a specific type? When creating or editing a vault type, go to Who can create vaults and choose one of the options: All users — any user can create a vault of this type, or limited access — only selected users, roles, or groups.
Can I change the type of an existing vault? Yes, you can change an existing vault's type, but only if you have administrator rights in that vault. When changing the type, corporate administrators of the new type are automatically added to the vault, new access rules are applied, and user connection requests are created.
Why can't I remove certain administrators from a vault? If you cannot remove administrators from a vault, they are corporate administrators. Corporate administrators can only be removed by changing the corresponding vault type setting (requires administrator rights).

Basic use cases

Prohibit private vaults creation

Task: Prevent employees from creating private vaults.
Solution: In Vault settings, open the User vaults type. In Who can create vaults, remove all users or leave only those who need to retain this right.

Vaults with mandatory administrators

Task: All vaults created by users must include corporate administrators.
Solution: In Vault settings, create one or more new vault types. In the Administrators section, add the required users (corporate administrators) — they will automatically be added to all vaults of this type with rights that cannot be changed or revoked. Prohibit creation of other vault types.

Private vaults creation without user invitation rights

Task: Allow users to create their own vaults but prohibit inviting other users.
Solution: In Vault settings, create a new type with Full access level for the creator—this level prohibits adding other users.

Delegating administrative responsibilities

Task: Configure the system so different departments or projects have their own administrators.
Solution: In Vault settings, create separate types for each department and add corresponding roles.

Limit vault management

Task: Prevent administrators from viewing the list of all vaults, managing vault types, and access level settings.
Solution: In role settings, open the Administrator role. In the Vaults section, disable the necessary permissions — you can restrict access to the section with the list of all vaults or to the entire Vault settings page.

Conclusion: Data control and efficiency

Vault types address a key challenge for growing companies: controlling data access without overwhelming the IT department. Administrators automatically gain access to new vaults of their type, while department heads can manage data independently. Passwork scales with your organization, ensuring data remains secure, processes are automated, and employees can work efficiently.

Ready to take the first step? Try Passwork with a free demo and explore practical ways to protect your business.

Passwork 7.1: Vault types

Releases

Sep 18, 2025 — 1 min read

Version 2.0.27

Further improved clickjacking protection: added blocking of clicks on hidden elements and checking for element overlap and CSS transformations
Fixed an issue when following a link from a notification to a deleted vault or password
Fixed an issue that could cause the extension to log out

Changes in versions 2.0.25 and 2.0.26

In version 2.0.25, pop-up window offering autofill was disabled to test the extension’s resistance to clickjacking attacks. Warnings about suspicious elements on webpages were also added.
In version 2.0.26, autofill pop-ups are available again, and you can now disable them for the entire organization. The extension automatically detects and blocks most common clickjacking methods.

You can disable pop-up autofill suggestions by adjusting the Content scripts setting in the Browser extension section of the system settings (available starting from Passwork 7.1.2).

The browser extension is available for Google Chrome, Microsoft Edge, Mozilla Firefox, and Safari.

Browser extension 2.0.26 release

Releases

Sep 18, 2025 — 1 min read

• Fixed an issue where a user's access level in vaults remained unchanged after the user was added as an administrator for that vault type

You can find all information about Passwork updates in our technical documentation.

Passwork 7.1.3 release

Releases

Sep 12, 2025 — 1 min read

Added an option to disable extension content scripts on the organisation level
Added an option to import passwords without names
Added more details to some of the actions in the activity log
Added a restriction on client-side changes to permissions and settings of your own role
Fixed an incorrect search behavior when adding users into a vault or a folder
Fixed an issue that caused "Action history" and "Editions" tabs not to appear under certain scenarios
Fixed an issue that caused a password attachment download to fail if the hashes did not match

You can find all information about Passwork updates in our technical documentation.

Passwork 7.1.2 release

Releases

Sep 8, 2025 — 2 min read

In the new version, we have introduced the capability to create custom vault types with automatically assigned administrators, refined the inheritance of group-based access rights and handling of TOTP code parameters, as well as made numerous fixes and improvements.

Vault types

In Passwork 7.1, you can create custom vault types with flexible settings tailored to your organization’s needs:

Each vault type allows you to assign dedicated administrators, set restrictions on vault creation and define a creator's access level
When you create a vault or change it's type, select corporate administrators automatically gain access to it. Other administrators won't be able to lower their access level or remove them altogether
Now you can set up different vault types for various departments or projects, assign relevant administrators, and configure permissions for specific tasks

Viewing all system vaults

We've added an ability to view all vaults created within the organization, including the private ones. The list displays only the names of the vaults as well as users and groups that have access to them, while the vault contents are still available strictly to users with direct access. This opens up extensive opportunities for system-wide data storage audits. Access to the vault list is determined by role settings.

Improvements

Improved the logic of inheriting access from multiple groups: now if a user belongs to groups with both "Full access" and "Forbidden" rights to a specific directory, the 'Forbidden' access level will be applied
Added "Access level required to leave vaults" and "Access level required to copy folders and passwords" settings
Added the option to show a custom banner to unauthenticated users: when the "Show to unauthenticated users" option is enabled, the banner will be visible on the sign-in, sign-up, master password and password reset pages
Added processing of digits and period parameters during TOTP code generation
Added clickable links to vaults, folders, passwords, roles, groups, and users in notifications
Added transfer of user session history when migrating from Passwork 6

Bug fixes

Fixed an issue where the 2FA setup page did not appear when logging into Passwork after enabling "Mandatory 2FA" in role settings
Fixed incorrect counting of failed login attempts with active "Limit on failed login attempts within a specified time frame" setting
Fixed an issue where mobile app and browser extension sessions were not reset after disabling "Enable mobile apps" and "Enable browser extensions" in role settings
Fixed an issue where Activity log filtered by a particular vault showed events from folders inside the vault: now, only events at the selected nesting level are displayed
Fixed an issue where a search by color tag did not work for some passwords
Fixed an issue where user data could be updated on LDAP login despite disabled "Allow user modification during LDAP synchronization" setting
Fixed an issue in the export window where unchecking all folders inside a vault also unchecked the vault itself
Fixed incorrect behavior of the "Automatically log out after inactivity" setting
Fixed incorrect display of notes
Fixed incorrect redirect to the password's or shortcut's initial directory after editing these items in Favorites
Fixed an issue where the item deletion date in the Bin was reset during migration from Passwork 6

You can find all information about Passwork updates in our technical documentation.

Ready to take the first step? Try Passwork with a free demo and explore practical ways to protect your business.

Passwork 7.1 release

Webinar

Aug 29, 2025 — 4 min read

Incident response planning — preparedness vs. reality

Introduction
Preparation and real-world testing
Coordination across teams and vendors
Tools and technologies for an effective response
Compliance and continuous improvement
Conclusion

Introduction

As cyber threats continue to evolve, organizations face increasing pressure to respond quickly and effectively to security incidents. But how well do incident response plans hold up when theory meets reality? This was the central theme of the Passwork cybersecurity webinar in August 2025, featuring insights from Prince Ugo Nwume, cybersecurity consultant at Accenture, and CircleMac, host of the Passwork webinar series.

Preparation and real-world testing

Incident response plans must be living documents, not static checklists. While tabletop exercises help teams understand their roles, only real-world simulations expose true gaps in preparedness. Annual testing is the bare minimum, in regulated industries, quarterly or biannual reviews are often required.

"Tabletop exercises are great, but you need more — actual crisis simulations and drills show what works and what doesn't" — Prince Ugo Nwume

Drills and red team challenges frequently reveal overlooked weaknesses. The cybersecurity consultant recalled a load balancer left at a disaster recovery site that unexpectedly became an entry point for attackers. Continuous improvement requires immediate after-action reviews, regular updates to playbooks, and staff training that directly addresses real-world gaps.

Coordination across teams and vendors

Clear communication and decision-making authority are critical. Effective incident response depends on cross-functional cooperation among IT, legal, HR, communications, and business units. A dedicated incident coordinator helps ensure priorities are aligned and decisions are made without delay.

"When an incident happens, every team has its priorities. You need defined lines of communication and authority — otherwise, you risk making the situation worse." — Prince Ugo Nwume

Third-party vendors, including cloud providers, add another layer of risk. Contracts should specify SLAs, audit rights, and clear escalation procedures for incident response.

"Third-party risk is always a challenge — you need to safeguard your business by demanding strong security practices from vendors" — Prince Ugo Nwume

Tools and technologies for an effective response

Technology is at the core of rapid incident response. Password managers help organizations accelerate credential resets, simplify access reviews, and contain breaches more effectively. Best practices include enterprise-wide adoption, regular audits, and immediate credential changes during an incident.

"Password managers make it easier to change credentials, monitor access, and prevent attackers from persisting in your environment" — Prince Ugo Nwume

Cloud-native environments introduce both simplicity and complexity. Shared responsibility requires clear definitions of what belongs to the organization versus the provider. Rapid communication channels and frequent contract reviews are essential for compliance and responsiveness.

Measure success by checking KPIs and benchmarks:

Mean time to detect
Mean time to resolve
False positive rates

Tracking these metrics over time enables organizations to refine their incident response programs and adapt to emerging threats.

Compliance and continuous improvement

Global organizations must align with evolving legal and regulatory requirements through annual reviews, gap assessments, and GRC oversight.

"Compliance is a moving target. You need standardized frameworks and regular gap assessments to keep up." — Prince Ugo Nwume

But technical controls alone are not enough. Responding to major incidents places enormous pressure on people. Prince stressed the importance of caring for teams.

"You need to support your team — reward their effort and build a culture where people want to step up when it matters" — Prince Ugo Nwume

Shift rotations, recognition, and a culture of resilience help ensure teams stay motivated and capable during prolonged crises.

Conclusion

Incident response planning requires ongoing preparation, cross-team collaboration, and continuous improvement. As the cybersecurity consultant highlighted, real adaptability comes from robust controls, practical training, and a culture of vigilance. Tools like Passwork and standardized procedures are essential, but success depends on adaptability and teamwork. Incident response plans must be living documents, not static checklists.

Preparation and practice are key
Cross-functional coordination and clear authority are essential
Password managers are a cornerstone of rapid response
Global compliance requires standardized frameworks
Team resilience and well-being matter

Ready to take the first step? Try Passwork with a free demo and explore practical ways to protect your business.

Incident response planning: Preparedness vs. reality

InfoSec

Aug 22, 2025 — 7 min read

GDPR password security: Guide to effective staff training

Introduction

GDPR password security is an essential component of modern data protection strategies and a key aspect of GDPR compliance. Under the General Data Protection Regulation (GDPR), organizations are legally required to implement special technical and organizational measures to safeguard personal data. Passwords remain the most common authentication mechanism, and they also represent one of the weakest links in information security when poorly managed.

According to Verizon Data Breach Investigations Report 2024, human error, including credential misuse, remains a significant factor in data breaches, accounting for a substantial percentage of incidents. This highlights the critical need for effective employee training in GDPR password security. Strong technical tools are vital, but security gaps quickly appear if employees aren’t properly trained. This article examines best practices for employee training, identifies common mistakes, and demonstrates how business can mitigate risks through practical policies and modern tools.

GDPR requires organizations to demonstrate accountability. That means it is not enough to set policies. Businesses must prove that employees understand and apply them. Password misuse remains one of the most frequent root causes of data breaches, often associated with weak or reused credentials.

From a regulatory perspective, insufficient password controls can be interpreted as a failure to apply "appropriate technical and organizational measures" under Article 32 of GDPR. This translates into direct financial and reputational risks, making cybersecurity training a critical investment.

Training employees is the bridge between abstract policy and daily practice. By equipping staff with knowledge and tools, companies not only reduce the risk of data breaches and cyberattacks but also create an auditable record of compliance.

Effective GDPR password security training is not a one-time event but a continuous process. Employees must see security as part of their daily responsibilities rather than an annual compliance requirement. These are practical recommendations for employee training:

Ongoing, concise learning
Short, frequent sessions are far more effective than long, one-off seminars. Use onboarding modules, quarterly refreshers, and targeted updates after incidents. For example, new hires can generate their first password directly in a password manager, immediately experiencing how the system enforces company-wide security policies.

Learn by doing with simulations
Real-world simulations make lessons stick. A phishing exercise or a mock "compromised shared password" scenario shows how a single mistake can endanger the organization. In the Passwork password manager, such training can be replicated when the system flags outdated or reused passwords, prompting employees to walk through the secure update workflow with full audit logging.

Modern and practical password policies
Overly complex rules often push staff into shortcuts. Instead, focus on length, uniqueness, and blocking reuse. Passwork automates this by generating strong, unique passwords and preventing weak combinations, eliminating the burden of memorization and reducing risky workarounds.

Seamless integration with daily workflows
Employees are more likely to follow secure practices when security tools are built into their routine. Passwork integrates with LDAP and SSO, allowing staff to log in with their standard corporate accounts while administrators gain centralized oversight of accounts and groups.

Role-based training and access control
Different departments face different risks: general staff deal with operational routine issues, finance teams — with fraud attempts, and IT teams manage critical systems. Passwork role-based access control (RBAC) allows employees to see firsthand that they have access only to the credentials required for their role, no more.

A no-blame reporting culture
Security only works when staff feel safe reporting mistakes. Passwork provides audit trails and real-time alerts for critical events, enabling quick remediation and turning incidents into learning opportunities instead of sources of punishment.

The most successful programs blend practical exercises, clear communication, and tools that reinforce correct behavior at the point of use. With platforms like Passwork, secure practices become effortless, turning password management from a weak point into a core strength for compliance and resilience.

Common mistakes employees make with passwords

Despite awareness campaigns, many companies continue to face recurring issues in password behavior. These mistakes point out a gap between policy and practice, where employees either misunderstand requirements or prioritize convenience over security. Recognizing these pitfalls is the first step in addressing them through training and enforcement. Even in organizations with formal password policies, employees often fall into predictable traps:

Reusing passwords across multiple systems
Choosing weak or guessable patterns such as names, dates, or simple sequences
Storing credentials insecurely on notes, spreadsheets, or messengers
Failing to update compromised passwords after breaches
Bypassing complex policies with shortcuts (e.g., adding "1!" each time)
Neglecting multi-factor authentication (MFA) setup, even when available, is a common oversight that significantly weakens access control

Passwork helps businesses eliminate these problems systematically. Zero Knowledge architecture and AES-256 encryption ensure data protection by design. LDAP and SSO integration simplify authentication, and RBAC provides granular access control so that employees only see what they are authorized to use. Multi-factor authentication (MFA) further reduces risks if a password is compromised. Built-in audit trails and real-time monitoring enable security leaders to swiftly identify and address issues such as password reuse and weak credential creation. Employees naturally adopt secure practices, closing the gap between policy and daily behavior.

Companies that fail to secure passwords face multiple risks:

Regulatory fines of up to €20 million or 4% of global turnover or non-compliance with GDPR requirements
Operational disruptions if accounts are locked or compromised
Financial loss from investigations, lawsuits, and compensation
Reputational damage and customer churn
Supply chain risks occur when compromised passwords affect partners

Password training is universally important, but some industries face higher stakes:

Healthcare. Medical records are highly sensitive and overlap with HIPAA.
Finance. Passwords protect transactions and client trust.
Legal and consulting. Compromised credentials can expose client data.
Public sector and education. High user volumes and limited budgets make password training a critical necessity.
Technology and SaaS. Shared developer credentials and API keys require strict governance and oversight.

These risks represent everyday realities across industries. The vast majority of attacks exploiting weak passwords are opportunistic rather than targeted, meaning any business that relies on outdated password practices is automatically at risk. Poor password security is no longer just an IT issue. It is a strategic business risk with legal, financial, and reputational consequences.

By adopting strong training programs and enterprise-level solutions like Passwork, organizations can transform passwords from a liability into a managed part of their security posture.

Conclusion

GDPR password security is both a compliance requirement and a business safeguard. Employee training transforms password policies from abstract rules into daily habits that protect data, reduce risk, and demonstrate accountability.

Security leaders should combine concise training sessions, simulations, practical password policies, and strong technical tools. By embedding Passwork into this ecosystem, organizations both educate staff and provide them with resources to comply effortlessly. Training is about building a security culture where GDPR password security becomes second nature, protecting the business and its customers.

Q: What does GDPR say about passwords?
A: GDPR does not prescribe exact password rules (e.g., "must be 12 characters long"). Instead, Article 32 requires organizations to implement "appropriate technical and organizational measures" to ensure data security. This is a risk-based approach. For passwords, this means your policies (length, complexity, MFA) must be strong enough to protect the specific personal data you process. A failure to enforce strong password hygiene can be interpreted as a direct violation of this requirement, leading to significant fines.

Q: How can we make security training engaging so employees actually pay attention?
A: The key is to move beyond passive lectures. Effective training is interactive and context-driven. Use gamification (e.g., leaderboards for completing security quizzes), real-world phishing simulations, and role-playing scenarios where teams must respond to a mock data breach. Tying training directly to the tools they use daily, like a password manager, makes the lessons practical. For example, instead of just talking about strong passwords, have them generate one in the company's password manager during the training itself.

Q: What are the essential components of effective GDPR training?
A: Effective programs combine GDPR fundamentals with practical application. This includes secure password creation, using password managers, multi-factor authentication, breach response procedures, and role-specific scenarios to keep the content relevant.

Q: How does password training support GDPR compliance?
A: Documented training initiatives serve as proof of "appropriate technical and organizational measures" under Article 32. Good record-keeping shows regulators that employees have been properly trained and helps organizations track progress and demonstrate accountability during audits.

Q: What metrics prove training is effective?
A: Organizations should monitor the following metrics: reduced password-related incidents, stronger password strength scores, increased adoption of password management tools, and a decline in password reset requests. These metrics provide tangible evidence that training translates into improved security.

Ready to take the first step? Try Passwork with a free demo and explore practical ways to protect your business.

GDPR password security: Guide to effective staff training

Webinar

Aug 21, 2025 — 5 min read

Cloud security: Shared responsibility or shared confusion?

Introduction

Cloud security remains one of the most debated topics in modern IT. As organizations continue their migration to cloud platforms, the question of "Who is responsible for what?" grows increasingly complex. In our latest Passwork webinar, cybersecurity lecturer David Gordon joined host Turpal to unpack the realities behind the shared responsibility model and why clear boundaries are still elusive for many teams.

"The shared responsibility model is a fundamental concept in cloud security that delineates where the cloud provider’s responsibilities begin and end, and where the client’s responsibilities begin and end" — David Gordon

The session explored practical examples, common pitfalls, and actionable strategies for CISOs and IT leaders navigating the blurred lines between cloud provider and client responsibilities.

The shared responsibility model: Theory vs practice

At its core, the shared responsibility model defines the security obligations of both the cloud provider (e.g., AWS, Azure) and the client. The provider is responsible for securing the infrastructure and network, while the client manages data, applications, and configuration within the cloud environment.

However, these boundaries shift depending on the service model:

Infrastructure as a service (IaaS). Clients carry most of the security burden, from OS patches to identity management.
Platform as a service (PaaS). Responsibility is more balanced, with providers handling the platform and clients managing data and application logic.
Software as a service (SaaS). Providers handle most security aspects, but clients must still manage user access and data governance.

While the model is theoretically clear, David highlighted that practical applications can sometimes be a little complex due to the dynamic nature of cloud services.

Where ambiguity leads to risk

Ambiguity in the shared responsibility model has been the root cause of several high-profile breaches. One of the most cited examples is the misconfiguration of AWS S3 buckets. Despite AWS securing the underlying infrastructure, clients failed to set proper permissions, resulting in sensitive data exposure.

"Some overly permissive permissions were granted to these S3 buckets, and that led to sensitive data being exposed to the public. That type of scenario is unfortunately not uncommon." — David Gordon

Other common missteps include:

Misconfigured identity and access management (IAM) rules
Failure to implement multi-factor authentication (MFA) on critical accounts
Assuming implicit security without verifying configurations

The lesson: never assume security is "built-in" by default. Clients must proactively manage their configurations and understand the nuances of each cloud service model.

Contracts, fine print, and operational realities

Cloud provider contracts aim to define shared security responsibilities, but operational realities often diverge from contractual language. CISOs and IT leaders must scrutinize the fine print, looking for:

Clear delineation of responsibilities. Understand exactly what the provider covers and what is left to the client.
Incident response procedures. Who is responsible for breach notification, investigation, and remediation?
Audit rights and transparency. Can you validate the provider’s controls and monitor their compliance?
Service-level agreements (SLAs). Are uptime, recovery, and security guarantees realistic and enforceable?

David cautioned that the detailed operational implications are sometimes not as clear as the contract language suggests, underscoring the need for ongoing review and negotiation.

Lessons learned: Avoiding misconfiguration

A recurring theme in the discussion was that most cloud-related incidents are not caused by flaws in the provider’s infrastructure, but rather by preventable mistakes made by clients. The biggest culprits are misconfigured permissions, lack of monitoring, and weak identity practices. These errors underscore the importance of treating configuration management as an ongoing discipline rather than a one-time setup. Training teams, conducting regular checks, and utilizing automated tools can significantly mitigate these risks.

"Just never assume implicit security. Yes, the cloud provider is responsible for the infrastructure, but you, the client, are 100% responsible for how you configure permissions on the cloud." — David Gordon

The webinar highlighted real-world strategies for minimizing risk and confusion:

Continuous education. Train teams to understand their responsibilities and the specifics of each cloud service model.
Regular audits. Periodically review configurations, permissions, and access controls.
Automated monitoring. Leverage tools to detect misconfigurations and anomalous activity in real time.
Collaborative planning. Foster open communication among security, IT, and business units to ensure a shared understanding.

Conclusion

Cloud security is not a static checklist — it is an ongoing partnership between provider and client. As David Gordon emphasized, "never assume implicit security." Success requires vigilance, clear communication, and a willingness to adapt as cloud services evolve.

The shared responsibility model is clear in theory, but ambiguous in practice
Misconfiguration, especially of storage and access controls, remains a leading cause of cloud breaches
Contracts should be reviewed for operational clarity, not just legal protection
Ongoing education, monitoring, and cross-team collaboration are essential for effective cloud security

At Passwork, we help organizations navigate the complexities of cloud security with tools that empower proactive management, robust access controls, and real-time monitoring. By understanding your responsibilities and building resilient processes, you can turn shared confusion into shared success.

Interested in more practical insights on cloud security? Stay tuned for our next webinar, explore our resources on password management, compliance, and insider threat prevention.

Passwork 7.1.4 release

Table of contents

Introduction

What is secrets management

Why secrets management matters

Passwork: More than a password manager

API-first architecture

Two products in one

Automation tools

Python connector

CLI utility

Docker container

How we automate password rotation

Security: Zero knowledge and encryption

Authorization and tokens

Conclusions

Further reading

Passwork: Secrets management and automation for DevOps

Table of contents

Vault types

What are vault types

Basic vault types

Advantages of vault types

Managing vault types

Creating vault types

Editing vault types

Deleting vault types

Audit and vault type change

Settings

Migration from previous versions

Frequently asked questions

Basic use cases

Prohibit private vaults creation

Vaults with mandatory administrators

Private vaults creation without user invitation rights

Delegating administrative responsibilities

Limit vault management

Conclusion: Data control and efficiency

Further reading

Passwork 7.1: Vault types

Version 2.0.27

Changes in versions 2.0.25 and 2.0.26

Browser extension 2.0.26 release

Passwork 7.1.3 release

Passwork 7.1.2 release

Vault types

Viewing all system vaults

Improvements

Bug fixes

Passwork 7.1 release

Introduction

Preparation and real-world testing

Coordination across teams and vendors

Tools and technologies for an effective response

Compliance and continuous improvement

Conclusion

Further reading

Incident response planning: Preparedness vs. reality

Table of contents

Introduction

Why training matters in GDPR password security

GDPR password security training: Best practices

Common mistakes employees make with passwords

Business risks of poor GDPR password security

Conclusion

FAQ: Frequently asked questions about GDPR password security training

Further reading

GDPR password security: Guide to effective staff training

Table of contents

Introduction

The shared responsibility model: Theory vs practice

Where ambiguity leads to risk

Contracts, fine print, and operational realities

Lessons learned: Avoiding misconfiguration

Conclusion

Further reading

Cloud security: Shared responsibility or shared confusion?