
Security Audit

Password security strength reporting in the Admin Console

End-User Security Audit

In each end-user's vault, the Security Audit screen provides information about the password strength and password reuse taking place. The calculation of password strength and reuse is performed continuously from the user's Vault on all platforms including Keeper Desktop, Web Vault, iOS and Android devices.

Keeper's Password 'strength' is a calculated score based on the complexity of the password, with a score rating between 0 and 100 according to the below metrics:

  • Weak: < 40

  • Fair: 40-59

  • Medium: 60-79

  • Strong: >= 80

Security Audit

Admin Console Report

To preserve Zero Knowledge, the summary of each end-user Security Audit score is encrypted with the Enterprise Public Key, then stored encrypted in the Keeper Cloud.

When the Admin logs into the Admin Console, the Audit Data is decrypted locally on the Admin Console device and made available for administrators in an aggregated format from the Security Audit screen.

Security Audit

The Security Audit screen provides summary and user-level security score information that includes:

  • Overall Security Score

  • Record Password Strength

  • Unique Record Passwords

  • Use of Two-Factor Authentication

For more information on how these scores are calculated, visit the following:

Security Audit Score Calculation

The Security Audit screen contains a table that displays the record password strength, unique record password count, and 2FA status for all users across the enterprise.

Security Audit - User Details Table

The table is sorted by default on the users' overall Security Audit score, showing users with the lowest Security Audit score first. You can reverse this sort order or sort instead on the user's name, password strength, reused passwords, or two-factor method.

Additionally, you can filter the table on the following fields:

  • Record Password Strength: Strong, Medium, Fair, or Weak

  • Unique Record Password: Reused or Unique

  • 2FA: Text Message, Authenticator App (TOTP), Smartwatch (KeeperDNA), Security Keys, RSA SecurID, Duo Security, or No 2FA

Refreshing Security Audit Scores

Administrators can refresh the security scores on the UI without having to log out of the Console and log back in. The ability to refresh scores is useful when the admin is expecting users to log into their Vaults to have their latest security scores sync with the Console. When the user has logged into their Vault, the admin needs to simply click the Refresh Scores button to sync the latest scores to the Console.

Resetting Security Audit Scores

Administrators can reset security scores from the UI if the scores have gotten out-of-sync with user Vaults. The administrator can either reset scores for the entire enterprise using the Reset Scores button on the Security Audit screen or for specific users. Please note that only Root Admins can reset the Security Audit score.

The Reset Scores button on the Security Audit screen will reset scores for the entire enterprise. Once the scores are reset, users will need to log in to their Vaults for the scores to sync to the Admin Console due to the constraints of Keeper’s Zero Knowledge architecture.

Alternatively, the administrator can navigate to the User Details modal and select Reset Security Score under User Actions to reset individual users' Security Audit scores. As with an enterprise-wide score reset, once the scores are reset, the user will need to log in to their Vault for the scores to sync to the Admin Console due to the constraints of Keeper's Zero Knowledge architecture.

BreachWatch

In addition to Security Score, Keeper also provides a Dark Web scan summary of end-user passwords through the BreachWatch secure add-on.

BreachWatch alerts can be configured in the Advanced Reporting & Alerts module to alert users and Administrators when a password has been found on the dark web.

Commander CLI

The Keeper Commander CLI provides direct access to the audit data and event data, with other advanced capabilities. For more information, see the Keeper Commander reference guide and reporting commands.

Security Audit Score Calculation

Information on how the security scoring is calculated in the Admin Console

How are Security Scores Calculated?

This document will cover how the following Security Audit Scores are calculated:

  • Record Password Strength

  • Unique Record Passwords

  • Two-Factor Authentication

  • Master Password Strength

  • Security Audit Score

Record Password Strength

The Record Password Strength score represents the percentage of record passwords, across all record passwords for all users, that are strong, medium, or weak. This score is calculated by adding all users' individual Record Password Strength counts, and then dividing by the total number of records.

For each user, the Record Password Strength is calculated by taking the number of strong, medium, or weak passwords and dividing it by the total number of records in that user's vault.

For example, if a user's vault has 10 total records where:

  • 6 of the records have a strong password

  • 3 of the records have a medium password

  • 1 of the record has a weak password

The Record Password Strength score for this user will be as follows:

  • Strong passwords: 6/10 = 0.6 = 60%

  • Medium passwords: 3/10 = 0.3 = 30%

  • Weak passwords: 1/10 = 0.1 = 10%

Unique Record Passwords

The Unique Record Passwords score represents the percentage of record passwords, across all record passwords for all users, that are Unique or Reused. This score is calculated by adding all users' individual unique password counts, and then dividing by the total number of records.

For each user, the Unique Passwords Record Score is calculated by taking the number of unique passwords in the user's vault and dividing it by the total number of records.

For example, if a user's vault has 10 total records where:

  • 6 of the records have a unique password

  • 2 of the records share the same password

  • 2 of the records share the same password

There are 6 passwords used by a single record each, plus 1 password shared between 2 records and another password shared between 2 records. Counting each distinct password once, there are a total of 8 unique passwords. The Unique Passwords Record Score for this user will be as follows:

  • Unique passwords: 8/10 = 0.8 = 80%

  • Reused passwords: 2/10 = 0.2 = 20%

Two-Factor Authentication

The Two-Factor Authentication score represents the percentage of users that have enabled Two-Factor Authentication. This score is calculated by adding all the Two-Factor Authentication scores of all users and then dividing it by the number of total users.

For each user, the Two-Factor Authentication score will be one of the following values depending on whether the user has Two-Factor Authentication On or Off:

  • 0% if Two-Factor Authentication is Off

  • 100% if Two-Factor Authentication is On

Master Password Strength

The Master Password Strength is displayed on neither the Vault Clients nor the Admin Console. Instead, the Master Password Strength is displayed upon Account Creation:

Strong Master Password

For each user, the Master Password Strength score will be 100% if the Master Password's strength is Strong, and 0% otherwise.

For the overall Security Audit Score calculation, the average Master Password Strength score across all users is used.

Security Audit Score

The Security Audit Score represents the Overall Average Security Score across all your users in your organization.

For each user, the Average Security Score is calculated by taking the average of the user's score from the following categories:

Security Score Category    | Value used to Calculate Average Security Score
Record Password Strength   | The Strong password % is used
Unique Record Password     | The Unique password % is used
Two-Factor Authentication  | If Two-Factor Authentication is On, 100% is used; if Off, 0% is used
Master Password Strength   | If Master Password strength is Strong, 100% is used; otherwise 0% is used

User's Average Security Score is calculated as follows:

User's Average Security Score = (% of Strong Password Strength + % of Unique Password + Two-Factor Authentication + Master Password Strength)/4

For example, if a user has the following scores:

  • Strong Password Strength = 60%

  • Unique Record Passwords = 80%

  • Two Factor Authentication is Off = 0%

  • Master Password Strength = 100%

The Average Security Score for the above user would be the sum of all the category scores divided by 4:

\dfrac{60\% + 80\% + 0\% + 100\%}{4} = \dfrac{0.6 + 0.8 + 0 + 1}{4} = 0.6 = 60\%

FAQ

I have 0 Records, why is my Security Audit Score not 0?

Since the following variables affect the Security Audit Score:

  • Record Password Strength

  • Unique Record Passwords

  • Master Password Strength

  • Two-Factor Authentication

if the user has 0 records, this disqualifies the Record Password Strength and Unique Record Passwords variables, but the calculation of the Security Audit Score still takes the Master Password Strength and Two-Factor Authentication into consideration.
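The per-user calculations described under Record Password Strength, Unique Record Passwords, Two-Factor Authentication and Master Password Strength, the four-category average, and the 0-records case from this FAQ entry, worked through in one place. This is an added example, not Keeper's own code: the page does not describe how a record's 0-100 strength score is computed, so each sample record carries a strength score as given input and is bucketed with the thresholds stated on the page; the enterprise-wide figures follow the page's "add the individual counts and divide by the total number of records" description, interpreted as pooled counts across all vaults; and the sample vaults (alice, bob) and their records are constructed to match the page's 10-record example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


def strength_bucket(score: int) -> str:
    """Map a 0-100 strength score to the page's categories."""
    if score >= 80:
        return "strong"
    if score >= 60:
        return "medium"
    if score >= 40:
        return "fair"
    return "weak"


@dataclass
class UserVault:
    name: str
    # (password, strength score) per record. Plaintext is only present here so the
    # example can count reuse; a real scorer works on the decrypted vault locally.
    records: List[Tuple[str, int]]
    two_factor_on: bool
    master_password_strong: bool


def record_strength_pct(vault: UserVault) -> Dict[str, float]:
    """Share of this user's records in each bucket (fractions 0.0-1.0)."""
    counts = {"strong": 0, "medium": 0, "fair": 0, "weak": 0}
    for _pw, score in vault.records:
        counts[strength_bucket(score)] += 1
    total = len(vault.records)
    if total == 0:
        return {k: 0.0 for k in counts}
    return {k: n / total for k, n in counts.items()}


def unique_password_pct(vault: UserVault) -> float:
    """Distinct passwords divided by total records (8/10 in the page's example)."""
    total = len(vault.records)
    if total == 0:
        return 0.0
    return len({pw for pw, _ in vault.records}) / total


def user_security_score(vault: UserVault) -> float:
    """Average of the applicable categories. With 0 records the two record-based
    categories are disqualified (FAQ) and only 2FA and Master Password count."""
    categories = [
        1.0 if vault.two_factor_on else 0.0,
        1.0 if vault.master_password_strong else 0.0,
    ]
    if vault.records:
        categories.append(record_strength_pct(vault)["strong"])
        categories.append(unique_password_pct(vault))
    return sum(categories) / len(categories)


def enterprise_summary(vaults: List[UserVault]) -> Dict[str, float]:
    """Enterprise-wide figures: pooled record counts for the record-based scores,
    per-user averages for 2FA, Master Password and the overall score (assumed reading)."""
    total_records = sum(len(v.records) for v in vaults)
    strong = sum(1 for v in vaults for _, s in v.records if strength_bucket(s) == "strong")
    distinct = sum(len({pw for pw, _ in v.records}) for v in vaults)
    n_users = len(vaults)
    return {
        "record_password_strength": strong / total_records if total_records else 0.0,
        "unique_record_passwords": distinct / total_records if total_records else 0.0,
        "two_factor": sum(v.two_factor_on for v in vaults) / n_users,
        "master_password": sum(v.master_password_strong for v in vaults) / n_users,
        "security_audit_score": sum(user_security_score(v) for v in vaults) / n_users,
    }


# Constructed sample data. "alice" reproduces the page's example: 10 records,
# 6 strong / 3 medium / 1 weak, 8 distinct passwords (two pairs shared),
# 2FA off, strong Master Password -> (0.6 + 0.8 + 0 + 1) / 4 = 0.6.
# "bob" has no records, exercising the FAQ case.
SAMPLE_VAULTS = [
    UserVault("alice", [("pw-a1", 90), ("pw-a2", 85), ("pw-a3", 95), ("pw-a4", 80),
                        ("pw-a5", 88), ("pw-a6", 99), ("pw-a7", 70), ("pw-a7", 65),
                        ("pw-a8", 60), ("pw-a8", 35)],
              two_factor_on=False, master_password_strong=True),
    UserVault("bob", [], two_factor_on=True, master_password_strong=False),
]


if __name__ == "__main__":
    for v in SAMPLE_VAULTS:
        print(v.name, record_strength_pct(v), unique_password_pct(v), user_security_score(v))
    print(enterprise_summary(SAMPLE_VAULTS))
```

Admins will notice that the Admin Console's "Unique" figure counts each distinct password once and treats every record beyond the first occurrence as reused, so two records sharing a password lower the score by exactly one record's worth.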

Why is my Security Audit Score negative?

Across the various Keeper Vault Clients, users' Security Scores are independently calculated, which may rarely cause the overall Security Audit Scores to be negative. If the Keeper Admin Console displays negative scores, visit the following page to correct this issue.