N-able

Solutions for MSPs and IT Teams

Blog > Security

How to Build Password Policies for Your Customers

By N-able
26th April, 2019
Security

Building your customer password policy can be tricky because it needs to balance security and convenience. Too much convenience, and you lose security. Too strict, and no one will use it.

As a managed service provider (MSP), how do you create password policies that work for everyone? First, let’s look at some key elements that go into creating a comprehensive policy.

1/ Password complexity

passwords3_blog.jpgThere are several aspects you need to think about when looking at password complexity; here are some common factors to consider:

  • Character sets—A good rule of thumb is passwords should contain at least three of the four types of characters: upper case, lower case, numbers, and symbols.
  • Password length—Passwords should be a minimum of eight characters long but preferably closer to 15. You can use passphrases to make long passwords easier to remember.
  • Forbidden words—Passwords should never contain parts of the username/login, name of the service, or personal information, like date of birth or ID numbers. Also, never use the same password across different devices, such as the same password on routers and server access. And the big one for all users: Always create unique passwords; never use the same one as you have for applications like Facebook or LinkedIn, for example.

2/ Password changes

What happens when it’s time to change passwords? You need to carefully consider how often those changes need to be made. Here are some things to think about:

  • Password history—Do not reuse old passwords. Do not create “new” passwords by simply changing one character.
  • Forced password resets—Traditional password reset models dictated passwords should be changed at least every 180 days, ideally every 90 days. However, advice and guidance on this is starting to change, as this article from the SANS institute explains.

Passwords1_blog.jpgEach of the elements above offers something different in creating secure passwords. Complexity creates passwords that are harder to brute force attack or guess. Not using the same password across different logins helps protect all your accounts in the event one is breached. Forced password resets help protect against undiscovered breaches—by changing your passwords periodically, you increase your chances of having a different password when a malicious actor gets around to using one extracted from a breach. Also remember, as a company’s MSP, it is your responsibility to periodically change administrative passwords for devices and services.

The role of two-factor authentication

In addition, users need to utilize two-factor authentication (2FA) everywhere it is available—it is not available everywhere yet, but it is becoming much more prevalent—and most popular online services allow it as an option. It works by combining something you know and something you have (usually your phone) to create a more secure login. At the time of writing, it is probably one of the best available combinations of high security and ease of use.

Communicating your password policy

For MSPs, the most important part of a password policy is how it is communicated to customers. Firstly, it must be written down and readily available for reference when setting up new accounts. Some MSPs even go to the extent of adding their password policy to their contracts, so if the policy is not followed, the work to remediate any issue related to password breaches becomes billable.

Mitigating human error

Since human behavior and error are responsible for a substantial portion of breaches today—the Ponemon Institute Cost of Data Breach Study 2018 found that 27% of data breaches were caused by human error—it is highly important to educate end users on the importance of secure passwords. You can only enforce policy so much, most of the time you must rely on users making good judgement when creating and maintaining passwords.

To help this process along, many MSPs hold periodic training for their customers in order to reinforce proper security guidelines and educate on new threats. These training sessions can count as billable time or, for a fully managed plan, can be included as part of their monthly fee. The overall benefits to the MSP are less security issues and a closer relationship, not only with the customer’s main contact, but with their end users as well.

Security is of paramount importance today, and passwords are the gateway to much of the information and services that represent prime targets for malicious activity. Enforcing a solid password policy and educating your customers on proper passwords are two key pieces of the security puzzle—and very often, the hardest to put into place. Using the right balance of security and usability will help you create the right password policy for your customers.

Want to stay up to date?

Get the latest MSP tips, tricks, and ideas sent to your inbox each week.

Loading form....

If the form does not load in a few seconds, it is probably because your browser is using Tracking Protection. This is either an Ad Blocker plug-in or your browser is in private mode. Please allow tracking on this page to request a trial.

If this issue persists, please visit our Contact Sales page for local phone numbers.

Note: Firefox users may see a shield icon to the left of the URL in the address bar. Click on this to disable tracking protection for this session/site