Why a Strong Password Policy Matters: Tips for Service Providers
Despite the evolution of authentication technology such as biometric fingerprint and iris scanners, a good amount of the IT system authentication that managed services providers (MSPs) manage still revolves around passwords. To fully grasp the sheer number of passwords MSPs are expected to manage, simply consider the number of passwords that might be involved in the network infrastructure of a single standard SMB client. There’s the server and domain admin passwords, multiple software management console passwords, the login credentials for a number of web portals, router logins, and BIOS passwords—the list goes on.
This list doesn’t even take into account user passwords, which are likely to also include pins required to unlock smartphones, database passwords, and network logins. Given the scale of the password management needs for just a single SMB client, MSPs stand to gain a lot from password management tools designed to help them implement robust password policies.
This article will help you understand what makes a strong password policy, why password policy is important, and some password management best practices for MSPs to remember. It will also give you insight into the password management tools that can help you tackle common password policy risks faced by MSPs.
What is a password policy?
To put it simply, password policies are a collection of rules created to help increase computer and network security. This usually entails encouraging or requiring users to create secure and reliable passwords by setting standards for complexity and management.
Password policies often detail how passwords should be stored, utilized, and how often they should be updated. A strong password will comply with these rules, meeting complexity, storage, and reset requirements. For example, many default password policies require a minimum length of eight characters and some combination of special characters.
Why is password policy important?
Effective password management is a crucial part of the work that MSPs do to maintain cybersecurity for their clients. Many individuals and businesses fail to recognize the importance of using complex passwords, which can have dire consequences.
It’s important to note that passwords in an organization are likely only as strong as their password policy—so setting a strong password policy will go a long way in maintaining a baseline level of security. Here are just a few examples of how failure to establish a strong password policy can impact your MSP:
1. Compromised network security
Weak or ineffective passwords give cybercriminals an easy way into your infrastructure. With a widespread amount of personal information available today on the internet, and with cybercriminals’ attack methods growing stronger by the day, sophisticated hackers can easily take advantage to crack overly simplistic passwords.
2. Lack of accountability
Advanced password policies will often also include guidelines for appropriate user authentication. On top of adding an extra layer of security, user authentication also helps MSPs and technicians keep track of who is responsible for each activity performed on company systems (or customers’ systems). When password security is overlooked, you can’t be certain that users aren’t using each other’s passwords and sharing accounts. This makes establishing accountability impossible and creates internal vulnerabilities.
3. Password reuse or sharing
Confidentiality breaches can be caused by passwords that are hacked or have become common knowledge. If discovering a user’s password is easy, leaked confidential information is a genuine risk to your organization and client security. For an MSP, this can lead to your service provider being held liable for the exposure of sensitive customer information.
Password policy best practices
These “bad” passwords weren’t just being utilized for personal use. Many users within large corporations were also using such simple passwords that could be easily hacked by cybercriminals. To mitigate the risk of cyberthreats, ensure your MSP is implementing the following best practices with a strong password policy:
One of the most effective ways of establishing a strong password policy is to enforce a level of password complexity. Requirements might include the password meeting a predetermined number of characters in length—including digits, uppercase and lowercase letters, and special characters.
Do not reuse passwords
It is key that your password policy prevents users from reusing old passwords. Some users may try to work around this by changing a single character to create a “new” password. It is important users are discouraged from doing this, as this makes passwords easier to guess in the event of a breach.
Establish forbidden words or phrases
Some of the weakest passwords include phrases or words that are easy to guess, like names, usernames, or personal information such as your date of birth and your mother’s maiden name. To prevent these words and phrases from compromising your passwords, ensure your password policy establishes which words and phrases are forbidden.
Require different passwords for each system
Require users to use a different password for each IT system. This means every password should be unique across databases, VPN, and logons. Similar to the second best practice above, this helps ensure a breach of an unrelated company or service does not compromise security across all of your accounts.
Your staff should be regularly educated on the details and importance of your password policy. They should also be trained in the risks associated with poor password management to better understand the potential consequences of failing to comply.
A password manager to aid your password policy
If you’re looking for a password management solution that can help you mitigate the risks associated with an ineffective password policy, SolarWinds® Passportal can help. This tool was designed specifically for MSPs, making it easy for you to implement best practices on behalf of your clients. It can help you develop and implement a strong password policy that serves as a foundation for your cybersecurity measures. Passportal is an all-in-one password manager, network password manager, documentation management tool, and password reset solution for Microsoft 365. To learn more, request a demo of Passportal today.