If you’re scratching your head over which passwords to use the next time you need to generate a large number of new passwords for customers, one piece of the puzzle is knowing the types of passwords NOT to use.
When choosing new passwords, avoid values known to be commonly used, expected, or compromised, as guidance from the National Institute of Standards and Technology (NIST) recommends.
NIST lists four main types of passwords that are easily cracked and should be rejected:
- Passwords obtained from previous breaches (don't just tack a '1' on the end)
- Dictionary words (e.g. apple)
- Repetitive or sequential characters (e.g. aaaaaa, 1234abcd)
- Context-specific words, such as the name of the service, the username, or derivatives (e.g. MSP1, password1, ADMIN)
Implementing a password tool can automate password generation at any frequency, saving hassle and freeing up technician time.
4/ Use multifactor authentication (MFA)
Using multifactor authentication (MFA) is absolutely critical today. With advanced persistent threats (APTs) increasingly targeting MSPs, MFA adds another layer of security for you and your customers.
5/ Employ access management for privileged credentials
Threats to MSPs come from both external and internal sources, and you need to know about them. Whether it is an external hacker or a rogue employee, exfiltration can happen from a number of angles. Ensuring you have adequate access management is vital to preventing these types of breaches.
6/ Know the right way to generate complex passwords
Protect your business by using complex, non-reused passwords. Combine this with a password generation tool as a simple way to manage all your passwords effortlessly. To keep your passwords unique and hard to breach, use at least 16 characters and keep the following four tips in mind:
- Three to four random words (e.g. Lights, Tech, Clouds)
- Upper- and lowercase (e.g. LightsTechClouds)
- Numbers (e.g. LightsTechClouds9)
- Special characters/symbols (e.g. LightsTechClouds9%)
A password generator tool with an automated function that creates complex password strings, stored and rotated within the tool itself, means there’s no need to memorize 1,000+ passwords or think up unique words, characters, and symbols for each individual password.
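As an added example that is not from the original article or from any Passportal product, the Python below turns the NIST blocklist above (breached, dictionary, repetitive/sequential, context-specific) and the 16-character, mixed-case, number and symbol rules from this tip into a single screening check, plus a generator that retries until a candidate passes. The breach set, word list and symbol set are constructed stand-ins; a real deployment would load a breach corpus and a full word list.

```python
import re
import secrets
import string

# Constructed sample data: a real deployment would load a breach corpus and a
# full word list instead of these tiny sets.
BREACHED = {"password1", "qwerty123", "letmein", "welcome1"}
WORDS = ("Lights", "Tech", "Clouds", "Harbor", "Copper", "Meadow")
DICTIONARY = {w.lower() for w in WORDS} | {"apple", "password", "admin"}
MIN_LENGTH = 16
SYMBOLS = "%!@#$&*"


def _has_sequence(s, n):
    """True if s contains n characters that step up or down by exactly one
    code point each (e.g. '1234', 'abcd', 'dcba')."""
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def reject_reasons(password, context=()):
    """Return the blocklist categories a candidate trips; an empty list means
    it is acceptable. `context` holds service names, usernames and the like."""
    reasons = []
    lower = password.lower()
    # Strip trailing digits/symbols so 'apple1!' is judged as 'apple'.
    stem = lower.rstrip(string.digits + string.punctuation)
    if lower in BREACHED or stem in BREACHED:
        reasons.append("breached")
    if stem in DICTIONARY:
        reasons.append("dictionary")
    if re.search(r"(.)\1{3,}", lower) or _has_sequence(lower, 4):
        reasons.append("repetitive/sequential")
    if any(c.lower() in lower for c in context if c):
        reasons.append("context-specific")
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    return reasons


def generate_password(words=3, rng=secrets.SystemRandom()):
    """Build a password the way this tip describes: random words in mixed
    case, then a digit and a symbol. Retries until the result passes."""
    while True:
        body = "".join(rng.choice(WORDS) for _ in range(words))
        candidate = body + str(rng.randrange(10)) + rng.choice(SYMBOLS)
        if not reject_reasons(candidate):
            return candidate
```

Passing the customer's service name and the username in `context` is what catches values such as MSP1 or a username with a digit appended, which no generic word list would flag.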
7/ Harness the power of automation
When it comes to best practices in password security, one crucial component is often overlooked or ignored: password rotation. As an MSP managing a multitude of passwords for a variety of organizations, the idea of changing even one password can be daunting. Since password rotation means changing all the passwords on a variety of systems on a regular schedule, where does an MSP start, and when should passwords be renewed?
MSPs should be rotating passwords on all:
- Customers' system accounts
- Network appliances
- Cloud services and portals
- Line of business applications
- AND don't forget your own technicians
But what about frequency?
It is recommended to change all passwords on the following schedule:
- Instantly (if a breach occurred; remember not to recycle credentials)
- Every 3 months at minimum (for credentials that give access to sensitive data)
- Every 6 months at maximum (covers all your bases and addresses existing or former staff knowing privileged credentials)
Deploying a password management tool can automate this whole process!
8/ Eliminate the need for password resets
If you could pinpoint the one thing that is eating up all your technicians’ time, what would it be? Is there something weighing heavily on your service desk and stacking up your tickets? An educated guess, based on the internal workings of an MSP, is that it has to be password resets. Adopting a password reset app that lets your customers on Windows, Active Directory, Azure AD, and Office 365 reset their own secure passwords through identity verification directly from their mobile device will eliminate the service tickets that drag down operational efficiency, and cut your costs.
9/ Ensure you have password auditing and accountability
Customer data is the most valuable asset any business has, and your team has virtually unencumbered access to it all. As a result, you and your customers deserve and need to know who has accessed their systems and when it happened.
Implementing an auditing and reporting tool simplifies this process and helps you maintain a bird’s-eye view of what’s going on.
10/ Implement privileged customer knowledge management
Combining password management and IT documentation creates one unified solution: privileged customer knowledge management. By simplifying the documentation process and offering standards around documentation through permissions within a single console, your technicians can leverage security and automation to rapidly access customer knowledge.
Benefits of privileged customer knowledge management include:
- Password security, automation, and resets
- Technician access control
- Standardized and centralized IT documentation management
- Seamless integrations for data synchronization
Colin Knox is director of product strategy, SolarWinds Passportal.