Building your customer password policy can be tricky because it needs to balance security and convenience. Too much convenience, and you lose security. Too strict, and no one will use it.
As a managed service provider (MSP), how do you create password policies that work for everyone? First, let’s look at some key elements that go into creating a comprehensive policy.
There are several aspects you need to think about when looking at password complexity; here are some common factors to consider:
What happens when it’s time to change passwords? You need to carefully consider how often those changes need to be made. Here are some things to think about:
Each of the elements above offers something different in creating secure passwords. Complexity creates passwords that are harder to brute force attack or guess. Not using the same password across different logins helps protect all your accounts in the event one is breached. Forced password resets help protect against undiscovered breaches—by changing your passwords periodically, you increase your chances of having a different password when a malicious actor gets around to using one extracted from a breach. Also remember, as a company’s MSP, it is your responsibility to periodically change administrative passwords for devices and services.
In addition, users need to utilize two-factor authentication (2FA) everywhere it is available—it is not available everywhere yet, but it is becoming much more prevalent—and most popular online services allow it as an option. It works by combining something you know and something you have (usually your phone) to create a more secure login. At the time of writing, it is probably one of the best available combinations of high security and ease of use.
For MSPs, the most important part of a password policy is how it is communicated to customers. Firstly, it must be written down and readily available for reference when setting up new accounts. Some MSPs even go to the extent of adding their password policy to their contracts, so if the policy is not followed, the work to remediate any issue related to password breaches becomes billable.
Since human behavior and error are responsible for a substantial portion of breaches today—the Ponemon Institute Cost of Data Breach Study 2018 found that 27% of data breaches were caused by human error—it is highly important to educate end users on the importance of secure passwords. You can only enforce policy so much, most of the time you must rely on users making good judgement when creating and maintaining passwords.
To help this process along, many MSPs hold periodic training for their customers in order to reinforce proper security guidelines and educate on new threats. These training sessions can count as billable time or, for a fully managed plan, can be included as part of their monthly fee. The overall benefits to the MSP are less security issues and a closer relationship, not only with the customer’s main contact, but with their end users as well.
Security is of paramount importance today, and passwords are the gateway to much of the information and services that represent prime targets for malicious activity. Enforcing a solid password policy and educating your customers on proper passwords are two key pieces of the security puzzle—and very often, the hardest to put into place. Using the right balance of security and usability will help you create the right password policy for your customers.
Eric Anthony is principal of customer experience at SolarWinds MSP. Before joining SolarWinds, Eric ran his own managed service provider business for over six years.
You can follow Eric on Twitter at @EricAnthonyMSP
Want more tips on growing your MSP business? Click here to read more of our blogs.
The SolarWinds and SolarWinds MSP trademarks, service marks, and logos are the exclusive property of SolarWinds MSP UK Ltd. or its affiliates. All other trademarks are the property of their respective owners.