How to Build Password Policies for Your Customers

Building your customer password policy can be tricky because it needs to balance security and convenience. Too much convenience, and you lose security. Too strict, and no one will use it.  

As a managed service provider (MSP), how do you create password policies that work for everyone? First, let’s look at some key elements that go into creating a comprehensive policy.

1/ Password complexity

There are several aspects you need to think about when looking at password complexity; here are some common factors to consider:

• Character sets—A good rule of thumb is passwords should contain at least three of the four types of characters: upper case, lower case, numbers, and symbols.
• Password length—Passwords should be a minimum of eight characters long but preferably closer to 15. You can use passphrases to make long passwords easier to remember.
• Forbidden words—Passwords should never contain parts of the username/login, name of the service, or personal information, like date of birth or ID numbers. Also, never use the same password across different devices, such as the same password on routers and server access. And the big one for all users: Always create unique passwords; never use the same one as you have for applications like Facebook or LinkedIn, for example.

2/ Password changes

What happens when it’s time to change passwords? You need to carefully consider how often those changes need to be made. Here are some things to think about:

• Password history—Do not reuse old passwords. Do not create “new” passwords by simply changing one character. 
• Forced password resets—Traditional password reset models dictated passwords should be changed at least every 180 days, ideally every 90 days. However, advice and guidance on this is starting to change, as this article from the SANS institute explains. 

Each of the elements above offers something different in creating secure passwords. Complexity creates passwords that are harder to brute force attack or guess. Not using the same password across different logins helps protect all your accounts in the event one is breached. Forced password resets help protect against undiscovered breaches—by changing your passwords periodically, you increase your chances of having a different password when a malicious actor gets around to using one extracted from a breach. Also remember, as a company’s MSP, it is your responsibility to periodically change administrative passwords for devices and services.

The role of two-factor authentication

In addition, users need to utilize two-factor authentication (2FA) everywhere it is available—it is not available everywhere yet, but it is becoming much more prevalent—and most popular online services allow it as an option. It works by combining something you know and something you have (usually your phone) to create a more secure login. At the time of writing, it is probably one of the best available combinations of high security and ease of use.

Communicating your password policy

For MSPs, the most important part of a password policy is how it is communicated to customers. Firstly, it must be written down and readily available for reference when setting up new accounts. Some MSPs even go to the extent of adding their password policy to their contracts, so if the policy is not followed, the work to remediate any issue related to password breaches becomes billable. 

Mitigating human error

Since human behavior and error are responsible for a substantial portion of breaches today—the Ponemon Institute Cost of Data Breach Study 2018 found that 27% of data breaches were caused by human error—it is highly important to educate end users on the importance of secure passwords. You can only enforce policy so much, most of the time you must rely on users making good judgement when creating and maintaining passwords.  

To help this process along, many MSPs hold periodic training for their customers in order to reinforce proper security guidelines and educate on new threats. These training sessions can count as billable time or, for a fully managed plan, can be included as part of their monthly fee. The overall benefits to the MSP are less security issues and a closer relationship, not only with the customer’s main contact, but with their end users as well.

Security is of paramount importance today, and passwords are the gateway to much of the information and services that represent prime targets for malicious activity. Enforcing a solid password policy and educating your customers on proper passwords are two key pieces of the security puzzle—and very often, the hardest to put into place. Using the right balance of security and usability will help you create the right password policy for your customers.

 

Additional reading

• Password Security: Central to GDPR Readiness
• Enterprise Password Management Best Practices
• Forgotten Passwords: The Bane of the Admin's Existence
• Password management - A quick best practice guide

 

Eric Anthony is principal of customer experience at SolarWinds MSP. Before joining SolarWinds, Eric ran his own managed service provider business for over six years.

You can follow Eric on Twitter@EricAnthonyMSP

 

Want more tips on growing your MSP business? Click here to read more of our blogs.

 

The SolarWinds and SolarWinds MSP trademarks, service marks, and logos are the exclusive property of SolarWinds MSP UK Ltd. or its affiliates.  All other trademarks are the property of their respective owners.