Effective password management is a necessary evil when managing IT systems. Although users often fail to see the importance of complex passwords, there are several reasons they are essential:
If you’ve been in the IT business for any length of time, you’ve inevitably come across clients who don’t really take password security very seriously. Some individuals genuinely believe the risk of security breaches is overstated.
You’ve probably come across all kinds of views on passwords. Some IT consultants even encounter company bosses who insist all passwords (sometimes with the exception of their own) are exactly the same. These bosses are blind to the fact that a security breach is often as likely to be caused by a disgruntled former staff member as someone outside the organization.
If you still have clients who are stubborn about the importance of password restrictions, the most recent list of “bad passwords” should give you some ammunition to help convince them they should take things more seriously.
Here are the most commonly used “bad” passwords in 2018, as compiled by SplashData:
People certainly like those number-based passwords, don’t they? While it’s pleasing to finally see the techie’s old favorite of “TrustNoOne” disappear from the top 10, the presence of “password” consistently at number two is rather depressing.
As an IT professional, you’re probably in a position of trust where you know quite a few of your clients’ passwords. Are any of them using any from the top 10 list? Even worse, are you? If so, shame on you! Go change them now.
You need to set and enforce rigid password management policies for your customers’ businesses to remain secure. Most IT systems and servers allow network administrators to set detailed password policies dictating how complex each password should be and how often it must be changed.
When configuring these settings, it’s important to strike an effective balance between IT security and how much complexity users can realistically handle.
Interestingly, the United States National Institute of Standards and Technology (NIST) has just revised its recommendations on passwords, and much of the previous thinking has been thrown out in favor of a more user-friendly approach. So if you’re planning to set a policy, take these into consideration. The NIST password guidelines are important because they are the password policies applied across the whole of the US public sector. They are generally very sensible and provide a great template for all organizations and application-development programs.
Here’s what NIST currently recommends—some of which may surprise you. There’s more to it than this (which you can find in this presentation from PasswordCon), but this is what’s likely to be most important to MSPs.
The NIST guidelines say password policies should be user friendly and put the burden on the verifier when possible. A lot of research has gone into the efficacy of many of our “best practices” for passwords, and it turns out they aren’t worth the pain.
The new guidelines also require a minimum of 8 characters, and say you should allow a maximum length of at least 64 characters. Applications must also allow all printable ASCII characters, including spaces, and should accept all Unicode characters, too, including emojis.
As a follow-on from the above, you should not set forced rules about using particular character combinations. So no more “your password must contain one lowercase letter, one uppercase letter, one number, four symbols, etc.” People should be allowed to choose freely, and you should encourage longer phrases.
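The length and character rules above are easy to get subtly wrong in code: trimming whitespace silently breaks passwords that contain spaces, counting bytes instead of characters rejects emoji-heavy passwords that are well within the limit, and fullwidth or ligature characters can dodge a blocklist unless the input is normalized first. The following validator is an added example (not code from the page or from NIST) that applies the NIST rules described here: minimum 8, maximum 64, no composition requirements, and a check against a list of commonly used passwords. The blocklist and the normalization step are assumptions: the list is a small constructed sample (SplashData’s real list is much longer), and NFKC normalization is what NIST SP 800-63B recommends before a memorized secret is compared or hashed.

```python
import re
import unicodedata

# Constructed sample blocklist for illustration only. A real deployment would
# load a full list of commonly used and breached passwords; the page cites
# SplashData's annual list, which features "password" near the top.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "trustnoone", "letmein",
}

MIN_LENGTH = 8   # NIST SP 800-63B minimum for a user-chosen memorized secret
MAX_LENGTH = 64  # NIST: verifiers should accept at least 64 characters


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode input compares and hashes
    consistently (NIST SP 800-63B allows NFKC or NFD). Whitespace is NOT
    stripped: spaces are legitimate password characters."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.

    Deliberately contains no composition rules ("must include an uppercase
    letter, a digit and a symbol"), in line with the NIST guidance."""
    problems = []
    pw = normalize(password)

    # len() on a str counts Unicode code points, not UTF-8 bytes, so a
    # four-byte emoji counts as one character. (Multi-code-point emoji
    # sequences still count each code point; grapheme-cluster counting
    # would need a third-party library.)
    length = len(pw)
    if length < MIN_LENGTH:
        problems.append(f"too short: {length} characters, minimum is {MIN_LENGTH}")
    if length > MAX_LENGTH:
        problems.append(f"too long: {length} characters, maximum is {MAX_LENGTH}")

    # Blocklist comparison is case-insensitive and also tries the value with
    # trailing digits removed, so "Password2018" is caught as "password".
    folded = pw.casefold()
    stripped = re.sub(r"\d+$", "", folded)
    if folded in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("appears on the commonly-used password list")

    return problems


if __name__ == "__main__":
    for candidate in ["password", "Password2018", "correct horse battery staple",
                      "\U0001F512\U0001F511\U0001F389", "a" * 65]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

Note what is absent as much as what is present: there is no rule about character classes, no trimming, and the maximum is a generous 64 rather than the 12 or 16 that many legacy systems still impose. Because the blocklist check runs on the normalized, case-folded value, a fullwidth “ｐassword” is rejected just like “password”.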
Password hints should not be offered, either: people tend to set hints that are too obvious, so NIST considers them simply too risky.
Contrary to what you’ve no doubt been telling customers for years, NIST now states that passwords should only be reset when there is a solid reason to do so. For example, if they have been forgotten, if they have been phished, or if you think (or know) that a password database has been stolen. This will please a lot of users.
While two-factor authentication (2FA) is still important, SMS should not be part of the 2FA process. There are many problems with the security of SMS delivery, including malware that can redirect text messages, attacks against the mobile phone network, and SIM swapping.
Some things still hold true, so consider the following when determining a password strategy:
There are a few other things to take note of when running a password management program.
Password managers can really help. Having a password manager installed means users can access all the systems they need from one central point. This removes much of the burden of complex passwords: users only need to remember one complex password as opposed to several.
Conditional access is a step up from 2FA/MFA (multifactor authentication). Conditional access models look for abnormal connections and require MFA only when a sign-in falls outside the conditions you’ve set. Microsoft has now implemented conditional access for its SaaS and Azure applications, such as O365.
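To make the conditional access idea concrete, here is an added example (not Microsoft’s implementation or anything from the page) of the decision logic such a model applies to each sign-in: the administrator defines conditions, and MFA is demanded only when a sign-in breaches one of them. The conditions, the network ranges, the users and the sign-in events are all constructed for illustration; a real product would also feed in device compliance state, risk scores and many more signals.

```python
import ipaddress
from datetime import datetime, timedelta

# Administrator-defined conditions (constructed example values).
# 203.0.113.0/24 is a documentation range standing in for the office egress IPs.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# A sign-in from a different country than the previous one, within this
# window, is treated as abnormal (a crude form of "impossible travel").
COUNTRY_CHANGE_WINDOW = timedelta(hours=2)


def require_mfa(event: dict, history: list[dict]) -> tuple[bool, list[str]]:
    """Decide whether a sign-in must complete MFA, and list the reasons.

    event:   {"user", "ip", "device_id", "country", "time"} for this sign-in
    history: the same user's prior successful sign-ins, oldest first
    """
    reasons = []

    # Condition 1: trusted network. Anything outside the office ranges
    # (home, hotel, mobile) is considered a step outside the baseline.
    ip = ipaddress.ip_address(event["ip"])
    if not any(ip in net for net in TRUSTED_NETWORKS):
        reasons.append("sign-in from outside trusted networks")

    # Condition 2: known device. Devices are "registered" here simply by
    # having completed an earlier sign-in; a first-ever sign-in always gets MFA.
    known_devices = {e["device_id"] for e in history}
    if event["device_id"] not in known_devices:
        reasons.append("unregistered device")

    # Condition 3: sudden country change relative to the last sign-in.
    if history:
        last = history[-1]
        if (last["country"] != event["country"]
                and event["time"] - last["time"] < COUNTRY_CHANGE_WINDOW):
            reasons.append(
                f"country changed from {last['country']} to {event['country']} "
                f"within {COUNTRY_CHANGE_WINDOW}")

    return (bool(reasons), reasons)


# Constructed sign-in history for one user: two normal office sign-ins.
SAMPLE_HISTORY = [
    {"user": "alice", "ip": "203.0.113.10", "device_id": "laptop-01",
     "country": "GB", "time": datetime(2018, 12, 13, 9, 0)},
    {"user": "alice", "ip": "203.0.113.12", "device_id": "laptop-01",
     "country": "GB", "time": datetime(2018, 12, 14, 9, 0)},
]

# Constructed sign-ins to evaluate against the conditions above.
SAMPLE_EVENTS = [
    # Office, known laptop, same country: nothing abnormal, no MFA prompt.
    {"user": "alice", "ip": "203.0.113.15", "device_id": "laptop-01",
     "country": "GB", "time": datetime(2018, 12, 14, 9, 5)},
    # Known laptop but from a home/coffee-shop address: one condition breached.
    {"user": "alice", "ip": "198.51.100.7", "device_id": "laptop-01",
     "country": "GB", "time": datetime(2018, 12, 14, 9, 10)},
    # New device, foreign address, different country 30 minutes after an
    # office sign-in: every condition breached, MFA definitely required.
    {"user": "alice", "ip": "198.51.100.7", "device_id": "phone-99",
     "country": "US", "time": datetime(2018, 12, 14, 9, 30)},
]


def evaluate_all() -> list[tuple[bool, list[str]]]:
    """Run each sample event against the sample history."""
    return [require_mfa(ev, SAMPLE_HISTORY) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, (mfa, why) in zip(SAMPLE_EVENTS, evaluate_all()):
        print(ev["ip"], ev["device_id"], ev["country"],
              "-> MFA required" if mfa else "-> no MFA", why)
```

The point to take from the example is that the user on the known laptop in the office is never interrupted, which is what wins user buy-in, while the unusual sign-in is challenged on every one of the conditions it breaches. Each condition is independent, so an administrator can tighten or relax them one at a time and see exactly which rule caused a prompt.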
Password management doesn’t have to be a chore if you have user buy-in regarding its importance. The way to achieve this is by communicating effectively with staff and striking a good balance between security and convenience. And don’t forget that using a password manager can really alleviate a lot of the burden on employees.