Password management—A quick best practice guide

Effective password management is a necessary evil when managing IT systems. Although users often fail to see the importance of complex passwords, there are several reasons they are essential:

1. Network Security
   Weak passwords give hackers an easy way into the infrastructure. As most modern systems have some level of remote access, this issue cannot be ignored.
2. Accountability
   User authentication helps the IT department see who has done what on company systems. If password security isn’t taken seriously, no one can be sure that users aren’t using each other’s passwords.
3. Internal Confidentiality
   Breaches in confidentiality can result from little more than a password that is common knowledge or a password written on a Post-it note attached to a user’s monitor.

A bad attitude to passwords

If you’ve been in the IT business for any length of time, you’ve inevitably come across clients who don’t really take password security very seriously. Some individuals genuinely believe the risk of security breaches is overstated.

You’ve probably come across all kinds of views on passwords. Some IT consultants even encounter company bosses who insist all passwords (sometimes with the exception of their own) are exactly the same. These bosses are blind to the fact that a security breach is often as likely to be caused by a disgruntled former staff member as someone outside the organization.

If you still have clients who are stubborn about the importance of password restrictions, the most recent list of “bad passwords” should give you some ammunition to help convince them they should take things more seriously.

Here are the most commonly used “bad” passwords in 2018, as compiled by SplashData:

1. 123456
2. password
3. 123456789
4. 12345678
5. 12345
6. 111111
7. 1234567
8. sunshine
9. qwerty
10. iloveyou
11. princess
12. admin
13. welcome
14. 666666
15. abc123
16. football
17. 123123
18. monkey
19. 654321
20. !@#$%^&*

People certainly like those number-based passwords don’t they? While it’s pleasing to finally see the techie’s old favorite of “TrustNoOne” disappear from the top 10, the presence of “password” consistently at number two is rather depressing.

As an IT professional, you’re probably in a position of trust where you know quite a few of your clients’ passwords. Are any of them using any from the top 10 list? Even worse, are you? If so, shame on you! Go change them now.

Setting policies for password management

You need to set and enforce rigid password management policies for your customer’s businesses to remain secure. Most IT systems and servers allow network administrators to set detailed password policies dictating how complex each password should be and how often it must be changed.

When configuring these settings, it’s important to strike an effective balance between IT security and how much complexity users can realistically handle.

Interestingly, the United States National Institute for Standards and Technology (NIST) has just revised its recommendations on passwords, and much of the previous thinking has been thrown out in favor of a more user-friendly approach. So if you’re planning to set a policy, take these into consideration. The NIST password guidelines are important because they are the password policies that are set across the whole of the US public sector. They are often very sensible and provide a great template for all organizations and application-development programs.

Here’s what NIST currently recommends—some of which may surprise you. There’s more than this to it (which you can find here in this presentation from PasswordCon), but this is what’s likely to be most important to MSPs.

• Favor the userThe NIST guidelines say password policies should be user friendly and put the burden on the verifier when possible. A lot of research has gone into the efficacy of many of our “best practices” for passwords, and it turns out they aren’t worth the pain.
• The bigger, the betterThe new guidelines also suggest a minimum of 8 characters, but that you should allow for a maximum of at least 64 characters. Applications must also allow all printable ASCII characters, including spaces, and should accept all UNICODE characters, too, including emojis.
• Forget composition rulesAs a follow on from the above, you should not set forced rules about using particular character combinations. So no more “your password must contain one lowercase letter, one uppercase letter, one number, four symbols, but not etc.” People should be allowed to choose freely, and you should encourage longer phrases.
• No hintsBasically people tend to set password hints that are too obvious, so this is seen as just too risky.
• No more expiration without reasonContrary to what you’ve no doubt been telling customers for years, NIST now states that the only time passwords should be reset is if there is a solid reason. For example, if they have been forgotten, if they have been phished, or if you think (or know) that a password database has been stolen. This will please a lot of users.
• SMS should not be used as part of 2FAWhile two-factor authentication (2FA) is still important, SMS should not be part of the 2FA process. There are many problems with the security of SMS delivery, including malware that can redirect text messages, attacks against the mobile phone network, and SIM swapping.

Some things still hold true, so consider the following when determining a password strategy:

1. Enforce a level of complexity that is sufficient to make passwords hard to crack via software, without annoying users.
2. Insist on a different password for each IT system—i.e., one for logon, one for VPN, one for databases.
3. Avoid the use of shared or commonly known passwords.
4. Educate staff on the importance of password management and the possible implications if the password policy is ignored. Help users realize that an assortment of letters, numbers, and punctuation doesn’t need to be difficult—it can be as simple as a name with a year and a full stop at the end.
5. Work with management to do occasional “sweeps” for human threats to network security, such as passwords on Post-it notes and passwords being shared.
6. Consider occasional “social engineering” tests to see if staff can be fooled into giving up passwords via email or telephone. You can then use the results of these tests to further enforce training on the importance of IT security.

Some additional advice

There are a few other things to take note of when managing the password management process.

Password managers can really help. Having a password manager installed means you can access all the systems you need from one main point. This can help remove the burden of complex passwords—users only need to remember one complex password as opposed to several.

Conditional access is a step up from 2FA/MFA (multifactor authentication). Conditional access models look for abnormal connections, and then put MFA in place when things fall outside the conditions that you’ve set. Microsoft has now implemented conditional access for its SaaS and Azure applications like O365.

Password management doesn’t have to be a chore if you have user buy-in regarding its importance. The way to achieve this is by communicating effectively with staff and striking a good balance between security and convenience. And don’t forget using a password manager—that can really alleviate a lot of the burden on employees.

 

Built for MSPs by MSPs, SolarWinds Passportal + Documentation Manager is an encrypted and efficient password and credential management solution, offering credential injection, reporting, auditing, password change automation and privileged client documentation capabilities—designed to streamline the technicians’ day by providing essential documentation at their fingertips to standardize service delivery and expedite issue resolution.

SolarWinds Passportal can help you manage risk, shorten incident resolution times, meet compliance for credential creation, usage, and storage. To find out more click here.