Password security – Considerations for MSPs

Ben Taylor

Despite the existence of smart cards, biometric fingerprint readers and iris scanners, authentication to the IT systems typically managed by MSPs is still handled in the same, old-fashioned way: passwords.

Think, for a moment, of just one typical SME client, and how many passwords may be involved in their network infrastructure. Let’s start with server and domain admin passwords, passwords for various software management consoles, login details for a host of web portals, router logins and BIOS passwords.

All of those, and we haven’t even got onto user passwords, which can include network logins, database passwords and even the four-digit PINs needed to unlock smartphones.

How honestly can you say that you have all of these passwords under control for your entire client base?

Client Password Security

Computer users often seem to object to standard best practice when it comes to password security. Although everyone knows that passwords should be complex, unique and not written on Post-It notes stuck to users’ keyboards, many people refuse to comply with guidance.

Most MSPs will have come across plenty of CEOs who insist that everyone has the same passwords and staff who persist in writing theirs on a notepad. Sadly, this doesn’t mean that these people won’t still blame you in the event of a security breach.

While enforcing client password security may seem like a constant losing battle, ensuring you always follow these guidelines should help:

  1. Follow standard best-practice recommendations for password complexity and validity, such as a minimum length and a mix of numbers, letters and punctuation. Be aware that current guidance (NIST SP 800-63B) no longer recommends forcing periodic changes; instead, change a password promptly when there is any reason to suspect it has been compromised, and screen new passwords against lists of known-breached passwords.
  2. Where clients insist on ignoring best practice, ensure that their decision and your objection is documented.
  3. Educate users as to the importance of password security and encourage them to imagine the possible consequences of a lapse in security.
  4. Ensure a solid procedure is in place to change passwords and deactivate accounts when users leave.
  5. Ensure clients keep their own log of system and admin passwords, even if they have no call to use them themselves – this can be kept in a secure file or safe and may be needed if you are ever indisposed.

Internal Password Security

Unfortunately, password concerns for MSPs don’t end with user passwords. MSPs also have to think about the myriad system passwords across their whole client base.

These guidelines should help in the management of this large collection of passwords:

  1. Avoid the temptation to use the same admin passwords across multiple clients.
  2. Ensure all key passwords are changed if a staff member leaves.
  3. Comply with the same complexity and validity guidelines that you enforce on users.
  4. Consider the use of a managed password vault or portal.
  5. Limit the knowledge of passwords across your workforce on an “as needed” basis.
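The two checks that are easiest to automate from the lists above are the complexity rule for clients and the “no shared admin passwords across clients” rule for the MSP itself. The following script is an added example, not code from the original article: it audits a constructed vault export (the client names, systems and passwords are invented) for passwords that fail a length/character-class policy and for any password that appears at more than one client. Passwords are compared by a truncated SHA-256 fingerprint so the report never repeats the plaintext.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample of what an export from a shared MSP password vault might
# look like. Every client, system and password below is invented for this example.
VAULT_EXPORT = [
    {"client": "Acme Ltd",    "system": "DC01 domain admin", "password": "Summer2014!"},
    {"client": "Acme Ltd",    "system": "Firewall admin",    "password": "Summer2014!"},
    {"client": "Bravo Co",    "system": "DC01 domain admin", "password": "Summer2014!"},
    {"client": "Bravo Co",    "system": "Backup console",    "password": "backup"},
    {"client": "Charlie plc", "system": "Hypervisor root",   "password": "x7#Qm!pL9$vR2wZn"},
]

# Example policy (an assumption for this script, not a standard): at least 12
# characters and at least three of the four character classes.
MIN_LENGTH = 12
CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def complexity_failures(password):
    """Return the policy rules a password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    missing = sum(1 for pattern in CHARACTER_CLASSES if not re.search(pattern, password))
    if missing > 1:
        failures.append("fewer than three of: lower, upper, digit, punctuation")
    return failures


def fingerprint(password):
    """Short SHA-256 fingerprint so reports can refer to a password without printing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def find_reuse(entries):
    """Map fingerprint -> set of clients sharing that password, for passwords used at >1 client."""
    clients_by_fingerprint = defaultdict(set)
    for entry in entries:
        clients_by_fingerprint[fingerprint(entry["password"])].add(entry["client"])
    return {fp: clients for fp, clients in clients_by_fingerprint.items() if len(clients) > 1}


def audit(entries):
    """Produce one finding line per policy failure and per cross-client reuse."""
    findings = []
    for entry in entries:
        for failure in complexity_failures(entry["password"]):
            findings.append(f"{entry['client']} / {entry['system']}: {failure}")
    for fp, clients in find_reuse(entries).items():
        findings.append(f"password {fp} reused across clients: {', '.join(sorted(clients))}")
    return findings


if __name__ == "__main__":
    for line in audit(VAULT_EXPORT):
        print(line)
```

Run against a real vault export, the reuse check is the one that matters most: a single shared domain admin password turns a breach at one client into a breach at every client. The complexity check is deliberately simple; a production version would also screen each password against a breached-password list rather than relying on character classes alone.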

Passwords are often the last line of defense in IT security. Clients won’t hesitate to point the finger if a security breach occurs. It is therefore essential that you do everything possible to enforce password security and ensure every member of your team takes it seriously.

Do you have any additional guidelines you use when considering password security? Share them with us in a comment below!