There’s a lot of flash around some topics in security. Whether it’s the ever-present, evolving threat of ransomware or a new threat du jour, it’s important to stay on top of these developments. But it’s also easy to lose sight of the fact that a good portion of cyberattacks come through small holes in a security posture.
One of the biggest threats we face as an industry, particularly during an era of remote working, is the use of weak or reused passwords. Today, we’ll talk about some developments around passwords and remind you of strong practices to keep your passwords safe.
The latest on passwords
Passwords really weren’t designed to do the type of heavy lifting we require of them now. When username/password combinations were first developed, a user needed only a few passwords to get by: one to log into their computer or a mainframe, and not much else. Today, people have a multitude of services requiring authentication credentials, making it hard to keep track of all the passwords.
This puts a heavy burden on users to come up with a strong password for each account and, more importantly, remember it, so people reuse passwords across accounts. The extent of the practice is striking: SpyCloud found roughly 76% of Fortune 1000 employees used the same password from their corporate email on other accounts. This stat isn’t meant to pick on those companies; rather, it shows that even large companies that can afford strong security postures still have widespread password problems. That means anyone can have them, including your customers or even your own employees.
But how prevalent are credential attacks? The 2020 Verizon Data Breach Investigations Report stated that more than 80% of hacking-related breaches involved either brute-force attacks or the use of lost or stolen credentials. Of course, there are other kinds of attacks, from malware to social engineering, but this demonstrates that passwords play a central role in anyone’s security posture.
The rules of the road
So, we know how important password security is for an organization’s security posture. What do you do about it?
1. BE THE BROKEN RECORD
User awareness training plays a role in keeping users from using weak passwords. Yet, when it comes to both information retention and behavioral change, one-off yearly security trainings won’t do the trick. Make sure to hold trainings on a fairly regular basis, and send out refreshers and reminders via email. (Hint: This can also be an excellent way of keeping your brand fresh in your customers’ minds). Don’t be afraid to repeat yourself—repetition is important to truly get people in the habit of using strong passwords.
2. SET GROUND RULES FOR PASSWORD STRENGTH
You probably already know these rules, but you’ll need to keep reiterating them to your customers (and your own employees). Length matters most: every extra character multiplies the work of a brute-force attack, so set a minimum of at least 12 characters and allow much longer ones. Mixing uppercase letters, lowercase letters, symbols, and numbers only helps if the result is unpredictable. Forced composition rules tend to produce “P@ssw0rd1!”-style substitutions that cracking tools try first, which is why current NIST guidance (SP 800-63B) favors length plus screening against lists of breached and common passwords over character-class requirements. Avoid putting numbers at the end of a password: “Welcome2024!” is one of the most common shapes, and standard cracking rule sets try appending digits and a symbol to every dictionary word. It’s also worth suggesting a passphrase of several unrelated words rather than a single mangled word. This lets users meet length requirements and resist guessing while still having something they can remember.
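The rules above can be enforced at the point where a password is set rather than left to user goodwill. The following is an added example written for this article, not code from SolarWinds or Passportal. It checks length, compares the SHA-1 of the candidate against a breach corpus (a constructed six-entry set here; a real deployment would query the full Have I Been Pwned range API the same way), rejects the password if it contains the username, undoes leetspeak and strips trailing digits to catch “P@ssw0rd123!” as the word “password”, and flags the word-plus-digits shape that cracking rule sets generate first. The minimum length, the breached set, and the common-word list are all assumptions chosen for the example.

```python
from __future__ import annotations

import hashlib
import re

MIN_LENGTH = 12  # assumed policy minimum; raise it for admin accounts

# Constructed sample of a breach corpus, stored as uppercase SHA-1 like the
# Have I Been Pwned dataset. A real deployment queries the full corpus
# (e.g. the HIBP range API); the comparison logic is the same.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password1", "123456", "qwerty", "letmein", "Summer2020!")
}

# Constructed list of base words users mangle into "strong" passwords.
COMMON_STEMS = {"password", "welcome", "letmein", "qwerty", "summer", "winter", "admin", "monkey"}

# Undo the usual character substitutions so "P@ssw0rd" compares as "password".
LEET = str.maketrans("@01345$7!", "aoleassti")


def stem(candidate: str) -> str:
    """Lowercase, strip a trailing run of digits/symbols, then undo leetspeak."""
    s = candidate.lower()
    s = re.sub(r"[^a-z]+$", "", s)  # drop "2024!"-style suffixes before translating
    return s.translate(LEET)


def check_password(candidate: str, username: str = "") -> list[str]:
    """Return the policy rules the candidate fails; an empty list means it is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    digest = hashlib.sha1(candidate.encode()).hexdigest().upper()
    if digest in BREACHED_SHA1:
        problems.append("breached")
    if username and username.lower() in candidate.lower():
        problems.append("contains_username")
    if stem(candidate) in COMMON_STEMS:
        problems.append("common_stem")
    # One word followed by digits and at most one symbol: the first shape a
    # wordlist-plus-rules attack produces, so reject it regardless of the word.
    if re.fullmatch(r"[A-Za-z]+\d+[^\w\s]?", candidate):
        problems.append("trailing_digits")
    return problems


if __name__ == "__main__":
    for pw in ("Summer2020!", "P@ssw0rd123!", "Welcome2024!", "correct horse battery staple"):
        verdict = check_password(pw) or ["accepted"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

Note that “P@ssw0rd123!” satisfies every classic composition rule (12 characters, all four character classes) and still fails, while the four-word passphrase passes with no symbols at all; that is the point of screening on structure and known-bad lists instead of character classes.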
3. SET PASSWORD REFRESH POLICIES
Password refresh policies need more nuance than “change it every 90 days.” Forcing everyone onto a calendar schedule sounds safer, but users respond with predictable increments (Spring2023! becomes Summer2023!), and NIST SP 800-63B now advises against mandatory periodic changes for exactly that reason. Rotate passwords on evidence instead: when a credential shows up in a breach dump, when it has been shared or typed into the wrong place, or when a technician who knew a shared admin password leaves. Treat a policy update (such as a new minimum length) as a trigger for a one-time reset rather than a recurring one. Also, remind customers not to reuse passwords across important accounts; if their credentials end up in a data breach, one stolen password can compromise other systems.
4. CHANGE DEFAULT PASSWORDS
Another important thing to remember: change default passwords on important services. This applies to every service, but it’s especially important on tools built to facilitate remote working, like remote support tools or VPNs, because they are reachable from the internet and the default credentials for common products are printed in vendor manuals. It’s not uncommon for people to use a default password when setting things up, then forget to change it later. Also, remind your customers to do the same on home networks. They should reset the default administrator password on their router and Wi-Fi, and check the administrator pages of any smart devices for the same problem.
5. AUTOMATE AS MUCH AS POSSIBLE
The biggest challenge with passwords is that they’re simply a pain in the neck to manage. Many people will naturally choose convenience over security, so it’s important to try to make life easier on them. That’s why it’s so important to use a good password management solution. Users can sign in once with their master password, then sign into their myriad accounts with an automatically generated password in a single click. No need for endless creativity to come up with new passwords, and no need for a photographic memory to remember them. Plus, with a password management tool like SolarWinds® Passportal, you can set password requirements for end users, automate password refreshes as needed, and grant or revoke access to accounts as needed.
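The “automatically generated password” a manager fills in is only as good as its randomness. As an added example for this article (not Passportal’s code), the block below generates both a random character password and a random passphrase using Python’s `secrets` module, which draws from the operating system’s CSPRNG, and computes how many bits of entropy each choice carries so the two styles can be compared. The eight-word list is a constructed stand-in so the example runs offline; the entropy figure for a 7776-word list is the EFF long wordlist size.

```python
import math
import secrets
import string

# `secrets` uses the OS CSPRNG. The `random` module is a Mersenne Twister
# seeded from the clock and must never be used to generate credentials.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed eight-word list so the example runs offline. A real generator
# uses a large list such as the EFF long wordlist (7776 words); entropy_bits
# takes the list size as a parameter for that reason.
WORDS = ("battery", "correct", "horse", "staple", "orbit", "lantern", "velvet", "quartz")


def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random characters from `alphabet`: what a manager auto-fills."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 5, wordlist=WORDS, sep: str = "-") -> str:
    """Random words joined with `sep`; easier to type when no manager is at hand."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform selections from `choices` options."""
    return picks * math.log2(choices)


if __name__ == "__main__":
    print(random_password(), f"{entropy_bits(len(ALPHABET), 20):.1f} bits")
    print(random_passphrase(), f"{entropy_bits(len(WORDS), 5):.1f} bits (tiny list)")
    print(f"6 words from a 7776-word list: {entropy_bits(7776, 6):.1f} bits")
```

Twenty random characters give about 131 bits, which is why manager-generated passwords should be long and never typed by hand; six words from the EFF list give about 78 bits, more than enough for anything rate-limited or hashed with a slow KDF, and that is the right style for the one master password a user actually has to remember.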
An easy fix for a hard problem
The username/password authentication model wasn’t really developed to handle the modern IT environment. With an explosion of cloud services, users can quickly get overwhelmed and opt for shortcuts around password security. If you follow these tips, you should be able to help keep your security posture strong.
A stolen password for a customer’s employee can become a major problem; a stolen password for a member of your own MSP team is pretty much guaranteed to be one. If criminals gain access to even one team member’s passwords, they can potentially compromise multiple customers and put your business in serious jeopardy. SolarWinds Passportal, a password management solution designed for MSPs, can help. It allows your team to automatically generate passwords and lets you easily grant and revoke access as needed. Plus, you can offer password-management-as-a-service to your customers via Passportal Site, helping you reduce password-related breaches for them while also earning additional monthly recurring revenue without adding a new labor-intensive service. Learn more today about both solutions by visiting passportalmsp.com.