Today, we celebrate World Password Day. It’s a perfect time to reflect on the best practices for password security and to take stock of the current state of user credentials across your team and your user base. And with recent events necessitating a shift toward remote working and increasing reliance on cloud services, it’s more important than ever to take a strategic stance toward password management.
For World Password Day, we want to give you a few pointers on the state of password security, as well as some tips to lock down your user accounts.
In previous decades, you only had a few passwords to remember. You might have a few passwords at work, your bank PIN, and maybe the login for your home computer. Now, users have passwords to a significant number of cloud services, applications, and systems. Any one of them could be a weak link leading to a security issue.
Unfortunately, passwords have become much more complex to manage. And the problem is further exacerbated by an increasingly remote work force. Just consider the following:
- Number of devices: In the workplace, the number of devices on the network have proliferated—including smartphones, tablets, and other smart devices. As more people work from home, this number increases. Each household can easily have 20 or 30 devices (or more) on it, each representing an access point. This includes webcams, smart TVs, smart thermostats, and smart speakers. Each requires some level of authentication.
- Apps and sites: Each smart device typically has both web portals and mobile applications. In addition, most mobile devices have several applications, the majority of which require logins. Each app can also have differing levels of permissions—if someone compromises one app’s credentials, they could theoretically get data from other apps. Then, you have to consider the cloud services you use on a daily basis—from social networks to video streaming to business applications—which each need separate credentials.
- Permissions: Beyond mobile apps, many cloud applications gain access to other services. For example, many services allow you to sign up using credentials for other sites like Google, Facebook, or Twitter. For example, if someone compromises your Facebook password, they can gain access to each of the applications connected to your Facebook account.
In short, there’s simply a lot of complexity in password management. This can often make passwords the weak link for an organization.
Reducing your password risk
With all this complexity, how can you possibly enforce password best practices? It’s nearly impossible to ask people to create unique, strong passwords for every service and device while also asking them to change them frequently. So, what can you do?
- Tier your passwords: This strategy requires some vigilance, but it can help with management. One of the most effective ways for criminals to compromise important systems is credential stuffing—if they have a list of usernames and passwords from one service that was breached, they can often break into other accounts because people often reuse passwords. Instead, try to focus your password security on the most important services. For example, your technicians should use unique passwords on work-related services containing critical data, even if their personal Netflix account might use the same password as their Hulu account.
- Check for breaches: Another important point is to follow the security news to see if a major service you use suffered a breach. You can check major security news sites to see if you’re in danger or you can set up news alerts on the service. Regardless, once you’ve discovered a potential breach, it’s time to change the password to be on the safe side. Additionally, you may want to use breach search engines to see if your credentials have been exposed in previous data breaches. If they have, you’ll probably be surprised to find services you haven’t used in years on the list.
- Turn on two-factor authentication: For important accounts, using two-factor authentication (2FA) can also help protect accounts. Make sure to turn it on where possible. For added security, consider using an authenticator application on your phone or a physical 2FA product like a USB.
- Use a password manager: Honestly, one of the easiest, most efficient ways of improving password security is to automate most of it. A good password manager can help you generate strong passwords for all services (both high- and low-risk), reduce the number of passwords you have to remember, and automate password refreshes. With a good password manager, you can make password security something you just do without thinking.
Password security in today’s environment
Password security has grown increasingly complex over the years. And with customers working remotely more often, the complexity will grow even greater. Dealing with this requires a strategic approach to credential and password management. Follow the tips above and you should greatly reduce your risk.
Over the past year or so, MSPs have increasingly drawn the crosshairs of cybercriminals. As a result, keeping your own password security is extremely important. SolarWinds® Passportal offers password management built for the unique challenges of MSP teams. You can automatically generate strong passwords, force password refreshes, gain one-click access to services, and grant and revoke access to accounts as needed. Learn more by visiting passportalmsp.com today.