{"id":4958,"date":"2019-05-19T22:51:10","date_gmt":"2019-05-19T21:51:10","guid":{"rendered":"https:\/\/www.n-able.com\/?p=4958"},"modified":"2021-05-31T12:50:00","modified_gmt":"2021-05-31T11:50:00","slug":"password-management","status":"publish","type":"post","link":"https:\/\/www.n-able.com\/es\/blog\/password-management","title":{"rendered":"Password management\u2014A quick best practice guide"},"content":{"rendered":"

Effective password management is a necessary evil when managing IT systems. Although users often fail to see the importance of complex passwords, there are several reasons they are essential:<\/p>\n

    \n
  1. Network Security<\/strong><\/a>
    \nWeak passwords give hackers an easy way into the infrastructure. As most modern systems have some level of remote access, this issue cannot be ignored.<\/li>\n
  2. Accountability<\/strong>
    \nUser authentication helps the IT department see who has done what on company systems. If password security isn\u2019t taken seriously, no one can be sure that users aren\u2019t using each other\u2019s passwords.<\/li>\n
  3. Internal Confidentiality<\/strong>
    \nBreaches in confidentiality can result from little more than a password that is common knowledge or a password written on a Post-it note attached to a user\u2019s monitor.<\/li>\n<\/ol>\n

    A bad attitude to passwords<\/strong><\/h3>\n

    If you\u2019ve been in the IT business for any length of time, you\u2019ve inevitably come across clients who don\u2019t really take password security very seriously. Some individuals genuinely believe the risk of security breaches is overstated.<\/p>\n

    You\u2019ve probably come across all kinds of views on passwords. Some IT consultants even encounter company bosses who insist all passwords (sometimes with the exception of their own) are exactly the same. These bosses are blind to the fact that a security breach is often as likely to be caused by a disgruntled former staff member as someone outside the organization.<\/p>\n

    If you still have clients who are stubborn about the importance of password restrictions, the most recent list of \u201cbad passwords\u201d should give you some ammunition to help convince them they should take things more seriously.<\/p>\n

    Here are the\u00a0most commonly used \u201cbad\u201d passwords in 2018<\/a>, as compiled by\u00a0SplashData:<\/p>\n

      \n
    1. 123456<\/li>\n
    2. password<\/li>\n
    3. 123456789<\/li>\n
    4. 12345678<\/li>\n
    5. 12345<\/li>\n
    6. 111111<\/li>\n
    7. 1234567<\/li>\n
    8. sunshine<\/li>\n
    9. qwerty<\/li>\n
    10. iloveyou<\/li>\n
    11. princess<\/li>\n
    12. admin<\/li>\n
    13. welcome<\/li>\n
    14. 666666<\/li>\n
    15. abc123<\/li>\n
    16. football<\/li>\n
    17. 123123<\/li>\n
    18. monkey<\/li>\n
    19. 654321<\/li>\n
    20. !@#$%^&amp;*<\/li>\n<\/ol>\n

      People certainly like those number-based passwords don\u2019t they? While it\u2019s pleasing to finally see the techie\u2019s old favorite of \u201cTrustNoOne\u201d disappear from the top 10, the presence of \u201cpassword\u201d consistently at number two is rather depressing.<\/p>\n

      As an IT professional, you\u2019re probably in a position of trust where you know quite a few of your clients\u2019 passwords. Are any of them using any from the top 10 list? Even worse, are you? If so, shame on you! Go change them now.<\/p>\n

      Setting policies for password management<\/h3>\n

      You need to set and enforce rigid password management policies for your customer\u2019s businesses to remain secure<\/a>. Most IT systems and servers allow network administrators to set detailed password policies dictating how complex each password should be and how often it must be changed.<\/p>\n

      When configuring these settings, it\u2019s important to strike an effective balance between IT security and how much complexity users can realistically handle.<\/p>\n

      Interestingly, the United States National Institute for Standards and Technology (NIST) has just revised its recommendations on passwords, and much of the previous thinking has been thrown out in favor of a more user-friendly approach. So if you\u2019re planning to set a policy, take these into consideration. The NIST password guidelines are important because they are the password policies that are set across the whole of the US public sector. They are often very sensible and provide a great template for all organizations and application-development programs.<\/p>\n

      Here\u2019s what NIST currently recommends\u2014some of which may surprise you. There\u2019s more than this to it (which you can find\u00a0here<\/a>\u00a0in this presentation from PasswordCon), but this is what\u2019s likely to be most important to MSPs.<\/p>\n