kras99 - stock.adobe.com
Passwords. They seem to be every user's worst nightmare.
To keep track of them, users will write their passwords in notebooks or on sticky notes. Worst yet, users will keep their passwords in plain text files -- usually named something clever like "passwords.docx" or "passwords.txt" -- on their local computer or the network. And many users have given up on trying to randomize their passwords. Instead, they use the same password (or a variant) for every site or system that requires a login.
A year ago, I worked with a customer's employee who revealed their network password was "Password1," which was written in a document on their computer. "Password1" met the criteria for a valid password, so nothing prevented the employee from using it. When I pointed this out to the company's CIO, he was shocked. The fact that such a simple password could be used to access the network convinced the CIO that the organization needed password management tools and user education. I persuaded the company to implement a strong password policy and two-factor authentication.
Users with poor password hygiene practices make an MSP's job harder. If a customer's employees lack education on proper password management, the results can be disastrous.
Here are five tips to protect customers' passwords.
Scan the network for password files
As a first step for mitigating password risks, MSPs can scan a customer's network and endpoints for various types of password depositories. Look for documents, text files or spreadsheets that contain the word "password."
If the scan turns up any files, take the issue to the customer's management. Explain what would happen if the user's files leaked or if a phishing attack compromised the user's account.
Update password policies
Customers' password policies should require employees to use long and complex passwords. Teach them how to use passphrases with characters that replace letters, such as the "@" symbol for the letter "a" or the number 3 for the letter "e."
Employees should change their passwords at least once every three months. Additionally, employees should be prohibited from recycling passwords. If an employee uses an old password, there is a chance that password already exists on the dark web where hackers can exploit it.
While multifactor authentication (MFA) may frustrate users, it is critical for the safety of the network. A few additional seconds to authenticate a login is worth the trouble.
Deploy password management tools
MSP should convince customers to use password management and single sign-on tools such as Okta or a comparable product. The market offers an array of options that can be tailored to an organization's needs.
These tools provide password randomization, single sign-on for many sites and MFA. If trained properly on a password management platform, users will never again need to write down or come up with passwords.
Password management tools can also benefit organizations by making it easier to set up and manage shared user accounts. Many times, a marketing department will need to share credentials for social media accounts within or across departments. Password management tools will assign the applications and passwords to specific individuals or departments. As a result, users won't need to share the passwords via email or a password document. The passwords are centralized, secured and hidden from users.
Provide user training
Every organization needs user training on how to properly store and handle personally identifiable information. Additionally, users should learn about phishing attacks. Many of the available training programs do an excellent job educating users about the dark web, compromised accounts and detection of phishing attempts.
Security training and education are valuable tools that can help users understand the consequences of improper password management. Since users are the weakest link in a security program, the more educated they are, the better protected the network will be.
About the Author
Amy Jones is president of Quad M Tech, an IT consulting and services firm based in Manassas, Va. Jones is also a member of The ASCII Group, a North American IT community of more than 1,300 MSPs, solution providers and system integrators.