operations security processes technology stack communication Technology service desk cybersecurity data protection
Image Above: MSP Technicians working in the Help Desk and Network Operations Center (NOC) at Collabrance in Cedar Rapids, Iowa.
The Importance of Implementing Strong Passwords
Weak passwords are still a very big issue.
I recently purchased a home. I was excited to have a nice sized space for my family. We crossed the T’s and dotted our I’s and the place was ours! When we received the keys, I asked the realtor for the garage code. She looked at her file and said the code was “1234.” “Gee I hope that isn’t someone’s first guess,” I said sarcastically, the realtor and mortgage banker chuckled a bit. This interaction got me thinking of all the times, as a Managed Security Service Provider (MSSP) technician, customers have asked me if we can reset their password to “password” or “123456” or just nothing at all. I thought about my comment in the bank office and how it was painfully true.
Cybercriminals, disgruntled employees, and even angry spouses always try those common passwords first.
Why? Because many people still have their passwords set to those low security, easy to remember options. Today, I read somewhere that the average person has 20+ online accounts. With this many accounts to keep track of, it’s easy to be tempted to set your passwords to something easy to remember or easy to type. However, this practice can cause big security problems! Not only do cybercriminals try those passwords, but their programs will try them too. Cybercriminals often use password cracking tools that can run through thousands of different combinations within minutes. If a user's credentials are easy to guess, it wont take long for it to be cracked.
Why users should use different passwords for different accounts.
In my experience working on an IT help desk, many users tend to have the same (or very similar) credentials for multiple applications. What if a user is using the same password for social media and their active directory account? What if that user is one of the hundreds of millions who had their Facebook password breached? If a cybercriminal now has your user’s Facebook credentials, they may now have the keys to confidential files, VPN, maybe even the server.The whole business can be compromised because one person decided to take the easy route and use the same password.
Strong password policies are the new norm.
These days, most services require a strong password. Even simple things like fast food mobile applications have password policies. Shouldn’t your MSP at least require similar password standards? How important is the safety of your user’s organization to your MSP.
Small to medium sized businesses are a top target for cybercriminals.
One reason for this is they often do not have the stronger cybersecurity policies that large corporations tend to have. However, even the large organizations still have vulnerabilities. Ransomware runs rampant. Cybercriminals are attacking personal accounts, non-profits, small business, corporations and even cities.
What can MSPs do to help protect their users?
As a MSP/Help Desk team, there are some simple precautions you can take to ensure users have a strong passwords. One of the first things you should do is require users to have complexity in their passwords and update them often. This would mean if a user is allowed to change their own domain password, it will not accept the new password if it doesn’t meet the complexity requirements.
- At least 1 uppercase letter
- At least 1 lowercase letter
- At least 1 number
- At least 1 symbol
- No common names or words associated to your username or email address
- No repeating numbers or symbols
- At least 9 characters
- Cannot contain words or phrases from previous password
- Randomizing Passwords: Many users tend to have a “root word” then select the same letters, numbers and symbols to follow it. Hackers know this. If they can find the common root word or the common follower, it’s only a matter of time before they figure out your new password. When you randomize your password, it’s much harder to figure out.
- Example: Is this case, the root word is “Password” and the common follower is “123!” If a user was asked to update their password, it is likely they would choose something like “Password 321!” or “Admin123!”.
- Suggestion: RANDOMIZE! What if the new password was P@s$W0rd52? This password is much more complex, yet it is still fairly easy to remember. (We do not recommend using the word “password”.)
- Example: Is this case, the root word is “Password” and the common follower is “123!” If a user was asked to update their password, it is likely they would choose something like “Password 321!” or “Admin123!”.
- Phrases: Many users are turning to passphrases now. This technique helps them remember their credentials. It also helps with exceeding the security requirements.
- Example: Th3ManOnTheM00n!
- This is a fairly simple phrase to remember. However, it has 17 characters with randomization.
- Example: Th3ManOnTheM00n!
- Single Sign-On (SSO) or Password Keepers: There are many options available when it comes to password management. Solutions like OKTA or even something like a password keeper can help users remember passwords and stay better secured. In the case of OKTA, an MSP is still able to require a user to update their passwords regularly. However, the program will remember it for them.
- Multi-Factor Authentication (2FA): 2-Factor Authentication, Multi-Factor Authentication or 2FA (However you prefer it) is a great way to add another layer of cybersecurity during sign in. Not only does the user submit their password, but then they will receive a code on their mobile phone to verify their identity. Many applications are already moving to this security protocol.
Communicate the "Why" to your end users.
These password policies may appear to be extra work or be perceived as an inconvenience. However, strong password policies are a small inconvenience worth enduring since it can help save a user and their company from major cybersecurity issues in the future. Providing security awareness trainings and having conversations with your customers explaining to them the “why” behind these password policies will go a long way in enforcing the use of stronger passwords, as well as empowering your customers to know they are doing their part to help protect their company and themselves.
Cybersecurity you and your customers need and can trust.
Customers are relying on their MSP to help manage cybersecurity risks for them. If your MSP is looking to expand your managed security offering, take a look at how our MSSP Offering can help you and your customers.
