The majority of users, whether new employees or CEOs, don’t realize that even if their password meets complexity requirements, it doesn’t mean it’s secure. In fact, many common password policies are overdue for an update, as for several years now cybercriminals have been taking advantage of these password policy weaknesses.
These issues are compounded by password reuse—a very common user habit—and the illegal distribution of compromised credentials on the dark web. Addressing the security of passwords is a pressing issue for organizations of all sizes. So, what can MSPs and MSSPs do to help their customers?
1. Use a Password Auditing Tool
If you don’t know where to start, no problem: begin by collecting some data about the current state of affairs. Auditing the passwords used in your customers’ network can be an excellent starting place when trying to grasp just how big the issue is, and where common problems might be found.
Consider using a password auditing tool, like Enzoic for AD Lite. This tool scans the Active Directory environment and identifies common and weak passwords, breached and exposed passwords, and passwords that have been re-used.
2. Scan the Network for Password Files
As another way to gauge the extent of a customer’s internal security issue, MSPs can scan a network in search of places where users might be “hiding” their passwords. By looking for documents or files that contain the word ‘password,’ or ‘credentials,’ you might be surprised how much you come up with.
If users store plain text files filled with network passwords within the system, it’s like handing a criminal the entire set of keys to a building right as they climb in a window.
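As an added illustration of the scan described above (not code from the article or from any vendor), the following Python script walks a directory tree and flags files whose name or text content contains the words ‘password’ or ‘credentials’. The keyword list, file extensions and every sample file it creates are constructed for the example.

```python
import os
import re
import tempfile

# Keywords the article suggests looking for; a real audit would extend this list.
KEYWORDS = ("password", "credentials")
KEYWORD_RE = re.compile("|".join(KEYWORDS), re.IGNORECASE)
# Only read the contents of text-like files (chosen by extension here; a
# production scanner would sniff the content type instead).
TEXT_EXTENSIONS = {".txt", ".csv", ".md", ".ini", ".cfg", ".log"}
MAX_BYTES = 1_000_000  # skip huge files so the scan stays cheap


def scan_for_credential_files(root):
    """Walk `root` and return a sorted list of (relative_path, reason) for
    files whose name or text content mentions one of the keywords.
    Paths use '/' regardless of platform so results are easy to compare."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if KEYWORD_RE.search(name):
                hits.append((rel, "filename"))
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext not in TEXT_EXTENSIONS or os.path.getsize(path) > MAX_BYTES:
                continue
            # errors="ignore": we only need to spot keywords, not decode exactly
            with open(path, "r", encoding="utf-8", errors="ignore") as f:
                if KEYWORD_RE.search(f.read()):
                    hits.append((rel, "content"))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed directory tree in a temp dir and return its path.
    Every file name and string here is made up for the example."""
    root = tempfile.mkdtemp(prefix="pwscan_")
    samples = {
        "shared/Passwords.txt": "vpn account: <constructed placeholder>\n",
        "finance/notes.txt": "The portal credentials are on the sticky note in the drawer.\n",
        "finance/budget.csv": "quarter,amount\nQ1,100\n",
        "it/logo.png": b"\x89PNG\r\n\x1a\npassword",  # binary: skipped by extension
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        mode = "wb" if isinstance(content, bytes) else "w"
        with open(path, mode) as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in scan_for_credential_files(build_sample_tree()):
        print(f"{reason:8} {rel}")
```

Run it against a real share by replacing `build_sample_tree()` with the share’s mount path; the filename match is cheap and catches the obvious “passwords.txt” cases, while the content match finds notes that merely talk about where credentials are kept.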
3. Require MFA
Multifactor Authentication (MFA) is a way of layering independent methods of confirming a user’s identity. Authentication layers are drawn from three categories: something you know (like a password or passphrase), something you have (like a one-time code sent to your phone), and something you are (like a retina or fingerprint scan).
Unfortunately, voluntary adoption of MFA is very low, as users dislike delaying their login process any more than necessary, even if they know it increases their account security. Requiring MFA, despite the possibility of user frustration, can be the most effective way to ensure the layers are being used properly by everyone.
The key to MFA, however, is keeping each layer strong. Even when introducing an additional authentication factor, the first layer—often the password layer—should not be neglected. Think of doors that have a simple lock as well as a deadbolt; they work best in tandem. If someone finds the key to one of them, it’s still difficult to break in because of the other. In the same vein, even if you’re also using fingerprint scans, don’t let up on your password policies. Passwords are invariably maintained as a fallback authentication method, so they must be kept secure.
4. Require Password Management Tools
Depending on what the network audit shows, requiring users to engage with a password management tool could be an excellent step towards defensive security. Many management tools can generate random, complex passwords that automatically load when prompted. Some tools also have SSO and MFA built in, so shop around.
Proper use of a password management system can mean that users are no longer tempted to write down their passwords on sticky notes or in a “secret” document or share them with coworkers.
5. Create Strong, Modern Password Policies
When clients are ready to update their password policies, remember that guidelines from NIST can be an excellent resource. Depending on the client you’re working with, full compliance may or may not be desired, but regardless, NIST recommendations can serve as a reference point. The research and data that the NIST guidelines are based on provide a comprehensive explanation of why modern password-safety strategies are needed.
Many authentication strategies boil down to being password-based in some way, whether the primary authentication method or a backup. When creating password policies, consider the following recommendations:
- Allowing users to use all characters in their passwords
- Decreasing arbitrary complexity rules (e.g., not requiring special characters)
- Getting rid of the periodic password reset
- Increasing the character allowance so that long passphrases are accepted
- Screening passwords against a blacklist
It’s worth mentioning that this last recommendation, screening against a blacklist, is one of the most cost-effective solutions an organization could pursue. Comparing in-use and newly created passwords against a list of already-breached passwords can mean that users are kept safe on an ongoing basis, which also means the organization is protected—without putting tons of pressure on the users themselves.
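The following Python example is added here to show what the policy points above look like as code; it is not the article’s or any product’s implementation. It accepts any characters and imposes no composition rules, enforces only a length range, and screens both new and in-use passwords against a breached-password list. The minimum and maximum lengths, the use of SHA-1 as the list’s hash format, the breached-hash set and the sample account export are all assumptions made for the example.

```python
import hashlib
import unicodedata

MIN_LENGTH = 8     # assumed minimum, in the spirit of the NIST guidance cited above
MAX_LENGTH = 128   # generous ceiling so long passphrases are accepted


def sha1_hex(password):
    """Hash a password the way offline breach lists are commonly distributed
    (SHA-1 hex is an assumption; use whatever format your list provides)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed blacklist for the example. A real one holds many millions of
# hashes of passwords seen in breaches and is refreshed regularly.
BREACHED_HASHES = {sha1_hex(p) for p in ("password", "Password1!", "Summer2023!", "letmein")}


def evaluate_password(candidate, breached=BREACHED_HASHES):
    """Return (accepted, reason). Deliberately no character-class rules:
    spaces and any Unicode are allowed, and a long all-lowercase passphrase
    passes as long as it is not on the breached list."""
    # Normalize so visually identical Unicode spellings hash the same way.
    normalized = unicodedata.normalize("NFKC", candidate)
    if len(normalized) < MIN_LENGTH:
        return False, "too short"
    if len(normalized) > MAX_LENGTH:
        return False, "too long"
    if sha1_hex(normalized) in breached:
        return False, "found in breach list"
    return True, "ok"


# Constructed export of username -> SHA-1 of the current password, standing in
# for whatever hash export the directory can produce (an assumption).
SAMPLE_ACCOUNTS = {
    "alice": sha1_hex("letmein"),
    "bob": sha1_hex("correct horse battery staple"),
}


def screen_existing(accounts, breached=BREACHED_HASHES):
    """Ongoing screening of in-use passwords: return the sorted usernames whose
    stored hash appears in the breached list, without handling any plaintext."""
    return sorted(user for user, h in accounts.items() if h in breached)


if __name__ == "__main__":
    for pw in ("Password1!", "correct horse battery staple", "Tr0ub4d"):
        print(pw, evaluate_password(pw))
    print("accounts to reset:", screen_existing(SAMPLE_ACCOUNTS))
```

Note the contrast the example makes: “Password1!” satisfies a classic complexity rule yet is rejected because it appears in the breach list, while a long, all-lowercase passphrase is accepted. Rerunning `screen_existing` whenever the breach list is refreshed is what replaces the periodic reset; only the accounts that actually turn up in a breach get asked to change.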
6. Provide User Training
When new rules and changes are implemented, it’s easy for employees to be frustrated, especially if they don’t understand why they’re being asked to change their habits. However, with training and education, users can also become more astute when spotting phishing emails or suspicious account activity. User training can help everyone.
MSPs and MSSPs have a critical role in helping clients with the important topics of poor user habits, weak passwords, and necessary changes. By emphasizing the importance of securing the password layer and offering solutions, MSPs will not only be on their way to excellent customer relations, but they’ll also be linchpins in improving cybersecurity across industries.