Free Trial
Products Products
MSP360 Backup Backup and Recovery
MSP360 Backup Backup and Recovery
Overview
back up DATA FROM
Windows VMware/Hyper-V MacOS Microsoft 365 Linux Google Workspace
BACK UP DATA TO
AWS Google Wasabi Azure B2 Local
MSP360 RMM IT Management MSP360 Connect included
MSP360 RMM IT Management
Overview
MONITOR AND MANAGE
Windows macOS Linux
Prevent cyber threats
Endpoint threat prevention and protection (powered by Deep Instinct)
MSP360 Connect Remote Access
MSP360 Connect Remote Access
Overview
Connect FROM
Windows Android MacOS iOS
Connect TO
Windows MacOS
Pricing
Pricing Pricing
MSPs Internal IT
Solutions Solutions
Business type
Industries
MSP IT Departments Small Busness
Healthcare Education
Business type
MSP IT Departments Small Busness
INDUSTRIES
Healthcare Education
use cases
ENDPOINT PROTECTION
Ransomware Protection Endpoint Threatbr
Prevention and Protection
powered by Deep Instinct
Remote Access
Web-Based Remote Access Remote Support Remote Access Remote Work Remote Collaboration
IT Management
Patch Management Monitoring and Alerting Remote Device Management SNMP Monitoring
Backup and Recovery
Server Backup Backup for Windows Backup to AWS Desktop Backup Backup for MacOS Backup to Wasabi File Backup Backup for Linux Backup to B2 Image-Based Backup Backup for VMware/Hyper-V Backup to Azure SQL Server Backup Backup for Google Workspace (GSuite) Backup to Google Cloud Synology NAS Backup Backup for Microsoft 365 (O365) Back Up Locally Recovery
Not sure if MSP360 is for you?
Request a Call
Resources Resources
MSP University Blog Whitepapers and Assets Videos Webinars Events Customer Stories Forum
Support Support
US-Based Support My Cases Open a Case Knowledge Base Online Help
Partners Partners
technology partners
AWS Wasabi Backblaze Google Cloud Microsoft Azure Deep Instinct
Partners
Resellers Distributors Become a Partner
ALLIANCE PARTNERS
Leet Cyber Security
Company Company
About Legal Information Events Careers Leadership Team Contact Us Trust Center
Blog Articles
Read MSP360’s latest news and expert articles about MSP business and technology
Password Management Best Practices for MSPs

Password Management Best Practices for MSPs

Password Management Best Practices for MSPs

The global cybersecurity landscape is evolving and continues to grow more dangerous by the day. More and more hackers are exploiting the relationship between organizations and their MSPs to compromise IT assets.

Since MSPs have unfettered access to their clients’ IT environments, gaining control of MSP remote management consoles provides attackers with access to privileged credentials. Given this risk, MSPs need to secure credentials and enforce password management best practices to prevent attackers from exploiting their clients.

To help you get started, let’s take a look at some password management best practices for MSPs.

Multi-Factor Authentication (MFA)

While MFA was a “nice-to-have” feature in the past, it has become a “must-have” in the face of today’s sophisticated cyberthreat landscape. If the software you or your clients use comes with multi-factor authentication, never turn it off. Be sure, too, to educate clients on the benefits of MFA and on how they can take advantage of it to ensure secure access to business-critical data and applications.

To get the most out of MFA, consider taking a layered approach to password security by leveraging biometrics, code-generating/hardware tokens, and other criteria (where possible) to ensure that there isn't a single point of failure in your IT ecosystem.

Further reading Two-Factor Authentication: Solutions, Methods, Best Practices

Employ a Password Generator Tool

The best passwords are randomized strings of text containing lower and upper case letters, as well as special and alphanumeric characters.

Since users have to create such random passwords for every account they own, they may have trouble remembering all the passwords — and as such, they end up creating passwords using text they can easily remember. To simplify this process, enterprises should use a password generator tool to create truly random strings based on character type requirements and length.

Use Centralized Access Management for Privileged Credentials

As an MSP, not only do you hold privileged passwords for your organization, but you also have access to those of your clients as well. To reduce the risk of malicious activities on company and clients’ businesses, MSPs need to centralize password management to see who is accessing what credentials and when they accessed them.

A centralized password management solution gives you full control over all credentials and allows you to grant access to admins on a case-by-case basis. No admin should have access to all privileged credentials. Also, a centralized solution helps in tracking and logging the access history of IT admins. Once an IT admin leaves, you can pull the history of all the credentials accessed and change them.

Further reading IAM vs PAM vs PIM: Guide to Access Management

Rotate Passwords

Your password management policy must include rules on how often your IT admins and client employees should change their passwords. Create and enforce policies that govern the rotation of passwords for the following accounts:

  • In-house systems and services
  • Line-of-business applications
  • Cloud services and portals
  • Network appliances
  • Clients’ systems accounts

However, do note that passwords should be changed and not recycled. When changing passwords, ensure that the new password is completely different from every other password ever used with that credential.

In particular, passwords to the accounts outlined above must be changed instantly when a breach is detected. This mitigates the spread of malware and ransomware and prevents hackers from gaining further access to your servers, networks, and databases.

  New call-to-action

In line with cybersecurity best practices, you need to change passwords for privileged credentials with access to sensitive data at least once every 3 months. To reduce the risk of malicious exploits from former staff, you should also change all passwords they may have had access to within six months of their exit.

Educate Clients on Password Best Practices

To remain secure, MSPs need to create and enforce rigid password management policies for client organizations. However, these policies won't be effective if clients are not aware of them. You should, therefore, educate both your techs and client employees on these policies. Inform them of the importance of maintaining password best practices at all times and on all levels — even for accounts that they deem unimportant.

MSP's Educational Posters on Password Security

The poster pack includes:

  • Best practices for creating strong passwords
  • Reminders on how secure passwords should look like
  • A chart to check if your password is secure enough
New call-to-action
Whitepaper icon

Know What Kind of Passwords Not to Use

The widespread use of commonly known passwords has been linked to several data breaches in recent years. The most popular password strings in use include:

  • 000000
  • 123456
  • password
  • 123456789
  • qwerty
  • abc123
  • login
  • admin
  • iloveyou

While this should be obvious, you may be surprised by the number of employees who use these passwords for enterprise accounts.

Wrapping Up

You can mitigate the risk of cybercriminals comprising your clients’ IT systems and data by creating and enforcing strict password management policies. Most data breaches can be prevented if MSPs and clients protect privileged accounts with non-recycled, complex passwords. Following through on the security best practices outlined above can help reduce threats from the password/user credential threatscape.

FREE ASSETS
MSP’s Assets to Stay Safe from Phishing
  • Phishing response checklist
  • Phishing awareness training slides
  • Anti-phishing posters
New call-to-action
Anti-phishing assets