By Florin R. Ferrs (Tech Writer)
Nothing keeps IT managers and MSPs more awake at night than the knowledge that their customers’ (or, God forbid, their own) C-Suite thinks that the best password storage solution for their business is a shared Google Sheets document.
Another dark thought haunting IT managers is the prevalence of weak passwords among their customers or, even worse, their own team.
Even more worrying still is the thought that some users on your team or network use the same password everywhere. This is much worse when that password includes your company name, like the password at the center of the infamous SolarWinds hack.
SolarWinds Password Hack
The SolarWinds hack was a cybersecurity breach that famously (or infamously) enabled foreign hackers (who many believe were from Russia) to spy on private US companies and on the upper echelons of the US Government, including the Department of Homeland Security and the Treasury Department. The fact that the hack went undetected for many months only adds insult to injury.
According to SolarWinds’ CEO, the original security breach that enabled the hack began (innocently enough) when a SolarWinds “intern” set the password “solarwinds123” on their update server, no less, and then posted it on his GitHub for any friendly hacker to find (as they did).
The fact that a major IT company in this day and age still allows their staff to create passwords like solarwinds123 is baffling, to say the least. The fact that this password ended up being used to access their update server, and then stored in GitHub is a lapse of almost criminal proportions. It’s like leaving nuclear launch codes in a shared forum for hackers. In two words: No Bueno.
So what should smart IT Managers and MSPs do in order to prevent this? And don’t think for a minute that your company isn’t vulnerable to this. Blind spots happen, and they happen more often as your business grows. SolarWinds was advised of this vulnerability as far back as 2019, and experts estimate that their servers had been using that infamous solarwinds123 password since at least 2017. The fact that the SolarWinds CEO blamed the whole thing on an “intern” instead of taking full responsibility for lacking a cohesive and preventive password management philosophy just added salt to the wound.
You Need a Password Manager + A Password Strategy
Everybody needs a password manager. Whether you’re in tech or not, password managers have become a necessity due to the simple fact that almost every website you visit and use on a daily basis insists you create a user account with a password.
This makes it very tempting to create a single password for all the “unimportant” sites you visit. Don’t give in to that urge: hackers can breach one of those “unimportant” sites and extract enough personal information to get into your more important ones, like your bank account or, in SolarWinds’ case, their update server, which then enabled hackers to install malware in thousands of US government servers.
Why Do You Need A Password Storage Strategy?
Julius Caesar famously said that a wall was only as strong as the people defending it. As IT Managers and MSPs know, a big part of their job is to stay one step ahead of the baddies in their permanent cold war against hackers. Yes, password management software is a crucial tool in the IT Manager’s arsenal, but password management software alone is not going to prevent an “intern”, or even worse, a customer, from saving your important server passwords in GitHub. Nor will it stop them from using the same password for everything, or from creating the classic “YourCompany123” that can only lead to hurt.
IT Managers and MSPs have to have a password management strategy in place and they also have to have an education strategy to educate all their customers, team members, and C-Suite staff on what your company’s password management policy is, and how to use the tools provided to safely manage passwords.
Password Management Software
There are a lot of password management software tools out there. As we mentioned before, selecting a good password manager is only half the battle, but it’s a crucial part that can’t be ignored. Below are five of the most popular password management tools preferred by IT Managers and MSPs today.
One of the most popular amongst IT pros, IT Glue features powerful documentation management features to store all your passwords and other important documents that your team needs on a regular basis.
RoboForm started as a tool designed to automate filling out personal data, but it soon adopted password management. IT Managers like it because they can store passwords as well as aid in form filling online.
Dashlane offers great UI/UX and makes smart password management a breeze, with many security-focused extras. A new favorite amongst the IT crowd.
LastPass has been a long-time favorite of IT Managers and MSPs due to the strength of its free tier, which includes all of the standard password manager capabilities, plus a few features that other services restrict to paid accounts.
1Password does what it promises: it enables users to sync passwords to access all their sites, across browsers and devices. It offers great bang for the buck on its paid version (and a generous 30-day free trial).
Password Management Safety Checklist
As we said before, your password management tools are only as good as your general password management strategy. Your first focus should be education: Let all your techs, customers, and C-Suite know about the importance of keeping passwords safe and creating unique passwords stored in your preferred password manager tool. You can use a tool like SherpaDesk’s knowledgebase to create articles and on-boarding journeys for your techs and customers to use so that bad password habits don’t creep in.
1-Make sure you always use 2FA (two-factor authentication) when available. Also, set a password complexity policy requiring randomly generated passwords of 15+ characters. Bonus points if you use hardware like YubiKey for your 2FA.
2-Use a solid password management tool like IT Glue, Dashlane, or the others mentioned above and make sure all your team and customers know how to use them and how to install them on their browsers and smartphones.
3-Never store passwords in plain text anywhere on computers or on your network.
4-Set up mail flow rules that search the body or subject line for keywords such as “password reset”, “confirm your email”, etc. Set them so that those emails get redirected to a manager, and train staff and MSP customers to always go to their manager or IT department for internal software password resets.
5-IT Managers and MSPs need to have a strong confidentiality agreement with their customers and internal staff stressing the importance of password security and discouraging staff and customers (through training) from talking about their company’s password security.
6-Set up different admin passwords for each site. Admin passwords should be different for each client and securely stored in your password management system.
7-Third-party vendors requesting remote access to one of your clients must be authenticated by management.
8-Develop an authentication strategy with your clients. Create a security phrase for each client for requesting password resets.
9-Keep your customers' mobile phone numbers on file. If a customer calls or chats with a security-related request like a password change, you can then call them back to verify their identity.
10-Set up an authentication protocol for security-related help desk calls. This will prevent issues like a disgruntled employee calling and pretending to be the company owner, saying they were locked out of their email. Or worse still, asking you to point their DNS servers elsewhere!
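To make item 1 and the “YourCompany123” problem concrete, here is an added example (not from the original article or from any product named above) of a policy check that flags short passwords, passwords built on the organisation's name, and the word-plus-digits shape, alongside a generator for compliant random passwords. The substitution table, rule names, and function names are assumptions made for illustration.

```python
import re
import secrets
import string

# Assumption: substitutions people commonly use to "disguise" a familiar word.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
# The "YourCompany123" shape: letters, then 1-4 digits, then optional symbols.
_WORD_DIGITS = re.compile(r"[A-Za-z]+\d{1,4}[^A-Za-z0-9]*")


def _normalize(text):
    """Lowercase, undo common substitutions, drop separators and symbols."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(_LEET))


def policy_violations(password, org_terms, min_length=15):
    """Return the rules the password breaks (an empty list means acceptable)."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    folded = _normalize(password)
    if any(_normalize(t) and _normalize(t) in folded for t in org_terms):
        problems.append("contains_org_name")
    if _WORD_DIGITS.fullmatch(password):
        problems.append("word_plus_digits")
    return problems


def generate_password(org_terms=(), length=20):
    """Random password from the OS CSPRNG; regenerate on the rare policy hit."""
    if length < 15:
        raise ValueError("length must be at least 15 to satisfy the policy")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate, org_terms):
            return candidate


if __name__ == "__main__":
    terms = ["SolarWinds"]  # names to ban: company, product, and client names
    for pw in ("solarwinds123", "S0larW1nds-Update-2021!", generate_password(terms)):
        print(f"{pw!r}: {policy_violations(pw, terms) or 'ok'}")
```

A check like this belongs wherever passwords are set or rotated; length and symbols alone do not help when the password is still built around the company name, as the second sample shows.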
What password security policies are you currently implementing?