One of the most important elements to think about when creating MSP security strategies is password creation. Numerous businesses and organizations have been compromised due to poor password-creation practices. Applications, websites and general software used in commercial setup require the creation of accounts, and the passwords for these accounts tend to be thought up quickly, leading to imperfect results.
As users have scrambled to create easy-to-remember passwords that conform to site-specific regulations, hackers and other malicious persons have dedicated their efforts to creating password-cracking resources for illicit purposes. This puts companies at a high risk of losing confidential data. Fortunately, the United States National Institute of Standards and Technology (NIST) has formulated new guidelines for password policies to better protect accounts.
These established guidelines can serve as great tools to help you create better password policies in your MSP business and elevate the security of your commercial clients.
Best Practices for Modern Password Security
Establish User-Friendly Password Policies
Make sure that password rules are user-friendly when creating password policies for your commercial clients. In simple terms, creating a password should not put a burden on the individuals establishing an account. This practice ensures that users are not stressed by the creation process, which can lead to better passwords and greater password retention.
Consider the Password Length
The NIST guidelines suggest that the passwords used to secure accounts should be at least eight characters long. This minimum length is important for enhancing your MSP security and improving the protection provided to your IT clients. However, if the data protected by the system or account is sensitive, the minimum length should be higher. Maximum character count is also important in the new guidelines. The NIST recommends raising the maximum from the typical 16 characters to a more secure count of 64, so that users who want long passphrases are not blocked from using them.
Compare with Common Passwords
For the sake of retention, many users create common passwords that are easily cracked. These passwords may include variations on a username or site name, dictionary entries or sequential numbers, and while easy to remember, they are also easy to guess. Such common passwords create a major vulnerability for any business because hackers will check the account against them first. A blacklist of banned words and known-compromised passwords prevents users from selecting them and minimizes the risk of account compromise.
What You Should Avoid
Composition Rules
The NIST recommends eliminating composition guidelines in new password policies. Complicated password guidelines can frustrate a user, which often leads to simple passwords that are easy to crack. For example, users capitalize the first letter of their usual password and add the number 1 to the end to conform to a composition policy that requires one capital letter and one number. Hackers know this and try this predictable pattern when cracking passwords.
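The length limits, the common-password blacklist and the "no composition rules" advice above can be combined into a single acceptance check. The following Python is an added example written for this article, not code from NIST or from any MSP product: it enforces the 8 to 64 character range, rejects passwords on a blacklist (the small COMMON_PASSWORDS set is a constructed stand-in for a real breached-password list), rejects passwords that contain the username or site name or a sequential run, catches the "Password1!" pattern by stripping appended digits and symbols, and returns actionable feedback instead of imposing uppercase/digit/symbol rules. The function and constant names are this example's own.

```python
import re

# NIST SP 800-63B length guidance as quoted in the article: at least 8, allow up to 64.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for a real breached/common-password list (assumption:
# a production system would load a far larger list, e.g. from a breach corpus).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "iloveyou", "admin", "welcome", "monkey", "football",
}


def _has_sequential_run(password, run=4):
    """True if the password contains a run of `run` characters that are
    consecutive ascending ("abcd", "1234"), descending ("dcba") or repeated ("aaaa")."""
    p = password.lower()
    for i in range(len(p) - run + 1):
        codes = [ord(c) for c in p[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(password, username="", site_name="", common=COMMON_PASSWORDS):
    """Return (accepted, feedback) where feedback is a list of plain-language
    reasons the user can act on. Deliberately no composition rules: any
    character is allowed and nothing is required beyond length and the
    blacklist checks, as the NIST guidance recommends."""
    problems = []

    # Length is counted in characters, not bytes, so non-ASCII passphrases are not penalised.
    n = len(password)
    if n < MIN_LENGTH:
        problems.append(f"too short: {n} characters, minimum is {MIN_LENGTH}")
    if n > MAX_LENGTH:
        problems.append(f"too long: {n} characters, maximum is {MAX_LENGTH}")

    low = password.lower()

    # Exact match against the blacklist (case-insensitive).
    if low in common:
        problems.append("appears on the common/breached password list")

    # Catch the composition-rule workaround: a common word with digits or symbols appended.
    stripped = re.sub(r"[\d\W_]+$", "", low)
    if stripped != low and stripped in common:
        problems.append("is a common password with digits or symbols appended")

    # Context-specific words (username, site name) are easy for an attacker to guess.
    for label, ctx in (("username", username), ("site name", site_name)):
        if ctx and len(ctx) >= 3 and ctx.lower() in low:
            problems.append(f"contains the {label}")

    if _has_sequential_run(password):
        problems.append("contains a sequential or repeated run of 4+ characters")

    return (not problems, problems)


if __name__ == "__main__":
    for candidate in ("Password1!", "correct horse battery staple", "alice2024!", "abcd1234"):
        ok, feedback = check_password(candidate, username="alice", site_name="contoso")
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} {feedback}")
```

The feedback strings are what a sign-up form would show the user, which is the "actionable feedback on password strength" the guidelines call for. Note that a long passphrase such as "correct horse battery staple" passes with no complaints even though it has no capitals, digits or symbols, while "Password1!" is rejected despite satisfying a typical composition policy.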
Password Hints
Password hints may seem like a user-friendly feature for those who have forgotten their password. However, password hints present a security weakness that hackers can exploit to gain access to accounts. For optimal security, new password policies should not include a provision for hints.
Knowledge Authentication
There are numerous accounts and systems that use knowledge-based authentication, and it may seem like a great feature if a user forgets their password and needs to regain access to the account. However, this method is one of the most unreliable for user identification. The questions used in knowledge-based authentication are often generic, and the answers can be found with a little research on social media.
Conclusion
The new NIST guidelines on password creation balance the needs of users against the authentication processes that deter hacking. In order to make passwords harder to crack, the process includes actionable feedback on password strength. Along with lenient requirements, these guidelines help users create passwords that are easy to remember without being easy to crack, leading to better MSP security.