Email security, MSP

Password Best Practices and Tips for MSPs

Malware phishing data concept

For MSPs, advising their customers about mobile device management, safe password creation, identity management, and the dangers of weak passwords are some of the most important services that they can provide in 2024. As MSPs and MSSPs increasingly form the first line of defense against cyberattacks, strengthening password security offers a great place to start shoring up their customers' defenses.

SMBs Under Fire

World Password Day is May 2, 2024, and it's a great opportunity to revisit just how easy it is for attackers to overcome weak passwords and a lack of overall password strategy and training efforts. Without strong password security, many SMBs and larger enterprises leave themselves open to devastating cyberattacks, ransomware attacks, and other cybersecurity dangers that can cost business thousands or millions of dollars to resolve.

And it is not just large corporations that face these huge dangers, said Gaidar Magdanurov, president of cybersecurity and data protection vendor, Acronis. “The problem is that most of the customers don't see passwords as a necessary security measure, “ he said. “For them, it is a waste of time. It is super inconvenient.”

This means that MSPs must work even harder to help their SMB customers come to grips with the real threats they are facing if their users are not always practicing secure password habits and procedures, said Magdanurov. “In my experience with MSPs, what actually works is educating customers that bad passwords are going to cost them -- through successful cyberattacks, stolen data, and other repercussions," he said.

MSPs also must fight inaccurate information about the dangers of password attacks and intrusions, said Magdanurov, especially with regard to ransomware attacks on smaller companies in recent years. This problem is growing exponentially as SMBs are increasingly being victimized by these attacks.

“In the past, attacking small business was not profitable for cybercriminals running ransomware attacks because they could not yield large cash ransom payoffs from these smaller businesses," said Magdanurov.  But that has changed, and even SMBs are now the targets of such attacks, which are harder for them to afford to pay and can be more devastating to their smaller operations, especially if ransom amounts rise to thousands or millions of dollars.

“The latest Google Threat Horizons report said 86% of breaches are due to compromised passwords,” he said. “So, basically, almost everything happens because of password weakness.”

How big a problem is this? Ask UnitedHealth Group, whose poor password hygiene eventually resulted in a $22 million ransomware payout to cyberattackers, according to a May 1 story from CNBC.com.  The CEO of the company, Andrew Witty, appeared before a U.S. Senate Committee on Finance hearing about the incident and admitted that the ransom was paid for its subsidiary Change Healthcare. The breach happened because cybercriminals were able to access Change Healthcare through a vulnerable server that was not protected by multi-factor authentication, or MFA. UnitedHealth now uses MFA in all its systems.

Ransom-based cyberattacks are becoming a more common threat vector for SMBs. Magdanurov cited a Mediterranean cybersecurity vendor that is handling a growing number of clients trying to recover from ransomware attacks. “They handled 1,100 ransomware negotiations in the last two years – that's more than twice a day,” he said. “It’s crazy.”

Better Password Education Starts With MSPs

One of the best things that MSPs can do to help protect their customers is to fully and frequently educate their clients and individual users about why strong passwords matter and why they must be vigilant, said Magdanurov.

That means advising customers about how to create strong passwords and policies, giving plenty of easy-to-use examples and lots of specifics on how this affects their business and the security of their jobs if a costly and successful cyberattack occurs. An easy place to start is creating strong passwords using at least eight characters with a generous mix of uppercase and lowercase letters, as well as numbers and symbols.

MSPs can also provide other best practices to customers, including implementing the use of password managers for employees and deploying systemwide password management tools using the features built into Microsoft Entra ID, which was formerly known as Azure Active Directory. Wrapping more controls around passwords to help SMBs better protect themselves is a solid strategy and highly effective, said Magdanurov. This can also include other related strategies including zero-trust layers, deeper identity management, and tightly written password policies.

SMBs that use systemwide password controls will have the best results and protections, said Magdanurov, because they can quickly and easily revoke passwords when an employee leaves the company or if they think an  account is compromised.

Don't Forget Social Media Password Protections

While it is great to batten down the hatches on an SMB's passwords for its systems and business applications, it's also important to use strong passwords for external-facing social media accounts used by employees and the company itself, said Magdanurov.

“SMBs may have some services that are not protected by one central ID, including social media accounts,” he said. User passwords for these accounts must also be configured through an SMB’s password management systems to better protect the company, said Magdanurov. Without thorough planning, these kinds of things can be overlooked and become threat vectors for attacks, he said.

MultiFactor Authentication for Password Protection

Raffael (Raffy) Marty, executive vice president and general manager of cybersecurity for IT services platform vendor, ConnectWise, said other password best practices include multi-factor authentication (MFA) technologies, which add another layer of identity verification and makes passwords stronger.

“It’s a great additional factor of security,” said Marty. “MFA is better than just using passwords.”

Adaptive and zero-trust approaches can also be adopted, which add further protections for passwords and overall IT system security, he said. Zero-trust systems mandate strict verification steps for anyone trying to log into a system and trust no one until they get it, making it a strong protective layer, said Marty.

Fighting Weak Passwords Must Be Constant

Carla Roncato, vice president of identity for MSP cybersecurity platform vendor WatchGuard Technologies, told ChannelE2E that customer education is a never-ending task for SMBs in the cybersecurity wars against attackers.   

“Often, an organization’s password management practices do not reflect the reality of employee password habits and behaviors,” said Roncato. “Year after year, studies like the annual Verizon Data Breach Investigations Report consistently rank the human element as one of the top factors driving breaches. Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people and their passwords continue to play a large role in incidents and breaches alike.”

To battle those threats, corporate cybersecurity training needs to emphasize to employees how important their role is in stopping breaches, starting with the right password practices, she said. “Weak and reused passwords are a hacker’s dream and unfortunately, they have many tools at their disposal to attack and breach organizations, which is why awareness is key for MSPs and MSSPs to help their customers recognize and quantify the level of identity and credential risk.”

Todd R. Weiss

Todd R. Weiss is a contributing editor to ChannelE2E and MSSP Alert. He is an award-winning technology journalist and freelance writer who covers the full range of B2B IT topics. He served as managing editor at EnterpriseAI.news and was a staff writer for Computerworld and eWeek.com. He is a diehard Philadelphia Phillies, Eagles, Flyers and Sixers fan and says he is the world’s worst golfer.

You can skip this ad in 5 seconds