If you’re like anybody who uses computers today, you’re dealing with passwords. I alone have more than 58 just for the websites I use on a regular basis. That doesn’t include any hardware passwords, Wi-Fi passwords, computer logins, or clients’ passwords. We all have too many to remember, and nobody is exactly sure who is responsible for something we all love to hate.
Passwords enable us to restrict access to only those who are permitted. Restriction of access is nothing new. It has been used for thousands of years, such as sentries in Roman times requiring someone to have special knowledge to pass. One thing we do know is that the minute we attempt to restrict access it invites abuse by both those with access and those without.
Why do we still use passwords?
You would think that with all of today’s computing power we would be able to come up with a better method of restricting access than passwords. The problem is not one of technology, though. It’s unfortunately a problem of legality. What am I talking about? In simple terms (I’m just a simple person), the courts can legally issue an order that requires a person to produce anything physical to unlock what is protected.
The courts cannot issue an order that requires a person to produce knowledge to unlock what is protected. That means they can force you to produce a fingerprint or iris scan or other “physical” means of gaining access, but if you know something that unlocks the protected material it’s not legal to force that out of you. Hence, the ubiquitous password or knowledge-based lock is not likely to change anytime soon.
Passwords don’t have problems, do they?
If we only had two or three passwords to remember, it would be much easier for people to manage and deal with. This situation brings us one of the first problems in password usage—reuse of the same password. We’ve all done it. We can’t remember each and every password so we use the same one for all of our accounts.
Eventually, one of the places where we used our “special secret and reused” password WILL get hacked, and when it does, your information (and everyone else’s) is published for all the world to see. The clever hacker then tries your information on every other password-requiring system they can find. If you’re reusing your passwords, your chances of compromise go way up. There is a close sibling to this problem, and that is never changing your password. If you regularly change your passwords, the chance of an account being hacked goes down.
In addition to the previous problems, there is the challenge of “documenting” your password. Does anyone remember the movie Ferris Bueller’s Day Off? Ferris knew where the school employees wrote the computer password down. Ever walk into an office and see a computer monitor with a bunch of sticky notes on it with every password they need? With today’s cellphone cameras you can walk into an office, snap a picture of the monitor, review the picture later, and zoom in on all that private information. The person who walks into the office pretending to sell cookies or candy just might be a hacker in disguise—pretending to be on a call as they snap away.
What can be done about the problem?
The most recent attempt at preventing access is to require more than one thing to grant access. This method is called multi-factor authentication. In this method, we require the person to know something, like a password, and to have something, like a cellphone to send a text to or an email account or perhaps a fob on their keyring or employee badge. With multi-factor authentication, even if you know the user name and password, you still cannot get access. The downside to this method is that not all systems are able to take advantage of this capability. Hardware passwords are an example of this.
What’s an MSP to do?
View this situation as an opportunity, NOT an obstacle! Here are some facts for the MSP to ponder. The government is now requiring a more responsible attitude about passwords. Beginning this year, any tax preparation software that is blessed by the IRS requires complex passwords that are rotated every 90 days, and QuickBooks is following suit. Just imagine the problem for accounting firms with dozens or hundreds of clients’ QuickBooks files that need to be kept up to date.
Think about the potential for helping customers solve this ever-expanding password management problem. But you need to do it right, and that means fixing yourself first. As the saying goes, you need to try walking yourself on a leash, eat your own dog food, walk your talk, practice what you preach. Whatever cliché you prefer, it all means the same thing—you need to be able to manage your own passwords.
Find a password management product that you like and can rebrand as your own product (just like what you can do with Intronis ECHOplatform). The password management product should also enable you to share information with others, and it should have an audit trail of who has seen or done what in case there is employee turnover for the MSP or the client. THEN change any default passwords for hardware and software. NEVER use the same password twice, and remove any visible physical evidence of passwords. Lastly, improve the quality of your passwords — think length over complexity.
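The checks in this list can be run over a password vault export before you offer the service to clients. The script below is an added example, not part of the original article or any vendor's product; the export fields, the list of default passwords, and the 16-character minimum are assumptions, while the 90-day limit is the rotation interval mentioned above.

```python
import hashlib
from collections import defaultdict
from datetime import date

# Constructed sample export; a real password manager's export format will differ.
VAULT = [
    {"name": "office-router", "password": "admin", "changed": date(2024, 1, 10)},
    {"name": "quickbooks-client-a", "password": "Summer2023!", "changed": date(2023, 9, 1)},
    {"name": "quickbooks-client-b", "password": "Summer2023!", "changed": date(2024, 2, 20)},
    {"name": "backup-portal", "password": "correct horse battery staple lamp",
     "changed": date(2024, 2, 25)},
]
TODAY = date(2024, 3, 1)                        # constructed audit date
DEFAULTS = {"admin", "password", "changeme"}    # illustrative list, extend per vendor docs
MAX_AGE_DAYS = 90                               # rotation interval cited in the article
MIN_LENGTH = 16                                 # assumed threshold for "length over complexity"


def audit(entries, today):
    """Return {entry name: sorted list of findings}; clean entries are omitted."""
    findings = defaultdict(set)
    by_digest = defaultdict(list)
    for e in entries:
        pw = e["password"]
        # Group on a digest so the reuse check never stores cleartext in the report.
        by_digest[hashlib.sha256(pw.encode()).hexdigest()].append(e["name"])
        if pw.lower() in DEFAULTS:
            findings[e["name"]].add("default")
        if len(pw) < MIN_LENGTH:
            findings[e["name"]].add("short")
        if (today - e["changed"]).days > MAX_AGE_DAYS:
            findings[e["name"]].add("stale")
    for names in by_digest.values():
        if len(names) > 1:                      # same secret on more than one account
            for name in names:
                findings[name].add("reused")
    return {name: sorted(tags) for name, tags in findings.items()}


if __name__ == "__main__":
    for name, tags in audit(VAULT, TODAY).items():
        print(f"{name}: {', '.join(tags)}")
```

Note that "Summer2023!" mixes case, digits and a symbol yet is still flagged as short, while the long passphrase passes every check.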
We have found that offering a password management system in combination with Intronis backup is a very compelling and cost-effective way of “getting in the door” with new clients and increasing the stickiness of existing clients. If a client isn’t committed to proper password management and backup, they will tend to be problematic and difficult to maintain within a fixed-price managed services plan.