How MSPs can efficiently manage Client Passwords - Credential chaos to centralized control

Pooja Ramesh

August 31, 2024 . 4 min read

Share on LinkedIn Share on X Copy to Clipboard

Cluttered management of client passwords invites cyberattacks

MSPs deal with several clients across multi-tenant networks to manage their IT and network infrastructure. They constantly need to access servers, databases, network devices and other IT resources. Access to these systems requires login credentials that MSPs need to protect and keep client information secure.

The amount of sensitive customer credentials (including passwords, SSH keys, API keys, Shared TOTPs etc.) to be managed is exponentially larger than a standard organization. Without centralized management, the multitude of passwords that need to be managed results in uncontrolled distribution. Passwords are often stored and managed separately by different teams and maintained using different tools. Ultimately this leads to poor, de-centralized password management.

MSPs need to secure passwords, ensuring that external attackers/malicious insiders don’t get unauthorized access to client systems. Any breach occurring on the MSP side holds them accountable for the leak of client data, resulting in heavy monetary fines and complicated lawsuits.

With attackers targeting MSPs for their “breach one, breach all” advantage, managed service providers must work hard to avert weak client password management practices.

Some common flaws observed in the password management practices adopted by managed IT service providers are:

  • Password Reuse by MSP Technicians

    MSP technicians frequently need to deal with client passwords to connect to remote systems, assist with IT helpdesk tickets, or carry out technical fixes. And quite often, MSP technicians work with passwords of more than one client at a given time. With multiple customers in play, it becomes difficult to remember several passwords and maintain complexity on all of them. To keep this process uncomplicated, technicians end up using the same strong password for all client accounts/devices. Repeated usage of the same credential increases the susceptibility of cyberattacks, as a successful breach of one client system will lead to the compromise of all others.

  • Unsafe Password Storage Practices

    Commonly adopted password storage methods such as writing them down on a notepad, storing it online apps like excel sheet without encryption etc. are inadequate as they can be easily exploited. Passwords stored in plaintext can be easily viewed, and those stored on notepads or scripts can be misused by anyone who has access to the storage location. Excel is not meant to be used as a password manager, even if it is password protected, excel does not encrypt the passwords within. Unencrypted storage increases the chances of compromise by both malicious insiders and external attackers.

  • Insecure Sharing of Client Admin Accounts

    To enable technicians to access client systems, MSP administrators often set up an admin account on the client domain and share its login credentials and MFA tokens among multiple users. The usage of these credentials lacks monitoring since they are shared across several users and teams. Any mishaps in the sharing and handling of these credentials may result in unauthorized access of client systems and ultimately trigger data breaches.

    Bad actors take advantage of the flaws in client password management practices to launch different types of attacks:

    Credential Stuffing - Using stolen credentials from one breach to gain access to additional accounts using the same credentials to expand their access within the client network. The attack uses bots for automation and is based on the assumption that many users reuse usernames and passwords across multiple services.

    Brute Force Attack - Where attackers repeatedly try several combinations in a trial-and-error method to guess a single password until they hit the jackpot.

    To prevent these attacks from being successful, each client password should be unique, complex, periodically rotated, and constantly checked for compromise to improve security and preserve client information.

How can MSPs centralize and streamline client password management?

To streamline management of client passwords and prevent password attacks, certain best practices need to be followed:

Best Practice #1: Bring all client passwords under the same umbrella – Gather all the client passwords stored in random places (i.e., text files, sticky notes, spreadsheets) and store them in a centralized repository. This practice securely organizes credentials and helps MSP administrators manage access to sensitive information from a single place with appropriate access control mechanisms. It also helps reduce the risk of forgotten passwords and encrypting the password repository boosts overall security.

Best Practice #2: Periodically rotate all passwords – Passwords should be updated/changed regularly to mitigate the risk of unauthorized access, making it difficult for attackers to utilize compromise stolen or leaked credentials. To improve security, make each password strong and unique, using a combination of letters, numbers, and special characters. Implementing frequent password rotation reduces the chance of password reuse while also protecting sensitive information from threats.

Best Practice #3: Share passwords securely and audit all access – While sharing passwords with technicians, provide access to the passwords with appropriate access control based on their job roles and responsibilities. For example, an MSP administrator can grant full password access to their expert T3 technicians and time-limited, restricted password access to their T1/T2 support technicians. This granular access provides just enough privileges for technicians for the appropriate amount of time averting the risk of unauthorized access.

Best Practice #4: Avoid sharing passwords via insecure channels – Sharing passwords in plain text via channels like email, chat or shared excel sheets should be avoided. Moreover, all password activities like addition, deletion, rotation etc. should be completely captured and recorded as tamper-proof audit trails. This helps establish complete visibility and accountability and comes in handy during security and forensic audits.

Enforcing these best practices requires consistent, rigorous effort by MSP administrators. MSP password managers alleviate the time-consuming labor required to securely manage client credentials and help automate the entire process.

How Securden Password Vault Helps MSPs Enforce Password Security Best Practices

Securden Password Vault is a password management solution that helps MSPs centrally manage client passwords, provision time-limited access to credentials and securely share client admin accounts within the MSP environment.

  • Securely Store Client Passwords with Complete Data Segregation – Securden Password Vault provides a folder hierarchy that helps MSP administrators completely isolate passwords belonging to various client organizations. By grouping different client passwords into different folders, and providing the right level of control to technicians accessing the passwords, MSP administrators can prevent password sprawl and achieve centralized visibility and control.
  • Enforce Multi-factor Authentication to Sensitive Client Accounts – Securden helps MSPs enforce multi-factor authentication for client password access by integrating with a wide range of MFA solutions such as Mail OTP, Google/Microsoft/TOTP Authenticator, RADIUS Authentication, Email to SMS Gateway, Duo Security, YubiKey and more.
  • Automate Periodic Rotation of Passwords – Through automated password rotation and randomization, Securden improves security by lowering the likelihood of unauthorized access and increasing adherence to security standards by ensuring that credentials are changed at regular intervals with complex, unpredictable passwords. This greatly reduces the security threats posed by identity theft.
  • Achieve Granular Access Control – Securden helps establish account ownership and enforce granular access control. MSP administrators can make sure that technicians only have access to data associated with the clients they manage. Securden also provides another layer of restriction by facilitating one-click remote connections with servers, databases, devices, and applications on client systems (RDP, SSH, and SQL connections) without revealing the underlying passwords to the technicians.
  • Help Clients Demonstrate Regulatory Compliance – With good password practices in place, MSPs can help their clients demonstrate compliance with various industrial and government regulations. Furthermore, it’s necessary for MSPs themselves to adhere to various compliance mandates depending on the customer base they cater to. For example, MSPs managing healthcare organizations must also be HIPAA compliant. Securden Password Vault for Enterprises can help clients with compliance by providing comprehensive reports on which technicians accessed what client passwords and what actions they took with them.
  • Versatile Solution for all MSP Operating Models – Securden Password Vault provides complete operational flexibility and caters to all types of MSP IT models including fully managed, co-managed, and hybrid set ups. It offers provisions to securely share passwords with client end-users and IT personnel in multi-tenant networks. Clients can be granted granular control over the accounts and passwords belonging to their organization. Customization capabilities allow defining separate password rules and policies to cater to individual customer requirements.

If you are a managed service provider (MSP) or a managed security service provider (MSSP) looking to automate and orchestrate client password management, feel free to take a look at Securden Password Vault for MSPs.

If you wish to learn more, you can schedule a free technical consultation/demo with our product experts.

Recent Topics

A Complete Guide to PAM Pricing
A Complete Guide to PAM Pricing:Cost Components, Pricing Models, and Hidden Costs

Cyber attacks, insider exploitation and data leaks pose significant ...

Henry David September 9, 2024

What is Just-in-Time Access(JIT)?
What is Just-in-Time Access? A Complete Guide

Being a chief information security officer, network security manager, or IT ...

Audrey Rose September 6, 2024

Client password management
How MSPs can efficiently manage Client Passwords - Credential chaos to centralized control

MSPs deal with several clients across multi-tenant networks to manage their ...

Pooja Ramesh August 31, 2024

Client password management
A wake-up call to fortify password security

Mother of all breaches – Reinforces the need for enhanced password security ...

Zaheeruddin Ahmed February 7, 2024

Popular Topics

Client password management
A wake-up call to fortify password security

Mother of all breaches – Reinforces the need for enhanced password security ...

Zaheeruddin Ahmed February 7, 2024

Client password management
Local admin rights for Developers: Balancing the scales between basic necessity and security risk

Developers work with a variety of tools in the CI/CD pipeline and often experiment with a lot of things...

Shyam Senthilnathan January 25, 2024

Privileged Access Management Best Practices for Unparalleled Security
Privileged Access Management Best Practices for Unparalleled Security

Privileged accounts are the keys to your kingdom. Protecting and managing access to these sensitive...

Pradhyumnan December 21, 2023

Endpoint Privilege Management: Filling the gaps in Intune (Part 2)
Endpoint Privilege Management: Filling the gaps in Intune (Part 2)

Intune EPM (Now Microsoft Entra) helps organizations manage admin rights in a very basic manner ...

Shyam Senthilnathan October 10, 2023
Endpoint Privilege Management: The local admin rights dilemma (Part 1)
Endpoint Privilege Management: The local admin rights dilemma (Part 1)

The debate over giving unrestricted admin rights is a constant struggle between IT staff and employees in ...

Shyam Senthilnathan October 6, 2023
Client password management
2013 Target Data Breach: 10 Years On, but the Same Threat Pattern Looms Large!

Hackers targeted the low-hanging fruit, launched an unsophisticated attack, and carried out a massive breach ...

Himaya Presthitha July 25, 2023

Privileged Access Management Best Practices for Unparalleled Security
Password management best practices: Practice or Pay!

Passwords leaked from data breaches in the past continue to cause ripples in 2023, even amidst organizations with modern ...

Shyam Senthilnathan May 26, 2023

Identity thefts and data breaches - The aftermath of privileged access mismanagement
Identity thefts and data breaches - The aftermath of privileged access mismanagement

Cybersecurity is a growing concern for businesses of all sizes, as advanced hackers and cybercriminals constantly seek new ...

Zaheeruddin Ahmed December 27, 2022

Spate of cyberattacks rock the land down under
Spate of cyberattacks rock the land down under

As we move close to the end of the year, the horrors of Halloween continue to haunt the land down under. Media channels are ...

Rajaraman Viswanathan November 25, 2022

Make this Thanksgiving a memorable one. Treat yourself to a surprise!
Make this Thanksgiving a memorable one. Treat yourself to a surprise!

Participate in the Securden Thanksgiving 2022 campaign. All you have to do is simply tag fellow sysadmins and other designated ...

Zaheeruddin Ahmed November 21, 2022

The Spooky Season is here early! Recent data breaches re-emphasize the significance of password security
The Spooky Season is here early! Recent data breaches re-emphasize the significance of password security

As Halloween is dedicated to remembering the martyred, organizations falling victim to data breaches remind us of the importance ...

Shyam Senthilnathan October 20, 2022

We're at GITEX, Dubai. Come, meet us!
We're at GITEX, Dubai. Come, meet us!

Are you planning to participate in GITEX, Dubai? If yes, this is a great opportunity to meet our product experts and get a personalized ...

Zaheeruddin Ahmed October 10, 2022

May God defend me from my friends
May God defend me from my friends

As stories of trusted insiders causing information security breaches continue to unfold, it’s time organizations woke up to ...

Raja Viswanathan December 21, 2022

Ransomware attack on Colonial Pipeline: Executing cyberattacks, now a child's play!
Ransomware attack on Colonial Pipeline: Executing cyberattacks, now a child's play!

With the easy availability billions of compromised credentials on the dark web, and the practice of password reuse ...

Balasubramanian Venkatramani June 7, 2022

Local Admin Accounts Management: Eliminating Admin Rights and Controlling Applications (Part 3)
Local Admin Accounts Management: Eliminating Admin Rights and Controlling Applications (Part 3)

One of the most effective approaches to reducing risks is eliminating the local admin accounts altogether and ...

Raja Viswanathan May 17, 2022

Looking for a Passwordstate alternative?
Looking for a Passwordstate alternative?

Passwordstate, an enterprise password manager developed by Click Studios, suffered a supply chain attack between April 20 and April 22. The company ...

Jithukrishnan Apr 30, 2022

Local Admin Accounts Management: Microsoft LAPS Vs. PAM (Part-2)
Local Admin Accounts Management: Microsoft LAPS Vs. PAM (Part-2)

In the previous post, we dealt with the importance of local admin accounts, the associated security risks, and the need for managing them properly ...

Raja Viswanathan April 06, 2022

Top 10 password policy recommendations for system administrators in 2021
Top 10 password policy recommendations for system administrators in 2021

Passwords are omnipresent in our personal and business digital environments. An average person has at least a dozen passwords to remember for various accounts, and it is not ...

Jithukrishnan June 12, 2022

Local Admin Accounts - Security Risks and Best Practices (Part 1)
Local Admin Accounts - Security Risks and Best Practices (Part 1)

We are all too familiar with the local administrator account that gets created automatically when installing a Windows computer. The local admin is all ...

Raja Viswanathan March 19, 2022

Poor password security practices cause massive security breaches
Poor password security practices cause massive security breaches

Weak passwords, password reuse, password sharing, hard-coded credentials, lax measures to storing credentials are rampant even in big enterprises ...

Balasubramanian Venkatramani March 13, 2022

Top 10 password policy recommendations for system administrators in 2021
Remote work, pirated software, and local admin rights: A deadly cocktail

It is often said that the endpoints are the most vulnerable part of the network as they are increasingly becoming an entry ...

Raja Viswanathan December 08, 2021

Securden vs. Competitors: A Story of Point-and-Click Simplicity vs. Complex, Illusory Superiority
Securden vs. Competitors: A Story of Point-and-Click Simplicity vs. Complex, Illusory Superiority

The story of how a large government agency eliminated admin privileges on endpoints and implemented on-demand application elevation ...

Balasubramanian Venkatramani October 29, 2021

Florida Water Treatment Plant Hack: A Wake-Up Call to Strengthen Basic Security Measures, Password Hygiene
Florida Water Treatment Plant Hack: A Wake-Up Call to Strengthen Basic Security Measures, Password Hygiene

One of the worst fears of humanity came true last week. Ever since cyberattacks started increasing in variety affecting organizations of all ...

Balasubramanian Venkatramani Feburary 13, 2021

Passwords and their management: A tale of two decades
Passwords and their management: A tale of two decades

Last week, I came across an interesting research on cybersecurity practices during the past decade (2010-20) by Jean-Christophe Gaillard ...

Balasubramanian Venkatramani October 09, 2020

Windows Server Privilege Escalation: Security Issues and Best Practices
Windows Server Privilege Escalation: Security Issues and Best Practices

One of the most difficult aspects of security in a Windows environment is keeping visibility to and control over Windows privileges ...

Rajaraman Viswanathan August 24, 2020

A hacker’s prescription to prevent ransomware attacks
A hacker’s prescription to prevent ransomware attacks

Perpetrators of CWT ransomware attack recommend password rotation, admin rights removal, and application control as tips to prevent attacks ...

Balasubramanian Venkatramani August 03, 2020

Application Password Management Using APIs
Application Password Management Using APIs

There is arguably not a more important topic in the technology world today than security. Security can no longer be an afterthought for organizations serious ...

Rajaraman Viswanathan July 15, 2020

Read more blogs...
Securden Help Assistant

Thanks for sharing your details.
We will be in touch with you shortly

Thanks for sharing your details.
We will be in touch with you shortly