I've noticed that the MSP we work with claims they need to keep end users' passwords to reset them when necessary. However, since our machines are joined through Entra ID, I don't see why they would need access to those passwords at all. Is this a common practice in the industry?
5 Answers
Typically, the only passwords MSPs should hold onto are for specific IT setups, like hardcoded VPN passwords. Keeping end user passwords is risky because it opens doors for potential misuse if there's any kind of compromise.
It's definitely not common for MSPs to keep end user passwords. I'm hoping it's just a misunderstanding with your HR and CTO. There are no valid reasons for MSPs to hold onto those passwords since password resets shouldn't require them.
The CTO also thinks it's strange and mentioned he wants to address this in the upcoming meeting with the MSP. It seems like there's a lot to clarify!
It's definitely not a standard practice for MSPs to store passwords long-term. They should ideally allow users to reset their passwords through secure methods instead of keeping them in their records.
From what I've seen, some MSPs keep credentials to avoid the hassle of constant password changes, but it's not a best practice. Most concerns about security don't come from the tech side; many businesses just want the cheapest solution without considering risks.
In my experience working with MSPs, none of them have kept end user passwords on file. It's just unnecessary. You could use password managers or temporary access methods that don't involve holding onto user passwords at all. That way, security is prioritized.
Absolutely, and if an MSP is keeping those kinds of passwords, that's a major red flag. You want to ensure they have good practices in place.