Blog / Security
The shared admin password is the small-MSP breach nobody budgets for
Ask an incident responder what small-business compromises have in common and credential hygiene shows up before any exotic exploit: a shared admin account used by three people, a password reused across half a dozen client environments, access that outlived the employee it was granted to. None of this is news. It persists because on a small team, the shared password is genuinely convenient — right up until the day it is genuinely catastrophic.
Why shared credentials are uniquely bad for an MSP
- You hold admin access to many environments at once — a single leaked credential doesn't compromise one company, it compromises a portfolio.
- Shared accounts destroy attribution: when three techs use one login, "who made this change" is unanswerable, which matters in an incident and matters more in the audit after it.
- Offboarding becomes a rotation project: when someone leaves, every credential they ever touched is suspect — and if credentials are shared and undocumented, that set is "all of them, probably."
- Your clients' security questionnaires increasingly ask how their MSP manages privileged access. "A spreadsheet" is an answer that loses deals.
The fix is boring, and that's the point
- Every credential in a vault, attached to the client and device it belongs to — not in a document, a chat history, or a tech's memory.
- Access scoped by role: a tech sees the credentials their work requires, and disabling one person's account revokes exactly their access — offboarding in minutes, not a weekend of rotations.
- Every reveal and every use logged, so attribution exists before the incident that makes you wish it did.
A credential vault is not a security product you buy for the audit. It is the difference between offboarding being a checkbox and being a rotation project across every client you manage.
Credential management in Nexus is designed on exactly this model — vaulted, scoped by role, logged, and attached to the client and device records the rest of the platform already shares, so the vault is where the work already happens rather than a seventh tool. The platform page carries the honest current status of the security suite; the glossary entry on credential vaults covers the general concept if you're evaluating any vendor, including us.