Blog / Security

Security
July 16, 2026 · 6 min read · Nexus Team

The shared admin password is the small-MSP breach nobody budgets for

Ask an incident responder what small-business compromises have in common and credential hygiene shows up before any exotic exploit: a shared admin account used by three people, a password reused across half a dozen client environments, access that outlived the employee it was granted to. None of this is news. It persists because on a small team, the shared password is genuinely convenient — right up until the day it is genuinely catastrophic.

Why shared credentials are uniquely bad for an MSP

  • You hold admin access to many environments at once — a single leaked credential doesn't compromise one company, it compromises a portfolio.
  • Shared accounts destroy attribution: when three techs use one login, "who made this change" is unanswerable, which matters in an incident and matters more in the audit after it.
  • Offboarding becomes a rotation project: when someone leaves, every credential they ever touched is suspect — and if credentials are shared and undocumented, that set is "all of them, probably."
  • Your clients' security questionnaires increasingly ask how their MSP manages privileged access. "A spreadsheet" is an answer that loses deals.

The fix is boring, and that's the point

  • Every credential in a vault, attached to the client and device it belongs to — not in a document, a chat history, or a tech's memory.
  • Access scoped by role: a tech sees the credentials their work requires, and disabling one person's account revokes exactly their access — offboarding in minutes, not a weekend of rotations.
  • Every reveal and every use logged, so attribution exists before the incident that makes you wish it did.
A credential vault is not a security product you buy for the audit. It is the difference between offboarding being a checkbox and being a rotation project across every client you manage.

Credential management in Nexus is designed on exactly this model — vaulted, scoped by role, logged, and attached to the client and device records the rest of the platform already shares, so the vault is where the work already happens rather than a seventh tool. The platform page carries the honest current status of the security suite; the glossary entry on credential vaults covers the general concept if you're evaluating any vendor, including us.

Follow the build as it ships.

Nexus is live in our own MSP operations and opening to a limited design-partner cohort. Join the private-preview list.