
Security Testing Back to Basics: Why is sharing passwords a bad idea?

Written by Ellie Owen

Published on 30 Oct 2016

Understanding where potential vulnerabilities exist in your security posture is a big part of cybersecurity risk management. In many instances, the most significant vulnerabilities come in the form of your employees: sharing passwords across work and personal accounts, for example, is one of the most common mistakes that staff make. A robust cybersecurity training programme, alongside an effective cyber and IT risk management plan, can root out any misunderstandings and make sure that all of your employees are on the same page.

Sharing passwords in your everyday life

The majority of users on your network choose passwords which are memorable and related to them in some way, whether that be a pet’s name, a football team, a location, a special date or a variation of the day, week, month or year. After all, it is human nature to select passwords that can be remembered easily without the need to ‘write them down’. This habit extends to using the same or a similar password for all online accounts.

Take your own password, for instance, and think about where else it is used: Facebook, Twitter, email. Now think: do you use that same password, or a very similar variation of it, at work? How serious would it be if your password was obtained? The attacker would have access to all your personal and work accounts. Also consider where you are potentially displaying that password to the world. When was the last time you posted a snap of you attending your team’s match or favourite place on Twitter or Facebook? When was the last time you took a ‘cute’ photograph of your pet and posted it to the world? I bet that if you really look at your social media profiles, you will find that you are displaying your password to the world in some way.

Performing a Penetration Test

It’s absolutely critical that you and all staff are encouraged to set unique passwords for all systems and never share passwords used in your ‘personal life’ with any work system (including website logins). There are numerous free and cost-effective password managers available which can help your organisation manage this process, making sharing passwords unnecessary. Ultimately, it’s a user education process; our guidance can simply highlight the very real threats that come with password sharing. As ever, users are the weakest link in the security chain, but, as a direct result, your users are also your first line of defence. Let’s get them on side here and ensure that we are all working towards better security practice.

Penetration testing is just one of the ways that businesses can uncover users who have not met password standards. In our penetration testing services, we run the same kind of attacks that genuine cyberattackers would, giving you accurate insight into where improvements need to be made.

Sharing passwords across systems and account levels

It’s not just the ‘users’ who can be the key weakness with password re-use. IT staff and system administrators are often at fault as well. For example, IT staff will often have multiple accounts (user, administrator, domain administrator, etc.). It’s absolutely critical that they use unique passwords between their accounts, so that if one account is compromised, it doesn’t immediately compromise the others.

Think also about password re-use across networks (domains etc.) and servers; again, all of these passwords should be unique.

It’s very common when carrying out security testing to find that the same local administrator password is used on all servers and workstations. Therefore, a compromise of one server and/or workstation leads to the compromise of others. Microsoft has a great free tool called Local Administrator Password Solution (LAPS), which helps to manage unique local administrator passwords throughout the Windows estate. See LAPS for more information.

Pass-the-hash

Even if you use a strong password that can’t be cracked, if it is shared across systems an attacker or penetration tester can use a “pass-the-hash” technique, authenticating with the captured password hash rather than the password itself, to access (and compromise) all of those systems.

Choosing a password

Choosing a complex and “secure” password isn’t rocket science, but there are a few key recommendations to follow:

  • Normal accounts should have a password of no fewer than 10 characters;
  • Accounts with access to sensitive information, or which are administrative accounts, should have at least 15 characters;
  • The password should contain uppercase, lowercase, numbers and special characters; and
  • Do not pick a dictionary word; pick a set of words, a saying or some lyrics.

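The four rules above, together with the re-use problem described under “Sharing passwords across systems and account levels”, can be turned into a small checker that an administrator could run over a password list before it reaches production. This is an added example, not code from the original post or from SureCloud; the miniature wordlist, the “leet” undo mapping and the sample account list are all constructed for illustration.

```python
import re

# Constructed miniature wordlist standing in for a real dictionary (assumption,
# not part of the original post); a real check would load a full wordlist.
DICTIONARY = {
    "password", "welcome", "summer", "january", "monday",
    "liverpool", "arsenal", "chelsea", "london",
}

MIN_LEN_NORMAL = 10      # post's rule for normal accounts
MIN_LEN_PRIVILEGED = 15  # post's rule for admin / sensitive-data accounts

# Loose "leet" undo (0->o, 1->i, 3->e, 4->a, 5->s, 7->t, @->a, $->s), an assumption
# used only to spot variants of the same base word.
_LEET = str.maketrans("013457@$", "oieastas")


def base_form(password):
    """Reduce a password to the word it is built on so near-variants compare equal."""
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)   # drop leading/trailing digits and symbols
    return p.translate(_LEET)


def check_password(password, privileged=False):
    """Return the list of rules the password breaks (an empty list means it passes)."""
    problems = []
    min_len = MIN_LEN_PRIVILEGED if privileged else MIN_LEN_NORMAL
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")

    classes = {
        "uppercase": r"[A-Z]",
        "lowercase": r"[a-z]",
        "digit": r"[0-9]",
        "special": r"[^A-Za-z0-9]",
    }
    missing = [name for name, pat in classes.items() if not re.search(pat, password)]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # Keep only the letters of the base form: "L1verpool2016!" becomes "liverpool",
    # a single dictionary word, whereas a set of words or a lyric survives this test.
    letters = re.sub(r"[^a-z]", "", base_form(password))
    if letters in DICTIONARY:
        problems.append("based on a single dictionary word")
    return problems


def find_reuse(accounts):
    """accounts: {account name: password}. Returns (a, b, reason) for every shared or near-shared pair."""
    names = list(accounts)
    findings = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if accounts[a] == accounts[b]:
                findings.append((a, b, "identical password"))
            elif base_form(accounts[a]) == base_form(accounts[b]):
                findings.append((a, b, "variant of the same base word"))
    return findings


# Constructed sample of one person's accounts (not real credentials): personal
# accounts reusing a team name, and a work admin account sharing the domain password.
SAMPLE_ACCOUNTS = {
    "facebook": "Liverpool1",
    "twitter": "liverpool1!",
    "work-domain": "L1verpool2016!",
    "work-admin": "L1verpool2016!",
}


if __name__ == "__main__":
    for name, pw in SAMPLE_ACCOUNTS.items():
        privileged = name.endswith("admin")
        tier = "(privileged)" if privileged else ""
        verdict = check_password(pw, privileged) or ["ok"]
        print(f"{name:12s} {tier:12s} {'; '.join(verdict)}")
    for a, b, why in find_reuse(SAMPLE_ACCOUNTS):
        print(f"reuse: {a} <-> {b}: {why}")
```

Note that the length and character-class rules alone would pass “L1verpool2016!” for a normal account; it is the dictionary check on the base form that catches a team name dressed up with digits, and the re-use check that shows every account in the sample is effectively protected by one word.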

Managing your security protocols with SureCloud

The key solution to password sharing is education. Cyber training programmes like ours help spread the word throughout your organisation, so that no user gets left behind and no user account is unnecessarily vulnerable. The next step to becoming secure is heading over to our cyber training services, or take a look at the cybersecurity products that we offer.

About SureCloud

SureCloud is a provider of Cybersecurity services and cloud-based, integrated Risk Management products, which reinvent the way you manage risk. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture. SureCloud not only offers a wide range of Cybersecurity testing and assurance services, but crucially, we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation.