
Sharing passwords in your everyday life

The majority of users on your network choose passwords that are memorable and related to them in some way: a pet's name, a football team, a location, a special date, or a variation on the day, week, month or year. This is human nature; users pick passwords they can remember without having to write them down. The same habit extends to using the same, or a very similar, password for every online account.

Take your own password, for instance, and think about where else it is used. Facebook, Twitter, email: do you use that same password, or a close variation of it, at work? How serious would it be if it were obtained? An attacker would have access to all of your personal and work accounts from a single compromise. Consider also where you may be displaying the password to the world. When did you last post a photo of yourself at your team's match or at your favourite place? When did you last share a 'cute' picture of your pet? Look honestly at your social media profiles and you may well find that the raw material for your password is already public.


It's absolutely critical that you and all staff are encouraged to set unique passwords for every system, and never to share a password used in your 'personal life' with any work system (including website logins). There are numerous free and cost-effective password managers available that can help your organisation manage this. Ultimately, it's a user education process, and our guidance is to highlight the real threat of password sharing. Users are often described as the weakest link in the security chain, but they are also your first line of defence. Get them on side and ensure that everyone is working towards better security practice.

Sharing passwords across systems and account privilege levels

It's not just ordinary users who are the weak point when it comes to password re-use; IT staff and system administrators are often at fault as well. IT staff typically hold several accounts (standard user, local administrator, domain administrator and so on). It's absolutely critical that each of these accounts has a unique password, so that a compromise of the low-privilege account does not immediately hand over the privileged ones. Think also about password re-use across networks and domains: every one of those passwords should be unique, and the same applies to passwords set on servers.

It's very common during security testing to find that the same local administrator password is set on every server and workstation, so that a compromise of one service or workstation leads directly to the compromise of all the others. Microsoft has a great free tool called Local Administrator Password Solution (LAPS), which manages a unique, regularly rotated local administrator password for each machine in a Windows estate. See LAPS here.


A strong password does not remove this risk. Even if the password cannot be cracked, an attacker or penetration tester who dumps its hash from one compromised machine can use a "pass-the-hash" technique to authenticate to, and compromise, every other system that shares that password, without ever learning the plaintext.

Choosing a password

Choosing a complex and "secure" password isn't rocket science, but there are a few key recommendations to follow:

  • Normal accounts should have a password of no fewer than 10 characters;
  • Administrative accounts, and accounts with access to sensitive information, should have at least 15 characters;
  • The password should contain uppercase letters, lowercase letters, numbers and special characters; and
  • Do not pick a single dictionary word; pick a set of words, a saying or some lyrics instead.
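The four rules above can be checked mechanically, which is useful when auditing a list of recovered passwords or vetting new ones. The following is an added example written for this page, not a tool from the original article: it returns the list of rules a candidate breaks, using the 10/15-character minimums from the list, and applies the dictionary rule by stripping the common "Word2018!" decoration and undoing simple letter substitutions before looking the core up. The DICTIONARY set is a constructed stand-in for a real wordlist, and the LEET substitution table is an assumption for illustration.

```python
import string

# Constructed mini dictionary; a real check would load a cracking wordlist.
DICTIONARY = {"password", "liverpool", "summer", "welcome", "fluffy", "london", "monday"}

MIN_LEN_STANDARD = 10
MIN_LEN_PRIVILEGED = 15

# Assumed substitution table: undo the usual "P@ssw0rd" style swaps before lookup.
LEET = str.maketrans("@$0134578", "asoieastb")


def normalise(password: str) -> str:
    """Lower-case, strip leading/trailing digits and punctuation, undo leet substitutions."""
    core = password.lower().strip(string.digits + string.punctuation + " ")
    return core.translate(LEET)


def check_password(password: str, privileged: bool = False) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    failures = []
    minimum = MIN_LEN_PRIVILEGED if privileged else MIN_LEN_STANDARD
    if len(password) < minimum:
        failures.append(f"shorter than {minimum} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    # A single dictionary word dressed up with a year and a '!' is still one word.
    core = normalise(password)
    if core in DICTIONARY:
        failures.append(f"based on a single dictionary word ({core!r})")
    return failures


if __name__ == "__main__":
    for candidate, priv in [("Liverpool2018!", False), ("P@ssw0rd!", False),
                            ("Correct-Horse-Battery-2018!", True)]:
        verdict = check_password(candidate, privileged=priv)
        print(f"{candidate!r:32} {'OK' if not verdict else '; '.join(verdict)}")
```

Note that the character-class rules alone would pass "Liverpool2018!", which is why the dictionary check looks at the normalised core rather than the raw string; a multi-word passphrase with a digit and a symbol satisfies all four rules.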
