Understanding where potential vulnerabilities exist in your security posture is a big part of cybersecurity risk management. In many instances, the most significant vulnerabilities come in the form of your employees – sharing passwords across work and personal accounts, for example, is one of the most common mistakes that staff will make. A robust cybersecurity training programme, alongside an effective cyber and IT risk management plan, can root out any misunderstandings and make sure that all of your employees are on the same page.
Sharing passwords in your everyday life
The majority of users on your network choose passwords which are memorable and related to them in some way, whether that be a pet’s name, a football team, a location, a special date or a variation of the day, week, month or year. After all, it is just human nature to select passwords which can be remembered easily without the need to ‘write them down’. This habit extends to using the same or a similar password for every online account.
Take your own password, for instance, and think about where else it is used: Facebook, Twitter, email. Now ask yourself whether you use that same password, or a very similar variation of it, at work. How serious would it be if your password was obtained? The attacker would have access to all your personal and work accounts. Also consider where you are potentially displaying that password to the world. When was the last time you put a snap of yourself attending your team’s match or your favourite place on Twitter or Facebook? When was the last time you took a ‘cute’ photograph of your pet and posted it to the world? I bet if you really look at your social media profiles you will find that you are displaying your password to the world in some way.
Performing a Penetration Test
It’s absolutely critical that you and all staff are encouraged to set unique passwords for all systems and never share passwords used in your ‘personal life’ with any work system (including website logins). There are numerous free and cost-effective password managers available, which can help your organisation manage this process, making password sharing unnecessary. Ultimately, it’s a user education process; our guidance can simply highlight the very real threats that come with password sharing. As ever, users are the weakest link in the security chain, but, as a direct result, your users are also your first line of defence. Let’s get them on side here and ensure that we are all working towards better security practice.
Penetration testing is just one of the ways that businesses can uncover users who have not met password standards. In our penetration testing services, we run the same kind of attacks that genuine cyberattackers would, giving you accurate insight into where improvements need to be made.
Sharing passwords across systems and account levels
It’s not just the ‘users’ that can be the key weakness with password re-use. IT staff and system administrators are often at fault as well. For example, IT staff will often have multiple accounts (user, administration, domain administration, etc.). It’s absolutely critical that they use unique passwords between their accounts, so that if one account is compromised, it doesn’t immediately compromise the others.
Think also about password re-use across networks (domains etc) and servers – again, all of these passwords should be unique.
When carrying out security testing, we very commonly find that the same local administrator password is used on every server and workstation, so a compromise of one service or workstation leads directly to the compromise of the others. Microsoft has a great free tool called Local Administrator Password Solution (LAPS), which helps to manage unique local administrator passwords throughout the Windows estate. See LAPS for more information.
Pass-the-hash
Even a strong password that cannot be cracked offers no protection if it is shared across systems: an attacker or penetration tester who captures its hash can use the “pass-the-hash” technique, authenticating with the hash itself rather than the password, to compromise every system where that password is used.
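On the target machine a pass-the-hash logon is recorded as an ordinary NTLM network logon, so the thing to look for is one credential reaching many machines in a short time, which is exactly what a shared local administrator password makes possible. The following is an added example written for this article, not SureCloud’s code; the event records are constructed and the field layout, window and threshold are assumptions to adapt to your own SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4624 (successful logon)
# records as a SIEM might parse them; not real logs from any environment.
# Fields: account, source IP, target host, logon type, auth package, time.
SAMPLE_EVENTS = [
    ("localadmin", "10.0.5.23", "WS-001", 3, "NTLM", "2024-01-10T09:00:00"),
    ("localadmin", "10.0.5.23", "WS-002", 3, "NTLM", "2024-01-10T09:00:40"),
    ("localadmin", "10.0.5.23", "WS-003", 3, "NTLM", "2024-01-10T09:01:10"),
    ("localadmin", "10.0.5.23", "FS-01", 3, "NTLM", "2024-01-10T09:02:05"),
    ("localadmin", "10.0.5.23", "WS-004", 3, "NTLM", "2024-01-10T09:03:30"),
    ("jsmith", "10.0.5.40", "FS-01", 3, "Kerberos", "2024-01-10T09:00:10"),
    ("jsmith", "10.0.5.40", "WS-010", 3, "NTLM", "2024-01-10T10:15:00"),
    ("backupsvc", "10.0.9.2", "FS-01", 3, "NTLM", "2024-01-10T02:00:00"),
    ("backupsvc", "10.0.9.2", "FS-02", 3, "NTLM", "2024-01-10T04:00:00"),
]


def find_fan_out(events, window=timedelta(minutes=10), min_hosts=4):
    """Return [(account, source_ip, [hosts])] for every account/source pair
    that completes NTLM network logons (logon type 3) to at least
    `min_hosts` distinct hosts inside a sliding time window.
    Kerberos and interactive logons are ignored: the signal is one
    credential reaching many machines quickly, not the logon type itself.
    """
    by_origin = defaultdict(list)
    for account, src, host, logon_type, package, ts in events:
        if logon_type == 3 and package == "NTLM":
            by_origin[(account, src)].append((datetime.fromisoformat(ts), host))

    alerts = []
    for (account, src), logons in by_origin.items():
        logons.sort()  # chronological, so each index opens a new window
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append((account, src, sorted(hosts)))
                break  # one alert per origin is enough
    return alerts


if __name__ == "__main__":
    for account, src, hosts in find_fan_out(SAMPLE_EVENTS):
        print(f"{account} from {src} reached {len(hosts)} hosts over NTLM: {hosts}")
```

The backup service account also uses NTLM but reaches only two hosts hours apart, so it is not flagged; tune the window and threshold to the normal behaviour of your own estate.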
Choosing a password
Choosing a complex and “secure” password isn’t rocket science, but there are a few key recommendations to follow:
- Normal accounts should have a password of no less than 10 characters;
- Accounts with access to sensitive information, or which are administrative accounts, should have at least 15 characters;
- The password should contain uppercase, lowercase, numbers and special characters; and
- Do not pick a dictionary word; pick a set of words, a saying or some lyrics.
Managing your security protocols with SureCloud
The key solution to password sharing is education. Cyber training programmes like ours help spread the word throughout your organisation, so no user gets left behind and no user account is unnecessarily vulnerable. The next step to becoming secure is heading over to our cyber training services, or take a look at the cybersecurity products that we offer.
About SureCloud
SureCloud is a provider of Cybersecurity services and cloud-based, integrated Risk Management products, which reinvent the way you manage risk. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture. SureCloud not only offers a wide range of Cybersecurity testing and assurance services, but crucially, we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation.