Cyber Security

Can a Traditional Password Still Provide Adequate Security?

Written by Anna

Published on 20 Jun 2019

Here at SureCloud, we are always thinking about security and how to keep organizations safe.

Recently we asked our Operations Director (Cybersecurity), Luke Potter, whether the traditional password can still provide adequate security, and whether there are practical alternatives to the standard authentication we rely on today. His response is detailed below…

Can the traditional password still provide adequate security?

Passwords are still fundamentally core to the user experience in relation to authentication controls. For the most part, technically speaking, there is no reason that the use of passwords cannot be considered secure. A user who uses a password manager tool to set strong, randomized passwords of 64 or more characters is realistically never going to be compromised by a direct brute-force guessing attack, unless of course poor practices are being followed, such as the re-use of passwords, not changing passwords following a known data breach, and so forth.

Alternatives to the standard security we currently have…

However, as the vast majority of users are likely to re-use a password or password pattern between websites and software applications, and as users continue to use passwords that would be considered weak due to their length or complexity, or because they are based on a word or phrase, it is imperative that additional factors are made available to users or, ideally, enforced on them. The use of a one-time password or something like a physical smart card, when used in conjunction with strong passwords, would significantly increase the barrier to entry if an attacker is performing a credential stuffing attack. There are methods and tools available for attackers to conduct phishing attacks that can bypass two-factor authentication methods, which ultimately is only ever really going to be mitigated by user security awareness training and improvement.

With the seemingly ever-increasing number of data breaches affecting both low- and high-profile organizations, it is not just the end users that require a focus on security via authentication controls. In some breaches, there is evidence that password re-use between staff members with different privileged user accounts was found to be the cause. Internal password policies are also crucial to implement, such as using a password manager application per user.

A password policy should not only define the technical requirements for user account password criteria, but it should also present these additional factor controls as a requirement for all services.

About Luke

Luke Potter oversees SureCloud Cybersecurity Solutions. He also manages our Secure Private Cloud. Luke is a recognized cybersecurity expert. He is a CHECK team leader, Tiger Scheme senior security tester, ISO 27001 lead auditor and Microsoft Certified enterprise administrator. Previously, Luke managed the IT team at a large UK insurance brokerage.

About SureCloud

SureCloud also offers a wide range of cybersecurity testing and assurance services, staying with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) and CREST, and delivered using the innovative Pentest-as-a-Service model (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.