21st July 2016
The majority of users on your network are choosing passwords which are memorable and related to them in some way. Whether that be a pet’s name, football team, a location, special date or a variation of the day, week, month or the year. After all this is very much human nature, users try to select passwords which they can remember easily without the need to ‘write them down’. This habit extends to using the same or a similar password for all online accounts.
Take your own password for instance, think about where else this password is used. Facebook, Twitter, email – now think, do you use that same password or a very similar variation of it at work? How serious would it be if your password was obtained? The attacker would have access to all your personal and work accounts. Also, consider where you are potentially displaying that password to the world, for example when is the last time you put a snap of you attending your team’s match or favourite place on twitter/facebook? When is the last time that you took a ‘cute’ photograph of your pet and posted it to the world? I bet if you really look at your social media profiles you would find that you are displaying your password to the world in some way.
It’s absolutely critical that you and all staff are very much encouraged to set unique passwords for all systems and never share passwords used in your ‘personal life’ with any work system (including website logins). There are numerous free and cost effective password managers available, which can help your organisation manage this process. Ultimately, it’s a user education process. Our guidance is to highlight the real threat of password sharing. As ever, users are the weakest link in the security chain but it’s these users that are often your first line of defence. Let’s get them on side here and ensure that we are all working towards better security practice.
It’s not just the ‘users’ that can be the key weakness with password re-use. IT staff and system administrators are often at fault as well. For example, IT staff will often have multiple accounts (user, administration, domain administration etc). It’s absolutely critical that they are using unique passwords between their accounts, so that a compromise of one account does not immediately compromise the others. Think also about password re-use across networks (domains etc) – again, all of these passwords should be unique. This should also extend to password re-use on servers.
It’s very common when carrying out security testing that local passwords are used on all servers and workstations. Therefore, a compromise of one service and/or workstation leads to compromise of the others. Microsoft has a great free too called Local Administrator Password Solution (LAPS), which help to manage unique passwords throughout the Windows estate. See LAPS here.
Even if you use a strong password, if it can’t be cracked (but is still shared) an attacker or penetration tester can use a “pass-the-hash” technique to authenticate (and compromise) all systems.
Choosing a complex and “secure” password isn’t rocket science, but there are a few key recommendations to follow: