Penetration test exposes poor password habits
(Last updated on October 7, 2020)
With threats to your environment emerging on a regular basis, your organisation is more susceptible to attack than ever before. Early detection of vulnerabilities helps you understand what can be compromised and how to prevent it. Penetration testing, in which a third-party security team simulates intruder-like attacks, is an effective method of exposing vulnerabilities. Many compliance standards, such as PCI DSS, require or recommend annual penetration testing performed by a third party.
One of the most common reasons organizations fail penetration tests is their ineffective password policies and the use of weak passwords. The following password issues are still prevalent in many organizations:
- The use of default or weak passwords: This is very common within organizations and indicative of a poor security policy – resulting in successful penetration.
- The use of incremental passwords: Users adding numbers to the end of a base password to cope with frequent password change requests.
- Password reuse: Insecure yet common practice by employees who reuse their corporate password on other online accounts. Administrators aren’t exempt, as they also use the same password for their domain account and other elevated accounts.
- The use of leaked and stolen passwords: Users not only reuse their own passwords but other people’s too. With 1.4 billion leaked passwords circulating the Dark Web today, checking user passwords against a list of leaked passwords is more important than ever.
If any of these security holes are identified in your environment, you need to take immediate action to close them. There are two main steps:
- A technological approach to patching those holes is the first step in boosting password security. Specops Password Policy can help your organization enforce strong passwords and discourage bad habits. Specops Password Policy allows you to:
  - Check for partial or full usernames in passwords
  - Block consecutive characters
  - Block common characters at the beginning or end of passwords
  - Block dictionary words
  - Block any passwords from past leaks
  - Enable passphrases
- The next step is to address the human factor – employees make common mistakes because they aren’t aware of the security risks. Government and industry regulations require security awareness training. Organizations should communicate password best practices to their users and schedule ongoing training on potential threats.
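To make the policy controls listed above concrete, here is an added example (not Specops code) of a minimal password-policy checker that applies each of them, plus a check for the incremental-password habit described earlier. The leaked-hash set, the dictionary and the usernames are constructed sample data; a real deployment would load full breach and dictionary lists.

```python
import hashlib
import re

# Constructed sample data standing in for the lists a real policy engine would load.
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
               for p in ("Password1", "Summer2020!", "qwerty123")}
DICTIONARY = {"summer", "password", "welcome", "dragon"}
LEET = str.maketrans("@$0134", "asolea")  # undo common substitutions before lookup

def contains_username(pw, username, min_part=3):
    """Full username or any fragment of min_part+ characters inside the password."""
    u, p = username.lower(), pw.lower()
    return any(u[i:i + min_part] in p for i in range(len(u) - min_part + 1))

def has_consecutive_chars(pw, run=3):
    """Runs of one repeated character such as 'aaa' or '111'."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None

def has_common_edge_chars(pw):
    """Digits or symbols tacked onto the start or end ('Winter2020!' pattern)."""
    return not pw[0].isalpha() or not pw[-1].isalpha()

def contains_dictionary_word(pw, min_len=4):
    """Dictionary words, including leet-speak variants such as P@ssw0rd."""
    norm = pw.lower().translate(LEET)
    return any(w in norm for w in DICTIONARY if len(w) >= min_len)

def is_leaked(pw):
    """Look the candidate up in the breach set by SHA-1, never by plaintext."""
    return hashlib.sha1(pw.encode()).hexdigest() in LEAKED_SHA1

def is_incremented(old, new):
    """Same stem, only the trailing digits/symbols changed: Summer2019! -> Summer2020!"""
    stem = lambda s: re.sub(r"[\d\W_]+$", "", s).lower()
    return stem(old) == stem(new) and old.lower() != new.lower()

def check_password(pw, username, previous=None):
    """Return the rules the candidate violates (empty list means accepted).
    A passphrase (20+ chars, 3+ words) skips the pattern rules, never the leak check."""
    violations = [name for name, hit in (
        ("leaked", is_leaked(pw)),
        ("incremental", previous is not None and is_incremented(previous, pw)),
        ("username", contains_username(pw, username)),
    ) if hit]
    if len(pw) >= 20 and len(pw.split()) >= 3:  # passphrase: pattern rules waived
        return violations
    pattern_rules = (("consecutive", has_consecutive_chars),
                     ("common-edge", has_common_edge_chars),
                     ("dictionary", contains_dictionary_word))
    return violations + [name for name, rule in pattern_rules if rule(pw)]
```

Calling `check_password("Summer2020!", "jsmith", previous="Summer2019!")` flags the leaked, incremental, common-edge and dictionary rules at once, while a four-word passphrase passes with no violations.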