Máte otázky? Zavolajte nám
+421 903 766 446

Holistic password security

Project Information

Clients
ThemeMu Studio
Date
December 11, 2016
Services
Consulting, financial

How safe are your passwords from a cyber attack?

The WHY?

The goal of passwords is to protect assets and resources while ensuring access to those that have a confirmed need. Anything that can compromise the passwords risks compromising this goal. You need to consider what passwords you will accept, and mitigate against internal (insiders) and external (hackers, malware, social
engineering) threats.

Reducing or mitigating attack vectors reduces the probability of a compromise or breach…and continues to keep your and your client data safe. 

  • 521 publicly compromised websites including Linkedin, Facebook, Experian, MyHeritage, Sony, Pixlr, Snapchat, Xiaomi, Vodafone, Yahoo, Plex, Patreon, Kickstarter
  • 11,145,906,797 (11+ billion) publicly compromised accounts
  • 613,584,246 real world passwords leaked online
  • modern hardware can test billions of passwords a second
  • 90% of passwords can be cracked in less than six hours
  • ‘123456’ appears 24 million times in the password breaches
  • over 50% of people didn’t change their password after a breach was uncovered
  • 59% still use the same password everywhere

Our services

We offer a comprehensive review of your IT Security
policies against current recommended practices, or
will help you draft a policy that suits your needs.
We independently verify your systems are aligned to
your policies and can test your resilience to online and
offline attacks.


We can also work with you to create suitable cybersecurity training for your employees and IT staff.

The HOW?

Password Good Practice

  • passwords should be unique and long
  • allow passphrases as they are naturally long, simple to create, and easy to remember
  • don't accept weak or trivial passwords, or passwords found in breached password lists
  • blandit mauris ldon't allow password reuse across accounts or previously used passwordsectus 90% a pharetra nulla pellentesque at. Mauris placerat pretium felis
  • stop forcing frequent changes of good passwords but change them if you suspect they are compromised
  • use SSO if possible or use password managers if dealing with more than a few accounts

additionally:

Resist Online Attacks (Credential Stuffing)

  • implement rate limiting mechanisms
  • implement account lockouts

additionally:

Resist Offline Attacks (Cracking)

  • encrypt user and server hdds
  • never store passwords in cleartext or weakly encrypted
  • restrict, log, and monitor system and physical accesses •
  • perform a hash access and cracking audit on your existing passwords

The HOW?

Add more technical mitigations

  • ensure virus and malware protection is installed and running on endpoints
  • limit administrative accesses on endpointsnon lorem eros. Suspendisse blandit mauris lectus, a pharetra nulla pellentesque at. Mauris placerat pretium felis
  • keep OS and software patched and updated
  • don't allow access to unreputable sites or installation/use of untrusted software
  • don't transmit passwords in cleartext or weakly encrypted use 2FA/MFA if possible and definitely for privileged or sensitive accounts
  • use network technology to restrict access to internal networks

Invest in security education for your users

Keep users knowledgeable and vigilant. Developing a strong cybersecurity culture will go a long way in increasing the security posture of your organization.

  • IT security education when onboarding
  • Periodic and ongoing cyber security education
  • Security incident reporting

Implement or improve your processes

  • remove no longer needed accounts and accesses
  • periodic review and revalidations of accounts and accesses (especially privileged accounts)
  • monitor and review systems for unusual activity
  • ongoing periodic review of cybersecurity policies and strategies

Our clients

Findings

  • systems did not adhere to company policy on password length
  • systems accepted trivial and weak passwords
  • systems accepted passwords from known password breaches
  • password audit showed easily cracked and known breached passwords in use
  • no rate limiting nor account lockout for several systems
  • gaps in user security education and security incident reporting
  • policies, procedures, and processes not always known or followed

Corrective activities

  • audit of company password policies for good practices
  • audit of security policies on company IT applications and systems
  • update of system settings to align with company policies
  • cybersecurity training program for employees