WIREDGOV

Guest blog by John Ward, Digital Marketing Manager at Specops Software.

Quick fact… the computer password turned 60 years old last year, yet today over 80% of hacking-related data breaches are due to compromised passwords.

You would think that after 60 years organisations would have mastered password security, but an alarming number are still not taking password security seriously, including those in the UK technology industry.

Bill Gates did say the password is dead back in 2004 and yes, a passwordless future is certain, but in the corporate world, it is still a long way off. Passwords will likely always have a part to play in some way, shape, or form, especially with legacy systems.

Today’s UK tech industry has now exceeded a $1tn  (£835.9bn) valuation and is a high-risk target for cyber attack. Research in 2021 found that IT and technology companies in the UK have experienced an average of 44 cyber attacks in the last 12 months – roughly one every 8 days.

Because strong passwords are your first line of defence against cyber attacks, allowing just one weak or compromised password in your corporate network is essentially leaving the door open for hackers. Once the hacker has executed a brute-force password attack they can gain access to your network within seconds and then move throughout, escalating privileges and accessing PII or intellectual property.

The good news is that hacking-related breaches like these can easily be prevented if password security is taken seriously and prioritised as part of an organisation’s cyber security strategy.

How is this done? The advisable first step is to perform a password audit. An audit is a check for compromised passwords and other password-related vulnerabilities that may include dormant accounts or accounts with default, duplicate or blank passwords. Don’t be surprised if you find anywhere between 20%-80% of accounts with compromised passwords, as shocking as that may sound, it’s not uncommon.

Once you’ve worked out the size of the problem at hand you can then go about alerting your users that need to change their passwords and the reasons why.

Tip: Longer passwords = harder to crack. Focus on length over complexity and three random words (memorable but not easy to guess) as mentioned in the NCSC’s #thinkrandom campaign is a good place to start.

Now that part of the process is done and dusted, you’ll need to ensure that history doesn’t repeat itself. User awareness training solves only part of the problem, and the requirement for auditing and requesting password changes for compromised accounts will be a never-ending cycle unless you put technical controls in place with a password policy tool.

Out-of-the-box functionality with Microsoft’s password policy tools have limitations and are known to allow compromised passwords.

Third-party alternatives (such as Specops Password Policy) make the creation of compliant password policies a breeze, help users create stronger passwords they can remember, protect against compromised passwords being used in live attacks happening right, and at the same time deliver informative end-user messaging during password changes. They pay for themselves in terms of security and efficiencies gained.

Don’t get me wrong, if you’re a small business you’ll likely get by with running a password audit and manually requesting password changes – but adopting that process on the larger business exceeding 100 employees is simply inefficient, insecure and has plenty of room for costly errors.

Looking to get started at securing your first line of defence against cyber attacks? To take the headache out of getting your password security in check, Specops developed an incredible software tool that will easily identify all the password vulnerabilities we’ve discussed, including the ability to check for over 1 billion compromised passwords. Results are delivered in an interactive dashboard or summarised in an exportable PDF, completely FREE, no strings attached.

If you’re interested in this free software tool or would like to pass it on to a colleague, you can download Specops Password Auditor free here.