Passwords

What Is It?

A password is a string of characters supplied together with other pieces of information, such as a username, to authenticate one entity to another. Passwords are kept secret and are used by end users to authenticate to their devices or their organisation's systems, by services to authenticate to other services, and even by devices to authenticate to corporate management systems. A password is typically one part of an authentication process that may involve one or more additional factors, such as a hardware token or physical key device.

Why Assess It?

There are many reasons to conduct a password security assessment, five of which are below.

Ensure Compliance

Your organisation has a password policy and technical enforcement, but by conducting a password security assessment you can validate whether users are actually complying with that policy. Examples of non-compliance include selecting weak passwords, sharing the same password between high- and low-privileged accounts, or simply never changing a commonly set password issued at account creation.
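The three compliance checks named above (password reuse between privileged and standard accounts, and starter passwords never changed) can be run offline over an exported account list. The script below is an added illustration and not Agility Cyber's own tooling; it assumes a constructed export of username, privilege tier and an unsalted password hash, and uses SHA-256 purely as a stand-in hash so the sample runs offline.

```python
import hashlib
from collections import defaultdict

def h(pw: str) -> str:
    """Stand-in unsalted hash (SHA-256 hex); real exports use the directory's own format."""
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed sample export: (username, privilege tier, hash). No real accounts.
SAMPLE = [
    ("alice",      "user",    h("Summer2023!")),
    ("alice-adm",  "admin",   h("Summer2023!")),  # same password on the privileged account
    ("bob",        "user",    h("Welcome1")),     # onboarding password never changed
    ("carol",      "user",    h("x9#Lq!vT2r")),
    ("svc-backup", "service", h("Welcome1")),     # service account on the starter password
]
# Constructed list of passwords the helpdesk issues at account creation.
INITIAL_PASSWORDS = ["Welcome1", "Password1"]

def audit(records, initial_passwords):
    """Group accounts by hash: identical unsalted hashes mean an identical password."""
    by_hash = defaultdict(list)
    for user, tier, digest in records:
        by_hash[digest].append((user, tier))
    # Hash the known starter passwords so plaintexts never need to be recovered.
    initial_digests = {h(p) for p in initial_passwords}

    findings = {"shared": [], "cross_tier_reuse": [], "unchanged_initial": []}
    for digest, accounts in by_hash.items():
        users = sorted(u for u, _ in accounts)
        tiers = {t for _, t in accounts}
        if len(accounts) > 1:
            findings["shared"].append(users)
        # Reuse across tiers: an admin account sharing its password with any non-admin one.
        if "admin" in tiers and tiers - {"admin"}:
            findings["cross_tier_reuse"].append(users)
        if digest in initial_digests:
            findings["unchanged_initial"].extend(users)

    # Headline statistic: share of accounts affected by at least one finding.
    affected = {u for group in findings["shared"] for u in group} | set(findings["unchanged_initial"])
    findings["affected_pct"] = round(100 * len(affected) / len(records), 1)
    return findings

if __name__ == "__main__":
    for key, value in audit(SAMPLE, INITIAL_PASSWORDS).items():
        print(f"{key}: {value}")
```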

Identify Procedural Issues

Passwords are managed secrets, meaning that how they are generated matters to your organisation's security posture. Other parts of the password lifecycle matter too, such as how a password is reset when a user forgets it. A password security assessment lets you see the effects, and understand the causes, of any weaknesses in password handling.

Validate Cryptography

Passwords need to be stored securely. In the event of a compromise, a threat actor may extract these passwords in their protected form and attack them offline, away from your network. A password security assessment confirms the strength of your password storage and provides advice where it can be improved.

Manage Service Account Risk

Passwords are often seen as something only users have, but this is not the case. Services running on your infrastructure, such as web applications and even antivirus, require passwords too. A password security assessment gives you insight into the security of these passwords, which are often excluded from complexity requirements.

Low Risk and Cost Efficient

A password security assessment is conducted without the need for an active brute-force attack, so there is no risk of locking users out of their accounts and affecting your operations. It is also far more efficient to work through an entire user base during a dedicated password security assessment than to enumerate the user list first and then attack each account individually, which translates into not only improved assurance but a cost saving for your organisation.

The Agility Cyber Approach

Like all our engagements, we want you to get the most out of your password security assessment and we do this by:

Review Usage

Whilst password complexity is important, your security posture is made up of more than this. We look at additional details that determine risk, such as the configured account lockout, whether accounts have strong attribution and the predictability of usernames, amongst other checks.

Obtained Safely

Your organisation's passwords are sensitive and are typically stored on critical parts of your network. This means you cannot afford downtime or any loss of integrity in this crucial data source. We have tried and tested ways to obtain the details we need around passwords without putting your organisation's operations at risk.

Thorough Analysis

We do not believe a password security assessment should simply list the weak passwords found. We provide real insight into our findings, using additional statistical analysis and factoring in any other mitigations your organisation may have, amongst other analytic techniques.

Practical Advice

Merely stating that weak passwords exist is not helpful to your organisation. Our approach is to show you where the weaknesses reside and provide actionable recommendations on how to improve your security posture, without increasing the administrative burden on your users or internal teams.

Securely Handled

Passwords are part of how your organisation provides authentication and should be treated as extremely sensitive. We do not upload any of your password data to third-party systems and always handle it as if it were our own.

Benefits of Partnering with Agility Cyber

Mutually Invested

Our experts work with you, not against you. There are no egotistical celebrations when a serious issue is discovered, just rapid full disclosure with pragmatic suggestions for effective remediation followed by ongoing support.

Clarity and Simplicity

We always provide clarity, believe in simplicity and value your time. For example, rather than waiting until the engagement starts, we conduct open source intelligence gathering before the scoping meeting to help us understand your organisation's position and risk posture. This enables us to ask better questions, securing you higher value and saving you time.

Full Consultancy

Our team, based in the UK, is technically exceptional but we pair that with business sense to discover, triage and help you remediate the full range of security issues.

Impartiality

We are impartial: we do not sell you products or the latest buzzword-laden trending solution.

Outstanding Service

We have an industry-leading turnaround; agility is in our name, after all. Proposals are shared with you within 24 hours of the scoping meeting. Accurate and complete daily debriefs are given during every engagement. The report is shared within 5 working days at the latest.