Deploying a password strengthening tool and supporting resource for a FTSE 250 Asset Manager

Following a “penetration test” (in which a company hires ethical hackers to attempt to break through its defences), our client had established that hundreds of its users were able to enter its systems by using “password123” as their password. The attack also identified that hundreds of thousands of failed login attempts had been registered in the same day.

The issue had arisen because of two factors:

  1. The help desk process for users who had forgotten their password was to change it to “password123”; and
  2. Security settings had not been updated to require users to then change that password the first time that they logged on with it.

Working with our client, we deployed a password strengthening tool which allowed the organisation to align the password settings with security policy requirements. This forced users to have a password which met accepted complexity standards.

However, the IT function was resistant to the change, because the mandatory complexity of the passwords made it more likely that users would get their passwords wrong and need to call the help desk.

To help alleviate this pressure, we provided backfill resources to the help desk and sent clear user communications on how to work more effectively with passwords, so that users could maintain security without experiencing frustration.

To further embed good password habits, we followed this up with a tailored user training effort to show how easy it is to break weak passwords using password crackers and social engineering attacks.