How to plan a password security project

How to plan a password security project

Sponsored Weak password security is a torment that afflicts networks in so many ways. On the user side is the certainty of hopeless and reused passwords, while on the attacker’s side are a gamut of techniques for targeting them such as phishing, credential stuffing, brute forcing, and spotting backdoors to hidden applications such as RDP, SSH, and shadow IT.


Formulating a credible plan to cope with all this is a big job. Overhauling an organisation’s password security design requires investment and that implies a properly thought out rationale to present to budget holders. How should security pros go about creating such a thing?


The first job is to explain the threats and the risk of doing nothing. Fortunately, there’s no shortage of evidence, starting with the effect weak password management is having on other organisations. The steady increase in the number and diversity of attacks is hard to miss. According to Verizon’s industry-standard 2020 Data Breach Investigations Report (DBIR), of the 3,950 confirmed data breaches it analysed from the previous year over 80 per cent involved stolen or brute-forced credentials.


For cautionary tales, take your pick. In early 2020, Marriot International confirmed hackers had used the logins of two franchise employees to pilfer the account data of up to 5.2 million guests, an incident that shows how even small compromises can lead to outsize problems. Then there’s the whole issue of the numerous companies caught out by the SamSam ransomware which specialises in brute-forcing Microsoft RDP passwords using simple tools such as nlbrute. According to Sophos, that netted the gang behin ..