May I have your password Pleas3?!

Ian Jackson

Managing Director


Studies have shown that you’re 56% more likely to divulge your password if given reasonable cause to do so. If the question is phrased well, this statistic jumps a further five points.

This was demonstrated during a recent ethical hacking exercise undertaken by UK-tec, when the target of our ‘attack’ willingly disclosed their password to help fix a technical issue we claimed to be having.


Please note all names, times and information have been changed to protect their identity.

It was late on a Friday, the clock edging ever closer to 17:30, and within minutes of our bogus request a password duly pinged into the relevant inbox: hC`{](,Hs3\kG=w"pn6. With it came the added bonus of full administrative rights over a not inconsiderable customer base.

Somebody somewhere had gone to a lot of trouble to implement a strong password policy, but John (not his real name) had clearly missed the ‘Information Security Briefing’ reminding employees that “no user will ever be legitimately asked for their password by anyone at any time and that any such request should be refused.” Either that, or with the weekend about to be encroached upon, John did not feel overly accountable, despite his organisation’s unambiguous IT Security Policy.


Proof, if proof were needed, that security cannot be achieved by technical means alone, and that so much still depends on employees, agents, contractors and other parties, and on the care each exercises in pursuit of their day-to-day duties. Or, to put it another way: deficiencies in processes and in the behaviour of people remain the weakest link in an organisation’s security posture.

Enter compliance and the need to create a ‘security culture’. See my previous blog, IT compliance; why bother!: www.uk-tec.com/post/it-compliance-why-bother.

At UK-tec we have been quietly debunking the complexities of compliance. Becoming a partner of standing to us means taking security seriously and recognising our responsibility to protect the information we hold and process, through the implementation of controls appropriate to the sensitivity of the information involved.

Each and every one of us is accountable. Through collaboration with our technical team we are on a journey to minimise our exposure to security breaches, whilst allowing our team to fulfil their duties within the framework of least privilege access but without inhibiting the efficiency of our business. It’s a transparent model that does not just focus on the thin veneer of evidence needed to satisfy even the most intrusive of auditors. Instead, we seek to make compliance intrinsic to everything we do.

The mantra “as long as we do what we say we do” will not meet the compliance demands of the future. Instead, being frank about the reasons for compliance issues means they can be tackled head-on, and our security posture can be continually improved.

Showing the Johns of this world ‘the error of their off-guarded ways’ is what we all need to be compliant about, not complaining about, whether through best practice, improved processes or better training.

In the meantime, rest assured, UK-tec will never share our passwords no matter how politely would-be attackers may ask.
