> In the world of security assessments, penetration testing often stands out as "the service I need to have done" when businesses are desiring to seek out a third-party evaluation of their security posture. However, there can be a large gap between the reality of penetration testing and what a company actually needs to have done.
Just like real fishing, criminals engaged in phishing dangle tempting bait in front of users in the hope that they can lure them into revealing their login credentials. If you have an email account, you’ve received at least one real-looking email, seemingly from a financial institution like a bank or PayPal, asking you to provide your user name, password, or social security number.
A password isn't useless, of course, but the idea that a password can be the only security control used to prevent access to sensitive data, personal accounts, organization VPNs, and the like is a dangerous proposition.
To understand how to protect your data and accounts, it's helpful to know common ways in which your passwords and credentials could be stolen and used against you.