With over 80% of all hacking breaches due to password-related issues, the National Cyber Security Centre (NCSC) has introduced new password recommendations to assist the combat of this increase in data breaches.
The guidance, also referenced in the Public Service Network’s (PSN) Code of Connection, includes some useful tips, all of which you will find here in an abbreviated version along with our ideas, based on our extensive operational experience.
Not changing default passwords is one of the most common password mistakes that organisations make.
Particular attention should be given to essential infrastructure devices. That includes printers, telephones, video conferencing systems, CCTV systems, wireless access points, etc. Double-check that any default passwords are not being used to access devices.
IT departments do not necessarily know when breaches occur, unless they have a good SEIM/MDR in place.
All too frequently they find out by accident or when a list is actually made public.
Having a password expiry policy in place limits the time of the exposure an attacker will have. All administrative/privileged accounts should still follow a frequent password expiration policy.
For average end users, some claim that you can forgo frequent expiration and strengthen your policy using multi-factor authentication (MFA), passphrases, and by banning dictionary words. All these are good recommendations, however, we would always recommend having a password change policy for them and prevent them from using previously used passwords.
Long term studies of user-generated passwords have shown that they reinforce extremely insecure behaviours that attackers will abuse during their attacks. Insecure behaviours include using common predictable passwords and re-using the same password over multiple systems. This also includes sys admins, developers and directors.
NCSC believe that the use of long and complex passwords only gives a slight security benefit, while the user burden is high. They state that the use of technology to defend against automated guessing attacks is more effective and recommend using account lockout, throttling, protective monitoring and blacklisting common passwords.
An attacker can use a host of dictionaries which include, but is not restricted to, foreign words, phonetic patterns, and lists from data breaches such as Rock-You, LinkedIn, Yahoo, and Adobe, to mention just a few.
With the right procedures in place, any dictionary or custom list can be blocked from being used. Microsoft Azure admins can include breached passwords in their exclusion list and password policy.
Shorter passwords are more prone to brute-force attacks than longer passwords – it’s just basic mathematics!
Passphrases are good, a combination of words that are meaningless together are even better, are far easier to remember and of course much harder to crack. Also adding special characters and upper-case letters and numbers make it harder still.
The of use multi-factor authentication anywhere you can, especially for privileged users or when accessing critical systems, is a must.
Communicating the risks associated with poor practices such as using weak passwords, reusing them across different sites and sharing.
This can also include security awareness training on social engineering, phishing and key logging, which is something we can help train and educate your team on.
If you use machine-generated passwords make sure to choose a system that produces easy to remember passwords and offer a choice of passwords or stores them in an encrypted database.
NCSC say that administrators must use different passwords for their administrative and non-administrative accounts. Standard users should never be routinely granted administrator privileges.
Administrator accounts, with highly privileged access to systems and services, need to be especially protected since they are very attractive to hackers.
Remote users who require remote login access should be required to provide extra evidence, such as a token or, as aforementioned, be part of a multi-factor authentication policy.
Account lockout (NCSC recommends 10 attempts), throttling, and protective monitoring are powerful defences against brute-force attacks and encouraged by the NCSC. Protective monitoring can be used to relax the burden of locking out users. Blocking common passwords works well in combination with lockout and throttling.
Use account lockout, but make sure to enable self-service passwords resets.
Never, never, never store passwords as plain text.
Passwords should be hashed and uniquely salted (double hashing – helps to ‘preserve’ the password), and never stored as plain text.
If you have any questions, or would like to chat about your password policies, please get in touch.