The IT sector doesn’t have anything to worry about when it comes to password management. Or does it?

Read on to find out how IT support companies and MSPs can help their organisations develop robust and manageable password policies.


The graphic below shows how long it takes to brute-force a password with current hardware.

So passwords should really be in the top two tiers to be effectively secure.


An ongoing issue is that the more complex a password is, the harder it is to remember. With password managers still not widely adopted, NCSC guidance continues to encourage staff to use three random words as a password instead.


To find out more about passwords go to Guidance | Eastern CRC (ecrcentre.co.uk).


So how can IT departments help their organisations?

Tip 1: Reduce your organisation's reliance on passwords

Only use passwords where they are needed and appropriate. Consider alternatives to passwords such as Single Sign On, hardware tokens and biometric solutions. Use MFA where possible for all important accounts and internet facing systems.


Tip 2: Implement technical solutions

Use account lockout or throttling to defend against brute force attacks. If using lockout, allow users between 5 and 10 login attempts before locking out accounts. Consider using security monitoring to defend against brute force attacks. Password blacklisting prevents common, guessable passwords being used.


Tip 3: Protect all passwords

Ensure that all corporate web apps requiring authentication use HTTPS. Protect any access management systems you manage. Choose services and products that protect passwords using multiple iterations of a salted cryptographic hash function. Protect access to user databases. Prioritise privileged and vulnerable accounts such as administrators, cloud accounts and remote users. Change all default passwords.


Tip 4: Help users cope with password overload

Users have a whole suite of passwords to manage, not just yours. Allow users to securely store their passwords. Only ask users to change their passwords on indication or suspicion of compromise. Use delegation tools instead of password sharing. Where there's a pressing business requirement to share passwords, use additional controls to provide the required oversight.


Tip 5: Help users to generate better passwords

Be aware of the pros and cons of different password generation methods. If password managers are used, encourage the use of the built-in password generator. Complexity requirements provide no defence against common attacks and should not be used. Prevent users setting passwords that are too short. Don't impose artificial capping on password length.
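As an added illustration (not code from the ECRC or the NCSC), the following Python sketch shows how the controls in Tips 2, 3 and 5 fit together: a policy check with a minimum length, no upper cap and no complexity rules, a blocklist of common passwords, an iterated salted hash for storage, and a throttle that locks an account after five failed attempts. The blocklist, iteration count and lockout duration are assumed values chosen for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

# Constructed sample blocklist; a real deployment loads a breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8               # reject passwords that are too short; no upper cap is imposed
MAX_ATTEMPTS = 5             # lock after 5 failures, the low end of the 5-10 range in Tip 2
LOCKOUT_SECONDS = 600        # assumption: 10-minute lockout window
PBKDF2_ITERATIONS = 600_000  # assumption: iteration count for the salted hash; tune to hardware


def check_password_policy(password: str) -> Optional[str]:
    """Return a rejection reason, or None if acceptable. No complexity rules (Tip 5)."""
    if len(password) < MIN_LENGTH:
        return "too short"
    if password.lower() in COMMON_PASSWORDS:
        return "on the blocklist"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store only a per-user salt and a multi-iteration PBKDF2-HMAC-SHA256 digest (Tip 3)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class LoginThrottle:
    """Account lockout (Tip 2): track failures per user and refuse logins while locked."""

    def __init__(self) -> None:
        self.failures: Dict[str, Tuple[int, float]] = {}  # user -> (count, locked_until)

    def attempt(self, user: str, password: str, salt: bytes, digest: bytes,
                now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"
        if locked_until:            # a previous lockout has expired: start a fresh window
            count = 0
        if verify_password(password, salt, digest):
            self.failures.pop(user, None)
            return "ok"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_ATTEMPTS else 0.0
        self.failures[user] = (count, locked_until)
        return "locked" if count >= MAX_ATTEMPTS else "denied"
```

In production the failure counter would live in shared storage rather than process memory, and the lockout events are exactly what the "security monitoring" in Tip 2 should alert on.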


Tip 6: Use training to support key messages

Emphasise the risks of re-using passwords across work and home accounts. Help users to choose passwords that are difficult to guess. Help users to prioritise their high value accounts. Consider making your training applicable to their personal lives.


To find out more go to Password policy: updating your approach - NCSC.GOV.UK.


Reporting Cyber Crime

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).


Further guidance & support

The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the aim of increasing cyber resilience of SMEs within the East of England.


You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.


We also provide free guidance on our website and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.

Policing led - business focussed

The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.