Read on to find out how IT support companies and MSPs can help their organisations develop robust and manageable password policies.
The below graphic represents the time to brute force a password using current technological capabilities.
So passwords should really be in the top two tiers to be effectively secure.
An ongoing issue is that the more complex the password the more difficult it is to remember - and with the general lack of uptake around password managers the NCSC guidance continues to encourage staff to use three random words as a password instead.
To find out more about passwords go to Guidance | Eastern CRC (ecrcentre.co.uk).
So how can IT departments help their organisations?
Only use passwords where they are needed and appropriate. Consider alternatives to passwords such as Single Sign On, hardware tokens and biometric solutions. Use MFA where possible for all important accounts and internet facing systems.
Use account lockout or throttling to defend against brute force attacks. If using lockout, allow users between 5 and 10 login attempts before locking out accounts. Consider using security monitoring to defend against brute force attacks. Password blacklisting prevents common, guessable passwords being used.
Tip 3: Protect all passwords
Ensure that all corporate web apps requiring authentication use HTTPS. Protect any access management systems you manage. Choose services and products that protect passwords using multiple iterations of a salted cryptographic hash function. Protect access to user databases. Prioritise privileged and vulnerable accounts such as administrators, cloud accounts and remote users. Change all default passwords.
Users have a whole suite of passwords to manage, not just yours. Allow users to securely store their passwords. Only ask users to change their passwords on indication or suspicion of compromise. Use delegation tools instead of password sharing. Where there's a pressing business requirement to share passwords, use additional controls to provide the required oversight.
Be aware of the pros and cons of different password generation methods. If password managers are used, encourage the use of the built-in password generator. Complexity requirements provide no defence against common attacks and should not be used. Prevent users setting passwords that are too short. Don't impose artificial capping on password length.
Emphasise the risks of re-using passwords across work and home accounts. Help users to choose passwords that are difficult to guess. Help users to prioritise their high value accounts. Consider making your training applicable to their personal lives.
To find out more go to Password policy: updating your approach - NCSC.GOV.UK
Reporting Cyber Crime
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).
Further guidance & support
The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the aim of increasing cyber resilience of SMEs within the East of England.
You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.
We also provide free guidance on our website and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.
Policing led - business focussed