Tips from URM – Password management – What is best practice?
One of the long-held beliefs underpinning many a password policy is that forcing a regular password
change is a good thing. After all, by changing our passwords on a regular basis we might be able to
stop an attacker taking advantage of a password they may have discovered.
However, by forcing users to change their passwords, organisations are unwittingly increasing the
probability of poorly constructed, weak passwords being used.
Many organisations require their users to change their passwords on a regular basis e.g. every 30-60 days, meaning that users may need
to create a new password twelve times per year. When coupled with the advice that passwords should be different for each system accessed,
this can quickly become impractical and overly burdensome.
We typically ask users to make their passwords more complex: random strings of characters, including numbers and special
characters such as $, £, &, %, which makes them even more difficult to remember.
What’s the result of frequently changing, complex passwords? You guessed it… users will either write their passwords down or, more likely,
ignore some of the rules. In order to remember passwords, users will make them as simple and short as possible, or very similar to passwords
previously used. These weaknesses can be exploited by an attacker. In 2015, the National Cyber Security Centre (NCSC) published new
advice for system owners regarding the use of passwords, including:
Don’t use complexity requirements
Don’t impose artificial capping on password length
Avoid passwords that are too short
Don’t change passwords unless it is suspected that the password has been compromised
Provide account usage information to the user so that they can identify and report suspected breaches.
So, what is URM’s advice? Our first recommendation is to reduce the reliance on the use of passwords. Organisations should consider using
technology solutions wherever possible. For example, the use of single sign-on techniques reduces the number of passwords that users are
required to remember. The use of multi-factor authentication, including the use of biometrics and hardware tokens, also reduces reliance on
passwords. Organisations should also consider allowing users to utilise password managers.
In addition, organisations should educate users so that they understand the risks associated with passwords that are easy to guess, too short or
too similar to previous passwords. This education should also cover best practice guidance on choosing an effective yet
easy-to-remember password. Implementing password blacklists will also help users to avoid weak and poorly constructed passwords.
WANT TO LEARN MORE?
If you would like to explore how URM’s consultancy and training services can benefit your organisation,
we offer a ‘no obligation’ discussion with a senior member of our consultancy team. Please let us know
the specific challenge you are facing within our areas of expertise e.g. information security (ISO 27001,
PCI DSS), data protection (GDPR, DPA 2018), business continuity (ISO 22301) and risk management so
that we can arrange a discussion.