
Data Watch: The Fundamentals of Password Management

Article | Stuart Walsh, Chief Information Security Officer at Blue Stream Academy

A single weak or compromised password can have a massive effect on an organisation’s operations, potentially interfering with critical systems, disrupting networks and disclosing sensitive data.


Despite Bill Gates predicting the “death of the password” back in 2004, [1] in reality the opposite has happened: with the growing number of online services and the proliferation of mobile devices, password use is continuing to increase. [2] This, along with increasingly complex password requirements, places an unfair burden on users, many of whom will compromise on their password security by writing passwords down, re-using them or creating passwords that are easy to guess.

The National Cyber Security Centre (NCSC) now advocates for more use of technical defences and organisational processes, with passwords forming just one part of an organisation’s wider access controls and identity management approach. [3]

Three Random Words

Weak passwords can be cracked in seconds. The longer and more unusual your password is, the harder it is for a cybercriminal to crack.

A good way to make your password difficult to crack is by combining three random words to create a single password (for example, applenemobiro), as recommended by the NCSC.

Avoid commonly guessed passwords and creating passwords from significant dates, your favourite sports team or family and pet names. Most of these details can be found in your social media profile.

If you’re thinking of changing certain characters in your password (swapping the letter ‘o’ with a zero, for example), unfortunately cyber criminals know these tricks as well. So swapping characters won’t make your password much stronger, but it will be harder for you to remember.

By using a password that’s made up of three random words, you’re creating a password that will be strong enough to keep the criminals out, but easy enough for you to remember. [4]

Password Managers

We’re often advised that our passwords must be really strong and unique, especially for sensitive accounts such as banking, email, shopping and social media. However, if we did this, we would all have so many different passwords that it wouldn’t be possible to remember them all.

Password managers are designed to store all your passwords securely, so you can use passwords that are unique and complex without having to remember them.

Password managers can be used across different devices and platforms and can tell you if you have re-used a password or if one of your passwords has been exposed in a breach.

Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA), sometimes referred to as two-step verification (2SV) or two-factor authentication (2FA), helps to protect your account if a criminal gets hold of your password.

An example of MFA is when you enter your username and password to access an online payment service and the application then sends you a text message with a verification code.

Single Sign On (SSO) Systems

Single sign-on (SSO) systems provide employees with a single set of credentials that automatically give them access to all the applications and services they need to use. This means they don’t need to enter any other usernames or passwords when switching between their company’s apps and services.

Technical Solutions

Sometimes organisations are better served by implementing technical solutions, such as the ones described below.

Throttling or Account Lock-out

‘Throttling’ is the process of restricting the number of log-in attempts during a given period, with the time between each attempt progressively increasing. On the other hand, ‘account lockout’ restricts users to a specific number of attempts before their account is locked (this may or may not be within a specified period).

Throttling is usually preferred, because account lock-out can require organisations to provide ways for users to recover their account, leave employees without access to applications they need to use, and provide opportunities for Denial of Service (DoS) attacks: anyone who knows a username can deliberately enter wrong passwords until the real user is locked out.
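The difference between the two approaches is easiest to see in code. The following is an added example written for this page, not NCSC code: a progressive throttle and a fixed lock-out are applied to a constructed single-account credential store, and a deterministic fake clock replays an attacker guessing at an account followed by the real user logging in. The delay and attempt constants are assumptions chosen for illustration.

```python
from typing import Dict, Set, Tuple

# Constructed sample credential store; the password is the article's
# three-random-words example.
CREDENTIALS = {"alice": "applenemobiro"}


class FakeClock:
    """Controllable clock so the simulation is deterministic (constructed)."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class Throttle:
    """Progressive throttling: each failure doubles the wait before the next
    attempt on that account is accepted, capped at max_delay. The account is
    never locked outright, so the real user can always get in after waiting."""

    def __init__(self, clock, base_delay: float = 1.0, max_delay: float = 300.0) -> None:
        self.clock = clock
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state: Dict[str, Tuple[int, float]] = {}  # user -> (failures, not_before)

    def allowed(self, user: str) -> bool:
        _, not_before = self._state.get(user, (0, 0.0))
        return self.clock() >= not_before

    def record_failure(self, user: str) -> float:
        failures = self._state.get(user, (0, 0.0))[0] + 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[user] = (failures, self.clock() + delay)
        return delay

    def record_success(self, user: str) -> None:
        self._state.pop(user, None)


class Lockout:
    """Account lock-out: after max_attempts failures the account stays locked
    until someone resets it, which is what hands an attacker a DoS lever."""

    def __init__(self, max_attempts: int = 5) -> None:
        self.max_attempts = max_attempts
        self._failures: Dict[str, int] = {}
        self.locked: Set[str] = set()

    def allowed(self, user: str) -> bool:
        return user not in self.locked

    def record_failure(self, user: str) -> None:
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_attempts:
            self.locked.add(user)

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)

    def reset(self, user: str) -> None:
        """Manual unlock by an administrator or an account-recovery process."""
        self.locked.discard(user)
        self._failures.pop(user, None)


def attempt(policy, user: str, password: str) -> str:
    """One log-in attempt. The policy is consulted before the password is
    checked, so a throttled or locked attempt tells the attacker nothing."""
    if not policy.allowed(user):
        return "rejected_by_policy"
    if CREDENTIALS.get(user) == password:
        policy.record_success(user)
        return "ok"
    policy.record_failure(user)
    return "bad_password"


def simulate_attack(policy_name: str, guesses: int = 8, wait_after: float = 600.0):
    """An attacker sends `guesses` wrong passwords for alice one second apart;
    alice then tries her real password `wait_after` seconds later.
    Returns (number of guesses actually checked, alice's result)."""
    clock = FakeClock()
    policy = Throttle(clock) if policy_name == "throttle" else Lockout()
    checked = 0
    for i in range(guesses):
        if attempt(policy, "alice", f"guess{i}") == "bad_password":
            checked += 1
        clock.advance(1.0)
    clock.advance(wait_after)
    return checked, attempt(policy, "alice", "applenemobiro")


if __name__ == "__main__":
    print("throttle:", simulate_attack("throttle"))  # (4, 'ok')
    print("lockout: ", simulate_attack("lockout"))   # (5, 'rejected_by_policy')
```

Under the throttle the attacker gets fewer guesses checked in the same eight seconds and alice still signs in afterwards; under the lock-out the attacker gets five guesses checked and alice is shut out until an administrator calls `reset`.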

Security Monitoring

Organisations can use technology that monitors security and alerts them to any unusual or malicious behaviour, such as:

• Log-in attempts that fail the second step of MFA.

• Brute-forcing account passwords, including password spraying.

• Log-in attempts from unexpected geographical areas.

• Reports of unexpected account lock-outs or other unusual account behaviour from users.
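The first three of those signals can be pulled straight out of an authentication log. The following is an added example, not NCSC code or any product's detection rules: it runs a password-spraying check, a brute-force check, an MFA second-step failure count and an unexpected-country check over a constructed log sample. The log line format, the field names, the thresholds and the per-user country baseline are all assumptions for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample of authentication events (one per line: timestamp, then
# key=value pairs). The schema is an assumption for this example.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z ip=203.0.113.5 user=alice result=password_failed country=GB
2024-05-01T09:00:02Z ip=203.0.113.5 user=bob result=password_failed country=GB
2024-05-01T09:00:03Z ip=203.0.113.5 user=carol result=password_failed country=GB
2024-05-01T09:00:04Z ip=203.0.113.5 user=dave result=password_failed country=GB
2024-05-01T09:00:05Z ip=203.0.113.5 user=erin result=password_failed country=GB
2024-05-01T09:00:06Z ip=203.0.113.5 user=frank result=password_failed country=GB
2024-05-01T09:05:00Z ip=198.51.100.7 user=dave result=password_failed country=GB
2024-05-01T09:05:01Z ip=198.51.100.7 user=dave result=password_failed country=GB
2024-05-01T09:05:02Z ip=198.51.100.7 user=dave result=password_failed country=GB
2024-05-01T09:05:03Z ip=198.51.100.7 user=dave result=password_failed country=GB
2024-05-01T09:05:04Z ip=198.51.100.7 user=dave result=password_failed country=GB
2024-05-01T09:10:00Z ip=192.0.2.44 user=alice result=mfa_failed country=GB
2024-05-01T09:10:30Z ip=192.0.2.44 user=alice result=mfa_failed country=GB
2024-05-01T09:12:00Z ip=192.0.2.44 user=carol result=success country=RU
2024-05-01T09:15:00Z ip=203.0.113.9 user=bob result=success country=GB
"""

# Constructed baseline: countries each user normally signs in from.
EXPECTED_COUNTRIES: Dict[str, Set[str]] = {
    "alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}, "dave": {"GB"},
}

KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn each non-empty line into a dict of its key=value fields plus 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(KV.findall(rest))
        fields["ts"] = ts
        events.append(fields)
    return events


def detect_spraying(events, min_users: int = 5) -> List[str]:
    """Password spraying: one source trying a few passwords against many
    accounts, so its failures span many distinct usernames."""
    users_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["result"] == "password_failed":
            users_by_ip[e["ip"]].add(e["user"])
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)


def detect_brute_force(events, min_failures: int = 5) -> List[str]:
    """Classic brute force: many password failures against a single account."""
    failures: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["result"] == "password_failed":
            failures[e["user"]] += 1
    return sorted(u for u, n in failures.items() if n >= min_failures)


def detect_mfa_failures(events) -> Dict[str, int]:
    """Password accepted but second factor failed: the password is likely
    already in someone else's hands."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["result"] == "mfa_failed":
            counts[e["user"]] += 1
    return dict(counts)


def detect_unexpected_geo(events, expected) -> List[Tuple[str, str]]:
    """Successful sign-ins from outside the user's baseline countries.
    Users with no baseline are skipped rather than alerted on."""
    hits = []
    for e in events:
        if e["result"] == "success" and e["user"] in expected:
            if e["country"] not in expected[e["user"]]:
                hits.append((e["user"], e["country"]))
    return hits


def alerts(text: str = SAMPLE_LOG) -> List[str]:
    """Run every detector over a log and return human-readable alerts."""
    events = parse_log(text)
    out = [f"password spraying from {ip}" for ip in detect_spraying(events)]
    out += [f"brute force against account {u}" for u in detect_brute_force(events)]
    out += [f"{n} MFA second-step failures for {u}"
            for u, n in sorted(detect_mfa_failures(events).items())]
    out += [f"{u} signed in from unexpected country {c}"
            for u, c in detect_unexpected_geo(events, EXPECTED_COUNTRIES)]
    return out
```

Note that the sprayer never trips the per-account brute-force threshold (one failure per user), and the brute-forcer never trips the spraying threshold (one user); both are needed. The fourth signal in the list above, user reports of unexpected lock-outs, comes from the service desk rather than the log, so it has no detector here.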

Password Deny Lists

A ‘password deny list’ is a list of passwords that will automatically be rejected. This prevents employees from using passwords that are common, easily guessed or previously breached.

Forced Password Changes

Many systems still force users to change their password at regular intervals. However, this is now generally considered to be bad practice because people will often only make a slight tweak or re-use one that they have utilised elsewhere.

Instead, you can counter the use of compromised passwords by:

• Putting in place an effective process for movers and leavers, provisioning and deprovisioning accounts accordingly.

• Automatically locking out inactive accounts.

• Monitoring log-ins for suspicious behaviour.

• Encouraging users to report when something is suspicious.

• Using MFA, which makes a compromised password less useful to an attacker.

Most importantly, if you know (or suspect) that a user’s password has been compromised, it is vital that they change it. [3]

Complexity Requirements

Forcing people to create passwords that reach a certain level of complexity is also now generally considered to be bad practice.

Attackers are familiar with the predictable strategies and patterns that people use, such as replacing the letter ‘i’ with the number ‘1’, or adding an exclamation mark at the end. Complexity requirements also provide little defence against common attacks such as phishing, coercion, or accessing insecurely stored passwords.

That being said, it’s still good practice to:

• Specify a minimum password length.

• Avoid specifying a maximum length, if the system allows.
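A password check that follows the deny-list and length guidance above, but imposes no composition rules, looks like this. It is an added example for this page, not NCSC code: the minimum length value, the deny-list contents and the table of character swaps it reverses are all assumptions for the example. Because the page notes that attackers already know the usual character substitutions and suffixes, the check normalises those away before consulting the deny list, so ‘P@ssw0rd1!’ is rejected as ‘password’.

```python
import string
from typing import List, Tuple

# Assumed minimum: the guidance only says a minimum must be set, not a value.
MIN_LENGTH = 8

# Constructed deny list. In production this is loaded from a corpus of common
# and previously breached passwords, stored lower-case.
DENY_LIST = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
    "iloveyou", "admin", "summer", "winter", "monkey", "dragon",
}

# Reverse the swaps attackers already try (o -> 0, s -> $, i -> 1 ...)
# so "P@ssw0rd" is judged as "password". Table is an assumption.
UNSWAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})
TRAILING = string.digits + string.punctuation


def variants(password: str) -> List[str]:
    """Forms a deny-list lookup should try, most literal first."""
    lower = password.lower()
    stripped = lower.rstrip(TRAILING)          # "summer2022!" -> "summer"
    candidates = [lower, stripped, lower.translate(UNSWAP), stripped.translate(UNSWAP)]
    seen, unique = set(), []
    for v in candidates:
        if v and v not in seen:                # drop empty and duplicate forms
            seen.add(v)
            unique.append(v)
    return unique


def check_password(password: str, username: str = "",
                   deny_list=DENY_LIST) -> Tuple[bool, str]:
    """Minimum length, no maximum length, a deny list that also catches
    trivial variants, and no composition (complexity) rules."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if username and username.lower() in password.lower():
        return False, "contains the username"
    for v in variants(password):
        if v in deny_list:
            return False, f"matches deny-list entry '{v}'"
    return True, "ok"
```

A long passphrase is accepted unchanged (there is no upper bound to trip over), while every common password dressed up with digits, punctuation or substitutions is rejected by the same rule that rejects its plain form.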

Shared Access

Organisations should avoid shared access (multiple users utilising a single account) whenever possible. As well as significantly increasing the likelihood of systems being compromised, sharing account details makes it practically impossible to verify who is using the system or establish accountability.

If there is no alternative to shared access and the service is essential to your organisation’s operations, you should frequently monitor and review the accounts to reduce any potential risk. Access should only be shared within the smallest possible group of known and trusted users; when a user no longer requires access, the password should be changed.

This information is licensed under the Open Government Licence v3.0. To view this licence, visit www.nationalarchives.gov.uk/doc/open-government-licence. © National Cyber Security Centre 2022

Stuart Walsh

Chief Information Security Officer at Blue Stream Academy

As the Chief Information Security Officer (CISO) for Blue Stream Academy, Stuart provides an article for each issue of BSA Today to highlight how we strongly believe that promoting better information security practices improves the threat landscape for all organisations that work alongside us.

Disclaimer: The views and opinions expressed in this article are that of the author and are intended for informational purposes only; individuals should adhere to the password policies provided by their organisation.

1. Kotadia M. (2004). Gates Predicts Death of the Password. CNET, 25 February. www.cnet.com/news/privacy/gates-predicts-death-of-the-password (Last accessed June 2022)

2. Business Wire. (2020). Password Management Market: Growth, Trends & Forecasts to 2025 – ResearchAndMarkets.com (Press Release, 31 January). www.businesswire.com/news/home/20200131005242/en/Password-Management-Market-Growth-Trends-Forecasts-to-2025---ResearchAndMarkets.com (Last accessed June 2022)

3. National Cyber Security Centre. Password Administration for System Owners. Password Policy: Updating Your Approach. (no date). www.ncsc.gov.uk/collection/passwords/updating-your-approach (Last accessed June 2022)

4. National Cyber Security Centre. Top Tips for Staying Secure Online: Three Random Words. (no date). www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words (Last accessed June 2022)
