Monday, 5 March 2018

Best Practice Password Security

Passwords have an important role to play in any organisation’s cyber security – whether to protect user access to applications, data or email.

Passwords have an important role to play in any organisation’s cyber security – whether to protect user access to applications, data or email.

So what should organisations be doing to ensure that the passwords and password policies being used are up to scratch? 

For many an organisation today, the data it holds counts among its most valuable assets. Yet this data must be available on a real-time basis for many applications and staff members to use. Add to this the increasing sophistication of phishing scams sent to senior executives from apparently internal email addresses and we can clearly see the need for good password security.

So, what are the current best practices around password security?

What are the processes and rules that your organisation needs to put in place to ensure that data, applications, user accounts and email accounts are not compromised by poor password practices?

Choosing a Password

Helping users to understand what makes a good password has to be the starting point of any password strategy. Before you start implementing other policies you need to ensure the passwords are worth protecting in the first place.

The UK Government has launched new password advice on its cyber aware website. It warns against using passwords that are based on:

• Current partner’s name
• Child’s name
• Other family members’ names
• Pet’s name
• Place of birth
• Favourite holiday
• Something related to your favourite sports team

It suggests: “A good way to create a strong and memorable password is to use three random words. Numbers and symbols can still be used if needed, for example 3redhousemonkeys27!”.

This reflects the advice that was also published last year by the US Department of Commerce’s National Institute of Standards & Technology (NIST) . It suggested that organisations enforce longer password (suggesting up to 64 characters was desirable!).

New Password Rules

Here, a password generation tool is going to aid most users – it’s the one of best ways to create incredibly strong passwords. However, it has to be admitted that 64-character passwords aren’t practical for most user logins, unless used in conjunction perhaps with a password vault. And some of NIST’s other advice is equally surprising, albeit a little more practical.

Its recommendations included:

• Removing all password complexity rules
• Avoiding frequent mandatory password resets
• Forbidding commonly used passwords
• Limiting the number of password attempts
• Swapping knowledge-based authentication for two-factor authentication

While “removing all password complexity rules” and “avoiding frequent mandatory resets” might seem contrary to existing advice, NIST argue that anything that makes it difficult for users to remember their passwords is counterproductive: leading to bad practice such as writing passwords down or oversimplifying them.

User Education

Like so much in cybersecurity, good password practices must incorporate policies around user behaviour and user education. Don’t assume your users know what is good practice or not. Provide them with appropriate cyber security awareness training in which password management is covered as part of a broad range of topics. To some it seems like common sense but this is often not as ‘common’ as everyone imagines!

Last month, we reported about the Hawaii emergency control room staff member caught on camera posing with a password on a post-it note stuck to the front of his computer monitor – thereby highlighting a few salutary lessons for us all.

The first rule of password security is that they shouldn’t be written down on paper - and certainly not stuck to the desk, computer or anywhere public.

And be very careful what you share on social media!

It is important that organisations put rules in place and ensure that all users understand and follow this advice.

Two Factor Authentication

Multi-factor authentication is another important element of best practice. Last year we highlighted the shift towards bio-metric identifiers and suggested this transition should be a question of “and” not “or”.

Ideally, you should require at least two out of three different identifiers: something you know, something you are, and something you have.

The password is, of course, the most common iteration of “something you know”. The “something you are” refers to a bio-metric element whilst “something you have” is usually a device (here NIST prefers SMS over email, because of the inherent vulnerabilities of email).

Encryption and Hashing

And what of your organisational responsibilities when it comes to securing passwords?

GDPR is placing greater pressure on organisations to be able to demonstrate how they protect the personal data they hold on staff, customers and other individuals. And not just from technological measures to protect data but appropriate organisational measures too!

Strong password policies have an important role to play in this. Perhaps the best way an organisation can demonstrate this is to give users access to an approved password generation tool and password manager or vault and to implement encryption and hashing of user passwords.

If you can demonstrate that you have taken steps to securely encrypt user passwords, not only can you prove to the regulator that you are taking your data security responsibilities seriously but, if a password database breach should happen in your organization, it should have a much more limited impact.


For more information about password best practice please contact the Grant McGregor team or call us on 0131 603 7910.

We can also help with some of the other security topics touch on in this article, such as:

GDPR Preparation & Organisational Measures

Cyber Essentials / Plus Certification

Cyber Security Awareness Training

Two Factor/Multi Factor Authentication

Help with IT Security Services