Monday, 16 May 2022

The New Password Rules: 2022 Update

It’s a while since the Grant McGregor team shared information about password best practice – and a lot has changed. Not least in terms of the new guidance in the UK Government’s Cyber Essentials scheme, but also in terms of the technology solutions now available to strengthen security.

Earlier this month, news emerged about the hijacking of 130 NHS email accounts. These email accounts were then used to launch a credential harvesting phishing operation. The majority of emails were fake new document notifications that contained malicious links to credential harvesting sites, which sought information from Microsoft 365 users.

It’s thought that the attackers planned to use those credentials to launch further attacks with more damaging results. Although the NHS has now acted to prevent the hijacked accounts from being used to launch phishing attacks, the announcement(1) does highlight the dangers of poor password security – and how poorly protected email accounts can be exploited.

What can companies do to improve password security?

Good password practice is the key to preventing user accounts from being compromised. But what does good practice look like in 2022? Advice around password security has changed over time, so it is worth reviewing your policy regularly to make sure you are following the most up-to-date guidance.

This is because, over time, attackers change the way they target and attack their victims. Further, as technology advances, new tools and methods for protecting your devices and user accounts emerge.

It is for these reasons that the UK’s National Cyber Security Centre (NCSC) has recently updated its guidance about passwords as part of its overhaul of the Cyber Essentials scheme.

The New Password Rules: 2022 Update

The Cyber Essentials technical controls are used to manage the quality of passwords. The latest advice requires one of the following approaches:

  • Using multi-factor authentication in conjunction with a password of at least 8 characters, with no maximum length restrictions.
  • A minimum password length of at least 12 characters, with no maximum length restrictions.
  • A minimum password length of at least 8 characters, with no maximum length restrictions, combined with automatic blocking of common passwords using a deny list.

The new advice under the Cyber Essentials scheme also requires additional consideration to be given to protecting against brute-force password-guessing attacks.

It now requires one of the following protection scenarios to be in place:

Furthermore, there is new guidance about device locking. It requires either biometrics or a password or PIN of at least 6 characters to be in place to unlock devices.

For details about the other changes in the latest update to the Cyber Essentials scheme, please contact our team on 0808 164 4142.
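The password approaches listed above and the device-locking rule can be encoded as a simple acceptance check. This is an added example, not code from Grant McGregor or from the Cyber Essentials scheme; the function names and the short deny list are constructed for illustration.

```python
# Added example: a password-acceptance check modelled on the three approaches
# allowed by the 2022 Cyber Essentials technical controls. Names and the
# sample deny list are constructed; a real deployment loads a published
# common-password list into DENY_LIST.

DENY_LIST = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

def normalise(pw: str) -> str:
    """Deny-list matching is case-insensitive, so 'Password1' is caught too."""
    return pw.casefold()

def satisfied_approaches(password: str, mfa_enabled: bool,
                         deny_list=DENY_LIST) -> set:
    """Return which Cyber Essentials approaches this password satisfies.

      'mfa+8'       multi-factor authentication in use and >= 8 characters
      '12'          >= 12 characters
      '8+denylist'  >= 8 characters and not on the common-password deny list

    No approach imposes a maximum length, so long passphrases are never
    rejected on length alone.
    """
    n = len(password)
    found = set()
    if mfa_enabled and n >= 8:
        found.add("mfa+8")
    if n >= 12:
        found.add("12")
    if n >= 8 and normalise(password) not in deny_list:
        found.add("8+denylist")
    return found

def is_acceptable(password: str, mfa_enabled: bool,
                  deny_list=DENY_LIST, required: int = 1) -> bool:
    """The scheme needs one approach; raise `required` for privileged accounts
    where more than one of the approaches is wanted."""
    return len(satisfied_approaches(password, mfa_enabled, deny_list)) >= required

def device_unlock_ok(method: str, secret: str = "") -> bool:
    """Device locking: biometrics, or a password/PIN of at least 6 characters."""
    if method == "biometric":
        return True
    if method in ("pin", "password"):
        return len(secret) >= 6
    return False
```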

Password best practice in 2022

Of course, the guidance given under the Cyber Essentials scheme specifies the minimum requirements. Organisations should consider implementing more than one of the recommended approaches in order to further strengthen their cyber security posture.

This is especially true for administrator accounts and accounts with high privileges. It is highly recommended that you use the highest possible security on these accounts, including multi-factor authentication and strong passwords.

If you would like to know more about how to implement multi-factor authentication and what your options are when doing so, you can read our recent blog on the topic.

We would also suggest that you implement all three options suggested under the new guidance for protecting against brute-force password-guessing attacks.

Password security: looking to the future

While the NCSC updated its advice in January of this year, there may be even bigger changes to password best practice on the way. This month, three of the world’s biggest technology companies – Apple, Google and Microsoft – released a joint announcement(2) about how they plan to push forward with the wider availability of passwordless logins in a major way.

The announcement centres on FIDO authentication. FIDO already facilitates passwordless sign-in across some websites and apps, but the technology companies now want the process developed into a more secure end-to-end passwordless option. The idea is for people to be able to log in to apps and websites simply by unlocking their phone via whatever method they normally use, such as a fingerprint reader or a PIN.

Why does this matter to me, you might be thinking? It’s true that although this kind of passwordless login might be suitable for the apps and websites that users access on a personal basis, it won’t be suitable for meeting corporate security standards. Plus, the changes aren’t likely to happen overnight – it will require effort from site and app developers as well as the big three tech firms to implement the system.

However, the development should stand as a warning about the direction of travel and the ambitions of the major technology players when it comes to passwords and access management. Further, organisations will need to brace themselves for the changing user expectations. When this type of streamlined access solution becomes the expected norm for consumer apps and websites, it won’t be too long before users expect their work IT environments to work in a similar way.

In the meantime, review the new guidance from the NCSC that we’ve set out above and make sure you comply. And, if you’d like any information about how to implement the new password guidance offered by the NCSC, please reach out to our team on 0808 164 4142 or book a call below.

Sources:

1. https://www.computerweekly.com/news/252516702/NHS-email-accounts-hijacked-for-phishing-campaign

2. https://www.techradar.com/uk/news/the-worlds-biggest-tech-companies-want-to-kill-passwords-on-password-day