Training

Password advice

by Mark Rowe

‘Password Guidance: Simplifying Your Approach’ is the title of a dozen-page document by the official UK bodies CESG and CPNI. They advocate what they term a new approach for system owners responsible for determining password policy.

The authorities say that the guidance is the result of working with industry, academia and other government departments. They point to a recent survey that UK citizens each have an average of 22 online passwords, far more than most people can remember. The Password Guidance addresses the inadequacies of existing approaches to passwords in creating effective whole-system security, and outlines what can be done to help organisations create password policies that work for both the organisation and its users.

Ciaran Martin, Director General for Government and Industry Cyber Security, said: “By simplifying your organisation’s approach to passwords, you can reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage.”

To read online visit https://www.gov.uk/government/publications/password-policy-simplifying-your-approach.

In brief

Previous guidance – as CESG admits – has encouraged system owners to adopt the approach that complex passwords are ‘stronger’. However, complex passwords do not usually frustrate attackers, yet they make daily life much harder for users. They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk.

A proliferation of password use, and ever more complex password requirements, place an unrealistic demand on most of us. Factory-set default passwords being left unchanged is one of the most common password mistakes; so, change all default passwords before deployment, and carry out a regular check of system devices and software, specifically to look for unchanged default passwords.

Regular password changing harms rather than improves security, so avoid placing the burden of what the authorities call ‘password overload’ on users. The advice includes using passwords only where they are really needed, asking users to change their passwords only on indication or suspicion of compromise, and not allowing sharing of passwords.

User-generated password schemes are more commonly used than machine-generated ones, as they’re cheaper and quicker. However, user-generated password schemes carry risks that machine-generated schemes do not. You should never re-use passwords between work and home. On the other hand, machine-generated passwords are not recommended. A machine-generated password eliminates those passwords that would be simple for an attacker to guess, requires little effort from the user to create, and, depending on the generation scheme, can produce passwords that are fairly easy to remember; some machine generation schemes, though, produce passwords which are very difficult for people to remember. The advice is to offer a choice of passwords, so users can select one they find memorable. Examples include passphrases, four random dictionary words, and CVC-CVC-CVC style passwords (CVC = consonant-vowel-consonant).
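The three memorable machine-generated schemes the guidance names (passphrase, four random words, CVC-CVC-CVC) can be implemented in a few lines so that a user is offered a choice rather than a single string. The following is an added example written for this article, not code from CESG or CPNI; the sixteen-word list is a constructed stand-in for a real dictionary, and the entropy figures assume the attacker knows both the scheme and the word list.

```python
import math
import secrets
import string

# Constructed stand-in for a dictionary word list (assumption: a real deployment
# loads a list of several thousand words, which is what gives four-word
# passwords their strength).
WORDS = [
    "apple", "river", "candle", "forest", "marble", "window", "copper", "silver",
    "meadow", "lantern", "pebble", "harbour", "velvet", "thunder", "orchid", "saddle",
]

VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)


def four_random_words(words=WORDS, sep="-"):
    """Four dictionary words drawn with a CSPRNG (secrets), joined by a separator."""
    return sep.join(secrets.choice(words) for _ in range(4))


def passphrase(words=WORDS, length=6):
    """A longer, space-separated phrase of random words."""
    return " ".join(secrets.choice(words) for _ in range(length))


def cvc_password(groups=3, sep="-"):
    """CVC-CVC-CVC style: each group is consonant, vowel, consonant, e.g. 'bak-lem-vot'."""
    def one_group():
        return (secrets.choice(CONSONANTS)
                + secrets.choice(VOWELS)
                + secrets.choice(CONSONANTS))
    return sep.join(one_group() for _ in range(groups))


def is_cvc(candidate, groups=3, sep="-"):
    """Format check: every group must be consonant-vowel-consonant."""
    parts = candidate.split(sep)
    return len(parts) == groups and all(
        len(p) == 3 and p[0] in CONSONANTS and p[1] in VOWELS and p[2] in CONSONANTS
        for p in parts
    )


def entropy_bits(scheme, words=WORDS):
    """Guessing entropy of each scheme when the attacker knows the scheme and the
    word list, which a system owner should assume."""
    if scheme == "words4":
        return 4 * math.log2(len(words))
    if scheme == "passphrase6":
        return 6 * math.log2(len(words))
    if scheme == "cvc3":
        per_group = math.log2(len(CONSONANTS) * len(VOWELS) * len(CONSONANTS))
        return 3 * per_group
    raise ValueError(f"unknown scheme {scheme!r}")


def offer_choice(count=6):
    """Produce `count` candidates, cycling through the schemes, so the user can
    pick the one they find most memorable rather than being handed one string."""
    generators = [four_random_words, cvc_password, passphrase]
    return [generators[i % len(generators)]() for i in range(count)]


if __name__ == "__main__":
    for candidate in offer_choice():
        print(candidate)
    for scheme in ("words4", "passphrase6", "cvc3"):
        print(f"{scheme}: {entropy_bits(scheme):.1f} bits with {len(WORDS)} words")
```

With the toy sixteen-word list, four words give only 16 bits, which shows why the dictionary size matters: the same scheme over a 7776-word list (the size of a standard diceware list) gives about 51.7 bits, while three CVC groups give about 33 bits regardless of any word list. Generation uses the `secrets` module rather than `random`, since the latter is not suitable for anything an attacker may try to predict.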

As administrator accounts have highly privileged access to systems and services, compromise of these accounts is a threat to the wider system, and especially attractive to attackers. Prioritise such users; consider for instance two factor authentication for all remote accounts; and make sure that absolutely no default administrator passwords are used.

Passwords should never be stored as plain text, even if the information on the protected system is relatively unimportant. An attacker who gains access to a database containing plain text passwords already knows a user’s credentials for one system. They can use this information to attempt to access more important accounts.
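Two of the points above, never storing passwords as plain text and regularly checking for unchanged default passwords, can be illustrated together against the same password store. The following is an added example written for this article, not code from CESG, CPNI or any product: it uses PBKDF2-HMAC-SHA256 from the Python standard library with a per-user random salt (the iteration count is an assumption for illustration), verifies in constant time, and runs the default-password check against the hash table rather than by trying to log in. The sample records and default list are constructed, not real credentials.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. Assumption: chosen for this example; a real
# deployment benchmarks it against its own hardware and raises it over time.
ITERATIONS = 200_000
SALT_BYTES = 16


def store_plaintext(username, password):
    """The anti-pattern the guidance warns against: the record IS the credential,
    so anyone who reads the table can reuse it against other systems."""
    return {"user": username, "password": password}


def store_hashed(username, password, iterations=ITERATIONS):
    """Store a per-user random salt and a slow salted hash, never the password."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "user": username,
        "salt": salt.hex(),
        "iterations": iterations,
        "hash": digest.hex(),
    }


def verify(record, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def audit_default_passwords(records, known_defaults):
    """Flag accounts whose stored hash verifies against a known default password.
    This is the 'regular check for unchanged default passwords' the guidance asks
    for, done offline against the store without touching the live login path."""
    return sorted(
        rec["user"] for rec in records
        if any(verify(rec, default) for default in known_defaults)
    )


# Constructed sample data (not real credentials): one device account was left on
# a vendor default; the others use memorable machine-generated passwords.
KNOWN_DEFAULTS = ["admin", "password", "changeme"]
SAMPLE_RECORDS = [
    store_hashed("alice", "copper-meadow-velvet-saddle"),
    store_hashed("router-admin", "admin"),
    store_hashed("bob", "bak-lem-vot"),
]


if __name__ == "__main__":
    print("plain text record leaks the credential:", store_plaintext("alice", "hunter2"))
    print("hashed record reveals nothing reusable:", SAMPLE_RECORDS[0])
    print("accounts still on a default password:",
          audit_default_passwords(SAMPLE_RECORDS, KNOWN_DEFAULTS))
```

Because each record carries its own salt, two users with the same password get different hashes, so a leaked table cannot be attacked with one precomputed list, and the audit has to run the slow function once per record and default, which is the intended cost. The list of defaults to check against is the one for the organisation's own deployed equipment, kept alongside the asset inventory.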

The full 13-page document is available at the link above.


© 2024 Professional Security Magazine. All rights reserved.