An insightful infographic by the UK National Cyber Security Centre (NCSC) provides guidance for system owners responsible for determining password policy. It can be used to examine, or even challenge, existing corporate password policies and to argue for a more realistic approach.
Passwords are an easily implemented, low-cost security measure, with obvious attractions for managers of enterprise systems. However, the proliferation of password use, together with increasingly complex password requirements, places an unrealistic demand on most users.
Inevitably, users devise their own coping mechanisms for ‘password overload’: writing down passwords, re-using the same password across different systems, or using simple and predictable password creation strategies. A study within a Scottish NHS trust found that 63% of its users admitted to re-using passwords.
How are passwords discovered?
Attackers use a variety of techniques to discover passwords. Many of these techniques are freely available and documented on the Internet, and use powerful, automated tools. Approaches to discovering passwords include:
- social engineering, e.g. phishing or coercion
- manual password guessing, perhaps using personal information ‘cribs’ such as name, date of birth, or pet names
- intercepting a password as it is transmitted over a network
- ‘shoulder surfing’, observing someone typing in their password at their desk
- installing a keylogger to intercept passwords when they are entered into a device
- searching an enterprise’s IT infrastructure for electronically stored password information
- brute-force attacks: the automated guessing of large numbers of passwords until the correct one is found
- finding passwords which have been stored insecurely, such as handwritten on paper and hidden close to a device
- compromising databases containing large numbers of user passwords, then using this information to attack other systems where users have re-used these passwords.
How to improve your system security
1. Change all default passwords
- Change all default passwords before deployment.
- Carry out a regular check of system devices and software, specifically to look for unchanged default passwords.
- Prioritise essential infrastructure devices.
2. Help users cope with password overload
- Users have a whole suite of passwords to manage, not just yours.
- Only use passwords where they are really needed.
- Use technical solutions to reduce the burden on users.
- Allow users to securely record and store their passwords.
- Only ask users to change their passwords on indication or suspicion of compromise.
- Allow users to reset passwords easily, quickly and cheaply.
- Do not allow password sharing.
- Password management software can help users, but carries risks.
3. Understand the limitations of user-generated passwords
- Put technical defences in place so that simpler password policies can be used.
- Reinforce policies with good user training. Steer users away from choosing predictable passwords, and prohibit the most common ones by blacklisting.
- Tell users that work passwords protect important assets; they should never re-use passwords between work and home.
- Be aware of the limitations of password strength meters.
4. Understand the limitations of machine-generated passwords
- Choose a scheme that produces passwords that are easier to remember.
- Offer a choice of passwords, so users can select one they find memorable.
- As with user-generated passwords, tell users that work passwords protect important assets; they should never re-use passwords between work and home.
5. Prioritise administrator and remote user accounts
- Give administrators, remote users and mobile devices extra protection.
- Administrators must use different passwords for their administrative and non-administrative accounts.
- Do not routinely grant administrator privileges to standard users.
- Consider implementing two factor authentication for all remote accounts.
- Make sure that absolutely no default administrator passwords are used.
6. Use account lockout and protective monitoring
- Account lockout and ‘throttling’ are effective methods of defending against brute-force attacks.
- Allow users around 10 login attempts before locking out accounts.
- Password blacklisting works well in combination with lockout or throttling.
- Protective monitoring is also a powerful defence against brute-force attacks, and offers a good alternative to account lockout or throttling.
- When outsourcing, contractual agreements should stipulate how user credentials are protected.
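The lockout, blacklisting and protective-monitoring controls in this section, as an added example that is not part of the NCSC guidance: failures are counted per account and the account locks after 10 attempts, the most common passwords are rejected at set time, and a system-wide burst of failures raises a monitoring alert even when no single account reaches the lockout threshold. The lockout duration, alert threshold, window and blacklist contents are constructed values, not figures from the guidance.

```python
from __future__ import annotations
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 10          # guidance: around 10 attempts before locking the account
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration; not specified in the guidance
ALERT_FAILURES = 50        # assumed protective-monitoring threshold per window
ALERT_WINDOW = 60          # assumed window, in seconds

# Constructed blacklist of common passwords; a real deployment would use a large list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                      # injectable for testing
        self.accounts: dict[str, AccountState] = {}
        self.failure_log: list[tuple[float, str]] = []  # (time, user) feed for monitoring
        self.alerts: list[str] = []

    def blacklisted(self, password: str) -> bool:
        """Reject the most common passwords when a user sets or changes one."""
        return password.lower() in COMMON_PASSWORDS

    def attempt(self, user: str, success: bool) -> str:
        """Record one login attempt; returns 'ok', 'denied' or 'locked'."""
        now = self.clock()
        state = self.accounts.setdefault(user, AccountState())
        if state.locked_until > now:
            return "locked"                     # lockout still in force, even for a correct password
        if success:
            state.failures = 0                  # a successful login resets the counter
            return "ok"
        state.failures += 1
        self.failure_log.append((now, user))
        self._monitor(now)
        if state.failures >= MAX_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            self.alerts.append(f"lockout user={user}")
            return "locked"
        return "denied"

    def _monitor(self, now: float) -> None:
        """Protective monitoring: alert on a burst of failures across all accounts."""
        recent = [t for t, _ in self.failure_log if now - t <= ALERT_WINDOW]
        if len(recent) >= ALERT_FAILURES:
            self.alerts.append(f"brute-force suspected: {len(recent)} failures in {ALERT_WINDOW}s")
```

The monitoring path is what catches an attacker who spreads guesses across many accounts to stay under each account's lockout threshold.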
7. Don’t store passwords as plain text
- Never store passwords as plain text.
- Produce hashed representations of passwords using a unique salt for each account.
- Store passwords in a hashed format, produced using a cryptographic function capable of multiple iterations (such as SHA-256).
- Ensure you protect files containing encrypted or hashed passwords from unauthorised system or user access.
- When implementing password solutions, use public standards, such as PBKDF2, which use multiple iterated hashes.
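Section 7 in working form, as an added example rather than code from the NCSC guidance: each account gets a fresh random salt, the password is hashed with PBKDF2-HMAC-SHA256 over many iterations, the stored record carries its own parameters so the work factor can be raised later, and verification uses a constant-time comparison. The record layout and the default iteration count are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to what your login latency budget allows
SALT_BYTES = 16       # 128-bit random salt, unique per account


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash."""
    salt = os.urandom(SALT_BYTES)  # never reuse a salt between accounts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record was produced with fewer iterations than current policy,
    so it can be re-hashed the next time the user logs in successfully."""
    return int(record.split("$")[1]) < iterations
```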