How to Improve Your Password Management

|
|
PUBLISHED on
27
July
2022

One of the long-held beliefs underpinning many a password policy is that forcing a regular password change is a good thing.  After all, by changing our passwords on a regular basis we might be able to stop an attacker taking advantage of a password they may have discovered. However, by forcing users to change their passwords, organisations are unwittingly increasing the probability of poorly constructed, weak passwords being used.

Many organisations require their users to change their passwords on a regular basis e.g., every 30-60 days, meaning that users may need to create a new password 12 times per year.  When coupled with the advice that passwords should be different for each system accessed, this can quickly become impractical and overly burdensome.

Typically, users are asked to make their passwords more complex, made up of random strings of characters, including numbers and special characters such as $, £, &, % making them even more difficult to remember.

What’s the result of frequently changing, complex passwords?  You guessed it... users will either write their passwords down or, more likely, ignore some of the rules.  In order to remember passwords, users will make them as simple and short as possible or very similar to passwords previously used.  These weaknesses can be exploited by an attacker.  The National Cyber Security Centre (NCSC) offers comprehensive guidance relating to passwords, here is a selection of its suggestions:

Educate your staff:

  • Emphasise the risks associated with re-using passwords across home and work accounts
  • Help users to choose passwords that are difficult to guess
  • Provide guidance on the prioritisation of high-value accounts
  • Make your training applicable to users’ work and personal lives.

Reduce your reliance on passwords:

  • Consider alternative means such as single sign-on (SSO), hardware or biometric solutions
  • Use 2 factor authentication (2FA) or multi-factor authentication (MFA) for important accounts and Internet-facing systems.

Implement technical solutions:

  • Account lockout after successive (5-10) failed attempts to protect against brute force attacks
  • Introduce ‘password blacklisting’ to prevent the use of common passwords
  • Use application programming interface (API) throttling to defend against brute force attacks

If you must use a password:

  • In addition the special characters referenced above, consider the use of 3 random words (summerbreezelight (or £Summer#Breeze!Light)
  • Use built in password generators when using password managers
  • Avoid complexity requirements and passwords that are too short
  • Don’t include character ‘capping’ on password lengths.

So, what is URM’s advice?  Our first recommendation is to reduce the reliance on the use of passwords.  Secondly, consider the use of technological solutions wherever possible (SSO, 2FA, MFA).  Biometrics and hardware tokens also reduce reliance on passwords, as can the use of password managers.  

Regular education of your staff to ensure they understand the risks associated with easy to guess passwords, passwords that are too short or similar to ones previously used.  Finally, password blacklists that prohibit the use of commonly used words (Password1, QWERTYUIOP) etc.) will all help to mitigate the threat associated with password usage.  Finally, by limiting the number of incorrect entries before imposing a system lockout/timeout, system administrators may be alerted to repeated unsuccessful attempts to access IT systems.

Do you need any help with ISO 27001 certificate?

URM can help you achieve ISO 27001 certification
Thumbnail of the Blog Illustration
Information Security
Published on
27/7/2022
How do You Avoid Information Security Breaches?

With the news often including stories regarding high-profile information security breaches, many of us find ourselves asking how we can avoid it.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
5/11/2024
Developing an ISO 27001 Information Security Policy

URM’s blog discusses how to develop and implement an information security policy that fully conforms to both your organisation’s and ISO 27001 requirements.

Read more
Thumbnail of the Blog Illustration
Other Standards
Published on
1/3/2024
ISO and IAF add Climate Change Considerations to 31 Management Systems Standards

On 22 February 2024 ISO and IAF released a joint statement relating to an amendment to a total of 31 existing Annex SL management system standards.

Read more
URM's diligence during these audits has resulted in the business as a whole pulling together to collectively ensure that we up to par with the requirements. While our working relationship with URM’s consultant is fantastic, we are held to account for every bullet point of every requirement on every audit, which is precisely what we expect. The consultant’s efforts in ensuring that our PCI compliance is audited correctly is highly appreciated, as it gives the company an accreditation that we can be proud of and that we can show off to existing and prospective customers as proof of our security posture. A huge thank you to URM for providing such a valuable service.
Open Banking Platform
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.