# Password Policy: Advice for system owners

The NCSC is working to reduce organisations' reliance on users having to recall large numbers of complex passwords. The advice below advocates a greater reliance on technical defences and organisational processes, with passwords forming just one part of your wider access control and identity management approach.

## How passwords are discovered...

- Interception: Passwords can be intercepted as they travel over a network.
- Brute force: Automated guessing of billions of passwords until the correct one is found.
- Key logging: Installing a keylogger to intercept passwords when they are entered.
- Manual guessing: Details such as dates of birth or pet names can be used to guess passwords.
- Shoulder surfing: Observing someone typing in their password.
- Stealing hashes: Stolen hash files can be broken to recover the original passwords.
- Phishing & coercion: Using social engineering techniques to trick people into revealing passwords.
- Insecurely stored passwords: Passwords can be stolen, such as ones written on sticky notes and kept near (or on) devices.
- Data breaches: Using the passwords leaked from data breaches to attack other systems.
- Password spraying: Trying a small number of commonly-used passwords to access a large number of accounts.

## ...and how to improve system security

Passwords can only do so much. Even when implemented correctly, passwords are limited in helping prevent unauthorised access. If an attacker discovers or guesses the password, they are able to impersonate a user.

### Reduce your reliance on passwords

1. Only use passwords where they are needed and appropriate.
2. Consider alternatives to passwords such as SSO, hardware tokens and biometric solutions.
3. Use MFA for all important accounts and internet-facing systems.

### Implement technical solutions

1. Throttling or account lockout can defend against brute force attacks.
2. For lockout, allow between 5-10 login attempts before locking out.
3. Consider using security monitoring to defend against brute force attacks.
4. Password blacklisting prevents common passwords being used.

### Protect all passwords

1. Ensure corporate web apps requiring authentication use HTTPS.
2. Protect any access management systems you manage.
3. Choose services and products that protect passwords using standards such as SHA-256.
4. Protect access to user databases.
5. Prioritise administrators, cloud accounts and remote users.

### Help users generate better passwords

1. Be aware of different password generation methods.
2. Use built-in password generators when using password managers.
3. Don't use complexity requirements.
4. Avoid the creation of passwords that are too short.
5. Don't impose artificial capping on password length.

## Key messages for staff

### Password training

1. Emphasise the risks of re-using passwords across work and home accounts.
2. Help users to choose passwords that are difficult to guess.
3. Help users to prioritise their high value accounts.
4. Consider making your training applicable to users' personal lives.

### Help users cope with password overload

1. Allow users to securely store their passwords, including the use of password managers.
2. Don't automatically expire passwords. Only ask users to change their passwords on indication or suspicion of compromise.
3. Use delegation tools instead of password sharing. If there's a pressing business requirement for password sharing, use additional controls to provide the required oversight.

© Crown Copyright 2018 www.ncsc.gov.uk @ncsc National Cyber Security Centre
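As an added example (not NCSC code), the technical controls above combined into one login gate: a common-password deny-list, a length floor with no upper cap and no complexity rules, salted iterated SHA-256 hashing, and lockout after seven failed attempts, inside the advised 5-10. The 15-minute lockout duration, the PBKDF2 iteration count and the deny-list contents are assumptions.

```python
import hashlib, hmac, os, time
from collections import defaultdict

# Constructed deny-list; a real deployment loads a large list of common/breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 8          # reject passwords that are too short; no upper cap is imposed
MAX_ATTEMPTS = 7        # lockout threshold, inside the advised 5-10 attempts
LOCKOUT_SECONDS = 900   # assumed lockout duration (not specified on the page)

def password_acceptable(candidate):
    # Length floor plus deny-list only: no complexity rules, no length cap.
    if len(candidate) < MIN_LENGTH:
        return False, "too short"
    if candidate.lower() in COMMON_PASSWORDS:
        return False, "on common-password deny-list"
    return True, "ok"

def hash_password(password, salt=None):
    """Salted, iterated SHA-256 (PBKDF2) so a stolen hash file is slow to crack."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class LoginGate:
    def __init__(self, clock=time.monotonic):
        self.clock = clock            # injectable so tests can advance time
        self.users = {}               # username -> (salt, digest)
        self.failures = defaultdict(int)
        self.locked_until = {}

    def register(self, username, password):
        ok, reason = password_acceptable(password)
        if not ok:
            raise ValueError(reason)
        self.users[username] = hash_password(password)

    def login(self, username, password):
        # Returns "ok", "denied" or "locked"; the MAX_ATTEMPTS-th failure locks the account.
        now = self.clock()
        if now < self.locked_until.get(username, 0):
            return "locked"
        record = self.users.get(username)
        # Constant-time digest compare; failures against unknown usernames are counted too.
        if record and hmac.compare_digest(hash_password(password, record[0])[1], record[1]):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
            return "locked"
        return "denied"
```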