How to improve your password management

One of the longstanding beliefs that forms the basis of many password policies is the notion that regular password changes are beneficial. The idea is that by frequently changing passwords, we can potentially prevent attackers from exploiting a discovered password. However, the unintended consequence of enforcing password changes is that organisations inadvertently raise the likelihood of users creating weak and poorly constructed passwords.

Organizations often impose regular password changes, such as every 30-60 days, requiring users to create new passwords multiple times a year. This practice becomes burdensome and impractical when combined with the recommendation that passwords should be unique for each system accessed. Implementing ISO 27001 certification can help organizations establish a robust information security management system (ISMS) that considers various factors, including password policies, to strike a balance between security requirements and user convenience.

Typically, users are encouraged to create complex passwords consisting of random strings of characters, including numbers and special symbols like $, £, &, %. However, the outcome of frequent password changes and complexity requirements is predictable. Users either resort to writing down their passwords or, more commonly, disregard the rules altogether.

To cope with the challenge of remembering passwords, users tend to choose simpler and shorter combinations or slightly modify previous passwords. These practices create vulnerabilities that can be exploited by attackers. The National Cyber Security Centre (NCSC) offers comprehensive guidance on password security, and here are some of their suggest
Educate your staff:

  1. Emphasize the risks of password reuse across both personal and work accounts to prevent unauthorized access.

  2. Provide guidance on choosing strong passwords that are difficult to guess, incorporating a combination of uppercase and lowercase letters, numbers, and special characters.

  3. Offer guidance on prioritizing high-value accounts to ensure stronger security measures are in place for critical systems and sensitive data.

  4. Make training relevant to users' work and personal lives, demonstrating the importance of secure password practices in all aspects of their online activities.

Reduce reliance on passwords:

  1. Consider alternative authentication methods such as single sign-on (SSO), hardware tokens, or biometric solutions to enhance security and usability.

  2. Implement two-factor authentication (2FA) or multi-factor authentication (MFA) for important accounts and systems that require an additional layer of verification.

Implement technical solutions:

  1. Implement account lockout mechanisms after a certain number of consecutive failed login attempts to protect against brute force attacks.

  2. Utilize password blacklisting to prevent the use of commonly used or easily guessable passwords.

  3. Employ application programming interface (API) throttling to defend against brute force attacks by limiting the number of authentication attempts within a given timeframe.

If passwords are necessary:

  1. Encourage the use of a passphrase composed of three random words, such as "summerbreezelight" (or £Summer#Breeze!Light), to create a memorable yet secure password.

  2. Utilize built-in password generators provided by password managers to generate strong and unique passwords.

  3. Avoid overly complex requirements and excessively short passwords, as they may be difficult for users to remember and increase the likelihood of weak choices.

  4. Remove restrictions on password length to allow users to create longer, more secure passwords without arbitrary character limits.

By implementing these measures and educating staff on secure password practices, organizations can significantly enhance their overall security posture and protect sensitive information from unauthorized access.

Here are some recommendations to enhance password security:

  1. Reduce reliance on passwords: Explore alternatives to passwords, such as implementing single sign-on (SSO), two-factor authentication (2FA), multi-factor authentication (MFA), biometrics, or hardware tokens. These solutions provide additional layers of security and reduce the reliance on passwords.

  2. Implement technological solutions: Utilize available technological solutions like SSO, 2FA, MFA, biometrics, and password managers to enhance security and usability.

  3. Regular staff education: Conduct regular education and training sessions to raise awareness among staff about the risks associated with weak passwords, short passwords, or reusing passwords. Help them understand the importance of using strong and unique passwords for better security.

  4. Password blacklists: Implement password blacklisting to restrict the use of commonly used or easily guessable passwords. Prohibit passwords like "Password1" or "QWERTYUIOP" to mitigate the risk of weak passwords being used.

  5. System lockout/timeout: Set up a system lockout or timeout mechanism that triggers after a certain number of incorrect login attempts. This helps identify and prevent repeated unauthorized access attempts, providing administrators with alerts and safeguarding IT systems.

By adopting these recommendations and implementing ISO 27001 implementation, organizations can strengthen their overall password security posture, reduce the risk of unauthorized access, and mitigate potential threats associated with password usage.