Cyber Essentials Password Policy
(Last updated on May 24, 2019)
Passwords play an important role in the Cyber Essentials scheme as they are a common means of authenticating true users, while preventing unauthorized access. Two of the five controls in the UK Government’s Cyber Essentials scheme address password security requirements directly. The controls are designed to defend against common cyber attacks, such as phishing, and manual/automated password guessing.
5 key controls of Cyber Essentials
The Cyber Essentials security controls can prevent around 80% of cyber attacks, according to the UK government. There are five technical control topics included in the scheme:
- Secure Configuration
- User Access Control
- Malware Protection
- Patch Management
Passwords figure heavily in Secure Configuration and User Access Control.
What is Secure Configuration?
The objective of Secure Configuration is to ensure that computers and network devices are configured to reduce the level of inherent vulnerabilities. Devices should only provide the service required to fulfil their role. In addition to computers and network device requirements, the Secure Configuration control details password-based authentication. In a shift away from password complexity, the requirements place the technical password burden on systems, as opposed to relying on users following good practices. To achieve the certificate an applicant must fulfil the following (from the Cyber Essentials website):
- protect against brute-force password guessing, by using at least one of the following methods:
- lock accounts after no more than 10 unsuccessful attempts
- limit the number of guesses allowed in a specified time period to no more than 10 guesses within 5 minutes
- set a minimum password length of at least 8 characters
- not set a maximum password length
- change passwords promptly when the Applicant knows or suspects they have been compromised
- have a password policy that tells users:
- how to avoid choosing obvious passwords (such as those based on easily-discoverable information like the name of a favorite pet)
- not to choose common passwords — this could be implemented by technical means, using a password blacklist
- not to use the same password anywhere else, at work or at home
- where and how they may record passwords to store and retrieve them securely — for example, in a sealed envelope in a secure cupboard
- if they may use password management software — if so, which software and how
- which passwords they really must memorize and not record anywhere
The Applicant is not required to:
- enforce regular password expiry for any account (we actually advise against this — for more information see The problems with forcing regular password expiry)
- enforce password complexity requirements
What is User Access Control?
User Access Control ensures user accounts are assigned to authorized individuals only. Access should only be granted to those applications, computers, and networks that are actually required for the user to perform their role. You can reduce the risk of information being stolen or damaged by granting only as much access as needed. This technical control defines requirements of privileged accounts and processes for limiting access. The requirements include the following (from the Cyber Essentials website):
- have a user account creation and approval process
- authenticate users before granting access to applications or devices, using unique credentials (see Password-based authentication)
- remove or disable user accounts when no longer required (when a user leaves the organization or after a defined period of account inactivity, for example)
- implement two-factor authentication, where available
- use administrative accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks)
- remove or disable special access privileges when no longer required (when a member of staff changes role, for example)
The overall goal of the Cyber Essentials scheme is to help organizations guard against common cyber threats and show their commitment to cyber security. There are five accreditation bodies that can help with assessment and certification. The following accreditation bodies are listed on the NCSC’s website: APMG, CREST, IASME, IRM and QG Management Standards. The Cyber Essential certification is a stamp of approval that an organization has put the most critical cyber security measures in place.
Password policy requirements
If you are planning for Cyber Essentials accreditation you will need to make sure your password policy is up to the challenge. Shift the password burden away from your users, and place it instead on the technical systems. For example, you could use a password blacklist to stop leaked passwords, lock accounts after repeated login attempts, and stop periodic password expirations. You should also limit the number of users who have privileged access, and use those accounts for only the task that is required of them.
Specops Password Policy can address these password-related requirements with a full-featured password filtering tool that includes a password blacklist with more than 1 billion passwords. While the free tool, Specops Password Auditor, can help you identify stale accounts and accounts with admin privileges that may be flying under the radar.
The Payment Card Industry Data Security Standard (PCI DSS) regulates security practices to protect cardholder data. Password compliance plays an important role in the PCI standards by dictating password complexity to strengthen defense against unauthorized access. New requirements coming into effect this January demand multi-factor authentication (MFA) for administrators, and anyone with remote access. PCI…Read More
As long as people reuse their passwords, dictionary attacks will work. Password blacklisting is an effective way to shift the burden from users and prevent dictionary attacks.Read More
A recent survey in the UK showed that protecting passwords is still a complicated task for many organizations. Protecting passwords is top of mind for IT professionals, but there isn’t a one-size-fits-all solution to the problem.Read More