How to meet password requirements for PSN compliance

If you’re applying for a Public Services Network (PSN) compliance certificate, you will need to demonstrate your commitment to security and password protection. In this article we define these requirements and offer some valuable advice and solutions to help you meet the necessary requirements.

An overview of PSN compliance

Since its launch in 2005, the PSN has improved efficiency and saved on UK public expenditure. Its security and reliability are dependent on the cooperation of each of its users to comply with the regulations and guidelines put in place to protect it.

These regulations ensure that:

• The network will continue to work without problems.
• Data is appropriately protected.
• In the event something should go wrong, it can be quickly remedied with minimal consequences.

To gain access to the PSN, you must apply for a PSN compliance certificate. The application requires you to report your security arrangements to the government to demonstrate that they would adequately protect the PSN community. This, of course, includes showing due diligence to password protection.

PSN Password Requirements

The first step to applying for PSN Compliance is to complete the Code of Connection (CoCo) form. The PSN password requirements are outlined in part 2, entitled “Authentication and access control”.

They are as follows:

1. You must ensure that ALL passwords are changed from defaults
2. You must not allow password/account sharing
3. You must ensure that high-privilege users (i.e. administrators) use different passwords for their high-privilege and low-privilege accounts
4. You must combine passwords with some other form of strengthening authentication, such as lockouts, throttling, or two-factor authentication
5. You must ensure that passwords are never stored as plain text, but are (as a minimum) hashed using a cryptographic function capable of multiple iterations and/or a variable work factor. It is advisable to add a salt before hashing passwords.

PSN Code of Connection Form v1.31

The measures are more than reasonable given what’s on offer, and what’s at stake. The accompanying guidelines state that if, for whatever reason, you cannot meet one or more of the 5 requirements, you must demonstrate that you have other rigorous controls in place.

Tools to help you meet PSN Password Requirements

Specops offer a variety of solutions to help you to ensure that all members of your organisation comply with the PSN regulations.

Specops Password Auditor

Specops Password Auditor is free to download. It scans existing passwords in your active directory and creates a report to alert you to vulnerabilities.

• Prevent all users from duplicating passwords. It’s extremely common for people to reuse passwords across multiple accounts. The Password Auditor reports accounts that have identical passwords. It also tells you whether these users are admins, enabling you to enforce number 3 of the requirements listed above.
• Enforce password updates. Find out which of your users’ passwords have expired and prompt them to update their accounts. This is particularly useful for your remote workforce who may not have received a reminder to update their passwords.
• Identify compromised passwords. Compare your accounts against a regularly updated database of leaked passwords. It’s important to note that Specops doesn’t decode encrypted passwords to do this. Instead, it simply compares hashes of passwords on your system to those in our database.
• Get an overview of admin accounts, including stale and inactive accounts.

Specops Password Policy

Specops Password Policy enables you to create your own password policies and enforce compliance.

• Improve password complexity by setting a minimum character length and requiring a combination of lowercase, uppercase, numbers, and special characters. You have full control and flexibility to set your own requirements.
• Compare your policy against the regulatory password recommendations from NIST and NCSC.
• Block weak and commonly used passwords to prevent dictionary attacks.
• The Specops Breached Password Protection add-on allows you to check passwords against those found in leaked databases as well as those being used in password spray attacks happening right now.

Specops uReset

Account resets are an inevitable reality. Specops uReset enables safe and secure self-service password resets and changes.

• Multi-Factor Authentication (MFA) enhances login security. Use security questions, mobile verification codes, fingerprint authentication, and digital identity provider authentication.
• Enable your helpdesk to verify genuine users through MFA.

Enforcing password regulations in your organisation is not just a necessary step to PSN compliance, it is also a worthwhile investment to protect yourself and your users from threat actors. If you do nothing else, download and run Specops Password Auditor. It’s completely free and will give you a good overview of password security across your active directory.