How to make your password policy NCSC compliant
(Last updated on May 9, 2022)
The National Cyber Security Centre (NCSC), formerly known as the CESG, introduced new password recommendations to combat the swell of data breaches. What was once perceived as a best practice, such as password complexity, is now considered an anti-pattern.
The guidance, also referenced in the Public Service Network’s (PSN) Code of Connection, includes 7 tips, all of which you will find here in an abbreviated version along with our spin on some of the recommendations.
Tip 1: Change all default passwords
Not changing default passwords is one of the most common password mistakes that organizations make. Particular attention should be paid to essential infrastructure devices.
Tip 2: Help users cope with password overload
NCSC recommends only requiring a password change when a compromise is suspected since stolen passwords are generally exploited immediately. Also frequent changes makes users fall into predictable patterns leading to the creation of weak passwords. Other recommendations include the use single sign-on, password synchronization, and means to store recorded passwords. Password sharing should never be allowed.
- Vary password expiry across different user groups
IT departments do not know when breaches occur – often they find out by accident or when a list is actually made public. Having password expiry in place limits the time of the exposure. Privileged accounts should still follow a frequent password expiration period. For non-privileged users you can forgo frequent expiration and strengthen your policy using multi-factor authentication, passphrases, and by banning dictionary words.
Tip 3: Understand the limitations of user-generated passwords
Studies of user-generated passwords have shown that they encourage insecure behaviors that attackers use to optimize their attacks. Insecure behaviors include using common predictable passwords, and re-using the same password over multiple systems. NCSC believe that long and complex passwords only gives a marginal security benefit while the user burden is high. They state that the use of technology to defend against automated guessing attacks is more effective and recommend using account lockout, throttling, protective monitoring and blacklisting common passwords.
- Ban common passwords
Attackers can use multiple dictionaries including foreign words, phonetic patterns, and lists from data breaches such as LinkedIn, Gawker, and Adobe. With the right tools in place, such as Specops Password Policy, any dictionary or custom list can be blocked from being used.
- Encourage length, not complexity
Shorter passwords are more prone to brute-force attacks than longer – it’s just math! Passphrases, a combination of words that are meaningless together, are easier to remember and much harder to crack.
- Turn on multi-factor authentication
Use multi-factor authentication everywhere you can, especially for privileged users or when accessing critical systems.
- Educate users
Communicate the risks associated with poor practices such as using weak passwords, reusing them across different sites and sharing. This can also include security awareness training on social engineering, phishing and key logging..
Tip 4: Understand the limitations of machine-generated passwords
If you use machine-generated passwords make sure to choose a system that produces easy to remember passwords and offer a choice of passwords. NCSC say that administrators must use different passwords for their administrative and non-administrative accounts. Standard users should not routinely be granted administrator privileges.
Tip 5: Prioritize administrator and remote user accounts
Administrator accounts, with highly privileged access to systems and services, need to be especially protected since they are very attractive to hackers. Remote users who require remote login access should be required to provide extra evidence, such as a token or be part of a multi-factor authentication policy.
Tip 6: Use account lockout and protective monitoring
Account lockout (NCSC recommends 10 attempts), throttling, and protective monitoring are powerful defenses against brute-force attacks and encouraged by the NCSC. Protective monitoring can be used to relax the burden of locking out users. Blocking common passwords works well in combination with lockout and throttling.
- Use account lockout, but make sure to enable self-service passwords resets
With a tool such as Specops uReset and Specops Password Reset, user can reset their passwords anywhere at any time, without the assistance of helpdesk.
Tip 7: Don’t store passwords as plain text
Passwords should be hashed and uniquely salted, and never stored as plain text
Account lockout = a user only has a limited number of attempts to enter their password before their account is locked out
Throttling = a technique where there is a time delay between successive login attempts.
Protective monitoring = a technique used to detect and alert any malicious and abnormal behavior