How to make your password policy NCSC compliant

The National Cyber Security Centre (NCSC), formerly known as the CESG, introduced new Cyber Essentials password recommendations to combat the swell of data breaches. What was once perceived as a best practice, such as password complexity, is now considered an anti-pattern.
The NCSC password guidance, also referenced in the Public Service Network’s (PSN) Code of Connection, includes 7 tips, all of which you will find here in an abbreviated version along with our spin on some of the recommendations.

NCSC Password Guidance: 7 tips

Tip 1: Change all default passwords

Not changing default passwords is one of the most common password mistakes that organizations make. New joiners should be forced to change their password at their first login. Particular attention should be paid to essential infrastructure devices.

Tip 2: Help users cope with password overload

The NCSC recommends only requiring a password change when a compromise is suspected, since stolen passwords are generally exploited immediately. Frequent changes also make users fall into predictable patterns, leading to the creation of weak passwords. Other recommendations include the use of single sign-on, password synchronization, and a means to store recorded passwords. Password sharing should never be allowed.


Specops recommendation

  • Vary password expiry across different user groups
    IT departments do not always know when breaches occur – often they find out by accident or when a list is actually made public. Having password expiry in place limits the time of the exposure. Privileged accounts should still follow a frequent password expiration period. For non-privileged users you can forgo frequent expiration and strengthen your policy using multi-factor authentication, passphrases, and by banning dictionary words.

Tip 3: Understand the limitations of user-generated passwords

Studies of user-generated passwords have shown that they encourage insecure behaviors that attackers use to optimize their attacks. Insecure behaviors include using common, predictable passwords and re-using the same password across multiple systems. According to the NCSC password guidance, long and complex passwords only give a marginal security benefit while the user burden is high. They state that the use of technology to defend against automated guessing attacks is more effective, and recommend using account lockout, throttling, protective monitoring and blocking common passwords.


Specops recommendation

  • Ban common passwords
    Attackers can use multiple dictionaries including foreign words, phonetic patterns, and lists from data breaches such as LinkedIn, Gawker, and Adobe. With the right tools in place, such as Specops Password Policy, any dictionary or custom list can be blocked from being used.
  • Encourage length, not complexity
    Shorter passwords are more prone to brute-force attacks than longer ones – it’s just math! Passphrases, a combination of words that are meaningless together, are easier to remember and much harder to crack.
  • Turn on multi-factor authentication
    Use multi-factor authentication everywhere you can, especially for privileged users or when accessing critical systems.
  • Educate users
    Communicate the risks associated with poor practices such as using weak passwords, reusing them across different sites and sharing them. This can also include security awareness training on social engineering, phishing and keylogging.
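The "ban common passwords" and "length, not complexity" recommendations above can be expressed as a small policy check. The following is an added example written for this article, not Specops Password Policy or any NCSC code; the banned list is a constructed stub of a few well-known entries (a real deployment would load a breach-derived corpus), and the 12-character minimum is an assumed policy value. The check also undoes the trailing-digit and leet mangling that turns a dictionary word into "P@ssw0rd123!", and includes the search-space arithmetic behind preferring length over character classes.

```python
"""Password policy check in the NCSC spirit: favour length, ban common and
breached passwords, skip composition rules. Added example for this article;
it is not Specops Password Policy and the banned list is a constructed stub."""
import math
import re

# Constructed stand-in for a banned-password list. A real deployment loads a
# large breach-derived corpus here; these few entries only illustrate the check.
BANNED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "linkedin",
    "adobe123", "iloveyou", "monkey", "football",
}

MIN_LENGTH = 12  # assumed policy value; length matters more than symbols

# Undo the substitutions that mangle a dictionary word (p@ssw0rd -> password)
# so the mangled form is caught as well as the plain one.
LEET_MAP = str.maketrans("@$!01345", "asioleas")


def normalize(password: str) -> str:
    """Reduce a password to the base word it was derived from:
    lowercase, drop trailing digits/symbols, undo leet substitutions."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # "welcome2024!" -> "welcome"
    return base.translate(LEET_MAP)        # "p@ssw0rd"     -> "password"


def check_password(password: str, banned=BANNED_PASSWORDS) -> list[str]:
    """Return the list of policy violations (an empty list means accepted)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    for candidate in (password.lower(), normalize(password)):
        if candidate in banned:
            reasons.append(f"based on banned password {candidate!r}")
            break
    return reasons


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """Size of the brute-force search space in bits: length * log2(alphabet).
    This is the 'it's just math' behind preferring length over complexity."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ["P@ssw0rd123!", "Tr0ub4dor&3", "welcome2024!", "purple otter eats toast"]:
        print(f"{pw!r:28} -> {check_password(pw) or 'accepted'}")
    # 8 printable-ASCII characters versus a 20-character lowercase passphrase
    print(f"8 chars, 95 symbols:  {guess_space_bits(8, 95):.1f} bits")
    print(f"20 chars, 27 symbols: {guess_space_bits(20, 27):.1f} bits")
```

Note that the passphrase of lowercase words and spaces beats the eight-character "complex" password by a wide margin, which is why the policy above enforces length and the banned list rather than character classes.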

Tip 4: Understand the limitations of machine-generated passwords

If you use machine-generated passwords, make sure to choose a system that produces easy-to-remember passwords and offers a choice of passwords. The NCSC password guidelines say that administrators must use different passwords for their administrative and non-administrative accounts – sharing is not recommended. Standard users should not routinely be granted administrator privileges.

Tip 5: Prioritize administrator and remote user accounts

Administrator accounts, with highly privileged access to systems and services, need to be especially well protected since they are very attractive to hackers. Users who require remote login access should be required to provide extra evidence, such as a token, or be covered by a multi-factor authentication policy.

Tip 6: Use account lockout and protective monitoring

Account lockout (NCSC recommends 10 attempts), throttling, and protective monitoring are powerful defenses against brute-force attacks and encouraged by the NCSC. Protective monitoring can be used to relax the burden of locking out users. Blocking common passwords works well in combination with lockout and throttling.


Specops recommendation

  • Use account lockout, but make sure to enable self-service password resets
    With a tool such as Specops uReset and Specops Password Reset, users can reset their passwords anywhere at any time, without the assistance of the helpdesk.
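The three controls named in Tip 6 (and defined in the terminology section at the end) fit together in one small authentication guard. The following is an added example for this article, not Specops or NCSC code: it replays a constructed login log, locks an account after the 10 failed attempts the NCSC recommends, returns a growing throttling delay after each failure, raises protective-monitoring alerts, and clears a lockout through a `reset()` call standing in for the self-service password reset recommended above. The spray threshold of five accounts and the 60-second delay cap are assumptions.

```python
"""Account lockout, throttling and protective monitoring over a constructed
login log. Added example for this article, not Specops' own code; the
10-attempt lockout is the NCSC figure quoted in the article, the other
thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 10   # NCSC-recommended number of attempts (from the article)
MAX_DELAY_SECONDS = 60   # assumed cap on the throttling delay
SPRAY_THRESHOLD = 5      # assumed: distinct accounts failed from one source before alerting


@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False


@dataclass
class AuthGuard:
    accounts: dict = field(default_factory=lambda: defaultdict(AccountState))
    failed_users_by_src: dict = field(default_factory=lambda: defaultdict(set))
    alerts: list = field(default_factory=list)

    def throttle_delay(self, user: str) -> int:
        """Throttling: seconds the client must wait before the next attempt,
        doubling with each consecutive failure (0 after a success)."""
        failures = self.accounts[user].failures
        return 0 if failures == 0 else min(2 ** (failures - 1), MAX_DELAY_SECONDS)

    def attempt(self, user: str, src: str, success: bool) -> str:
        """Process one login attempt; returns 'allow', 'fail' or 'locked'."""
        state = self.accounts[user]
        if state.locked:
            return "locked"              # rejected before any credential check
        if success:
            state.failures = 0
            return "allow"
        state.failures += 1
        self.failed_users_by_src[src].add(user)
        # Protective monitoring: one source failing across many accounts is
        # abnormal even when no single account reaches the lockout threshold.
        if len(self.failed_users_by_src[src]) == SPRAY_THRESHOLD:
            self.alerts.append(f"spray: {src} failed against {SPRAY_THRESHOLD} accounts")
        if state.failures >= LOCKOUT_THRESHOLD:
            state.locked = True
            self.alerts.append(f"lockout: {user} after {state.failures} failures from {src}")
            return "locked"
        return "fail"

    def reset(self, user: str) -> None:
        """Self-service password reset: clears the lockout and failure count."""
        self.accounts[user] = AccountState()


# Constructed sample log: one source hammering 'alice' (reaches lockout), one
# legitimate login, and one source failing once each against six accounts.
SAMPLE_LOG = (
    [f"2024-12-20T09:00:{i:02d}Z FAIL user=alice src=203.0.113.7" for i in range(11)]
    + ["2024-12-20T09:01:00Z OK user=bob src=10.0.0.12"]
    + [f"2024-12-20T09:02:{i:02d}Z FAIL user={u} src=198.51.100.9"
       for i, u in enumerate(["carol", "dave", "erin", "frank", "grace", "heidi"])]
)


def parse(line: str):
    """Split 'timestamp RESULT user=... src=...' into (user, src, success)."""
    _ts, result, user_kv, src_kv = line.split()
    return user_kv.split("=", 1)[1], src_kv.split("=", 1)[1], result == "OK"


def replay(lines):
    """Run every log line through a fresh guard; return it with the decisions."""
    guard = AuthGuard()
    decisions = [guard.attempt(*parse(line)) for line in lines]
    return guard, decisions


if __name__ == "__main__":
    guard, decisions = replay(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG, decisions):
        print(f"{decision:7} {line}")
    print("alerts:", *guard.alerts, sep="\n  ")
    print("alice must wait", guard.throttle_delay("alice"), "s; carol", guard.throttle_delay("carol"), "s")
```

The spray alert is the part the lockout counter alone would miss: none of the six accounts gets anywhere near ten failures, so only monitoring across accounts reveals that one source is behaving abnormally.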

Tip 7: Don’t store passwords as plain text

Final words in our NCSC password guidelines: Passwords should be hashed and uniquely salted, and never stored as plain text.
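What "hashed and uniquely salted" looks like in code, next to the two storage anti-patterns it replaces. This is an added example written for this article, not Specops or NCSC code; it uses PBKDF2-HMAC-SHA256 from the Python standard library with a per-user random salt, and the 600,000-iteration work factor is an assumption to be tuned to your hardware. The point it makes visible is that two users who picked the same passphrase share an identical unsalted hash but get unrelated salted records.

```python
"""Password storage: the plain-text and unsalted-hash anti-patterns the
article warns about, next to a uniquely salted slow hash. Added example
for this article, not Specops' code; the work factor is an assumption."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # PBKDF2 work factor; assumed, tune to ~100 ms per hash on your hardware
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """Anti-pattern: whoever reads the table has every password."""
    return password


def store_unsalted(password: str) -> str:
    """Anti-pattern: fast and unsalted, so two users with the same password
    share one stored value and a precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a slow, uniquely salted hash and return a self-describing record
    (algorithm$iterations$salt$digest) so the work factor can be raised later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    shared = "correct horse battery staple"   # two users picked the same passphrase
    print("unsalted, user 1:", store_unsalted(shared))
    print("unsalted, user 2:", store_unsalted(shared))      # identical: reveals the reuse
    rec1, rec2 = hash_password(shared), hash_password(shared)
    print("salted,   user 1:", rec1)
    print("salted,   user 2:", rec2)                         # different salts, unrelated records
    print("verify correct:", verify_password(shared, rec1))
    print("verify wrong:  ", verify_password(shared + "r", rec1))
```

Storing the iteration count inside the record is what lets you raise the work factor later and re-hash each user transparently at their next successful login, without a forced reset.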

Specops Password Policy helps you enforce best practices and make sure your password policy is NCSC compliant. Get a free trial or contact us to book a demo.

NCSC terminology

Account lockout = a user only has a limited number of attempts to enter their password before their account is locked out.
Throttling = a technique where there is a time delay between successive login attempts.
Protective monitoring = a technique used to detect and alert on any malicious and abnormal behavior.

(Last updated on December 20, 2024)
