How and why the NHS should transform password policy for greater security
(Last updated on December 6, 2018)
As the largest employer in the United Kingdom, and the fifth largest in the world, the NHS has a responsibility to lead the way in cyber security. After all, there’s much at stake. For a high profile and public-facing organisation such as the NHS, strong security not only ensures compliance with today’s privacy and data protection regulations but also enables greater reputational protection and strengthens public trust.
However, current NHS password policy falls short of expected standards. To be truly secure, trusted, protected, and for the sake of their 1.7 million employees, the NHS needs to update their password recommendations. Largely this should entail blacklisting weak and leaked passwords; it’s the only way to prevent the continued use of vulnerable passwords within the NHS.
Why is password blacklisting so important?
As long as users continue to choose common and predictable passwords, attacks that guess them will continue to work. Predictability cuts both ways, however: defenders can take advantage of it too, by screening out the very passwords attackers try first. The best protection against this type of attack is a password blacklist applied during the password creation process: each new password is checked against the blacklist, and users are prevented from selecting passwords that are known to be susceptible to attack. For the NHS, implementing such a process would add a substantial layer of protection.
Limiting Password Risks
The death of passwords has long been predicted, but the fact that we use passwords to access all kinds of accounts including email, banks, portals, shopping, dating and social media applications, means passwords are here to stay. The average number of passwords a person deals with in their daily lives varies from 19 passwords (statistic from 2014) to 191 passwords (statistic from 2018). Think all of those passwords are unique? Think again. Password reuse is the result of people’s inability to come up with unique (and memorable) passwords for all of the services they access in their digital lives.
While the NHS remains a hot target for cyber criminals, many of the services used by their employees in their private lives have already been hacked, leaking billions of passwords onto the internet.
For example, over recent years we’ve seen data breaches across:
- 3 billion Yahoo user accounts
- 412 million Adult Friend Finder accounts
- 167 million LinkedIn passwords
- 10 million Dixons Carphone accounts
- 380,000 British Airways payment card details
With 1.7 million employees, the impact of a compromised service such as those above can easily trickle down to the NHS. Attackers can break into other systems using the billions of passwords leaked in previous data breaches. Unfortunately, the NHS password policy example does nothing to address vulnerabilities such as password reuse or weak passwords.
How current NHS password policy works – and how it could be improved
Looking at this current NHS password policy example (Password Guidance for Health and Care Organisations):
- Unique passwords shall be created, and used by individuals for each system to which they require access (these will be created under the direction of the relevant system administrators as systems may have differing requirements).
- As a best practice guide, passwords should be created in the following format:
  - A minimum of 8 characters long.
  - Not contain a dictionary word of more than 4 characters.
  - Contain at least two uppercase letters.
  - Contain at least two lower case letters.
  - Contain at least 2 numbers.
  - Contain at least two special characters or non-alphanumeric characters, such as: ! " £ $ % & * @
While these have historically been good tips for creating a strong password, they do nothing to limit password reuse or to blacklist compromised passwords. Hacking attempts today are far more sophisticated, and attackers have moved beyond these outdated NHS guidelines, which only serve to create passwords that are hard for people to remember and easy for a computer to guess. The Password Strength comic from xkcd explains this well.
Ultimately this type of password policy results in passwords that meet all of the requirements, but are still weak – as a result of not being random. When people try to follow complexity requirements they rely on common character substitutions and fall into predictable patterns, such as adding a number to the end of their password.
With the potential of a single data breach to open the door to other systems, the NHS needs to stop users from using such vulnerable passwords. It is time to move away from policies that encourage users to create passwords that appear to be strong, but in fact are included in leaked lists.
Common examples of security risks that could have an impact on the NHS include:
Password attacks are successful because they take advantage of the weakest link: the human. A common method, the dictionary attack, tries every entry from a database of likely passwords in turn. That database is composed of common names and words, popular keyboard patterns and character substitutions (P@ssw0rd2018!), and lists of leaked passwords that are available online. While the NHS does recommend blocking actual dictionary words longer than 4 characters, it makes no mention of preventing known-vulnerable passwords from being used in the NHS in the first place.
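To make the gap concrete, here is an added example (not code from the original post or from any NHS tool) that applies the NHS format rules quoted above to a candidate password and then runs the blacklist check the page recommends, normalising common character substitutions and trailing-digit patterns before the lookup. The dictionary, the leaked list and the candidate "P@sSw0rd2018!" (the page's "P@ssw0rd2018!" with a second capital so that it satisfies the two-uppercase rule) are constructed for illustration.

```python
import re

# Constructed stand-ins for a dictionary and a leaked-password blacklist
# (a real deployment would load a breach list with millions of entries).
DICTIONARY = {"password", "welcome", "summer", "hospital"}
LEAKED = {"password", "passw0rd", "qwerty123", "letmein", "welcome1", "nhs2018"}

# Common character substitutions people use to satisfy complexity rules.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "7": "t", "|": "l"})


def meets_nhs_format(pw: str) -> bool:
    """The NHS format rules quoted above: 8+ chars, no dictionary word longer
    than 4 characters, and at least two each of upper, lower, digit, special."""
    lowered = pw.lower()
    if any(w in lowered for w in DICTIONARY if len(w) > 4):
        return False
    return (len(pw) >= 8
            and sum(c.isupper() for c in pw) >= 2
            and sum(c.islower() for c in pw) >= 2
            and sum(c.isdigit() for c in pw) >= 2
            and sum(not c.isalnum() for c in pw) >= 2)


def normalize(pw: str) -> str:
    """Undo the predictable patterns the page describes: strip a trailing run
    of digits/symbols (e.g. '2018!') and reverse the leet substitutions."""
    stripped = re.sub(r"[^A-Za-z]+$", "", pw) or pw
    return stripped.lower().translate(LEET)


def is_blacklisted(pw: str) -> bool:
    """Reject the password if it, its lower-cased form, or its normalized
    base form appears in the leaked list."""
    return pw in LEAKED or pw.lower() in LEAKED or normalize(pw) in LEAKED


def check_password(pw: str) -> dict:
    """Combine both checks; a password is accepted only if it passes both."""
    fmt, black = meets_nhs_format(pw), is_blacklisted(pw)
    return {"meets_format": fmt, "blacklisted": black, "accepted": fmt and not black}


if __name__ == "__main__":
    # 'P@sSw0rd2018!' satisfies every NHS format rule yet normalizes to
    # 'password', so the blacklist rejects it; the format rules alone would not.
    for candidate in ["P@sSw0rd2018!", "P@ssw0rd2018!", "correct-horse-battery"]:
        print(candidate, check_password(candidate))
```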
Another common password attack also takes advantage of the leaked password lists online. Credential stuffing is an automated attack in which stolen username and password combinations are replayed against the login process of various websites in an effort to break in. With a success rate of up to 2%, credential stuffers account for more than 90% of all login traffic on many of the world's largest websites, and for a spate of second-hand data breaches.
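As an added example from the defender's side (not code from the original post), the following screens an authentication log for the pattern credential stuffing leaves behind: one source address trying many different usernames with a high failure rate, which a single user who has forgotten their password does not produce. The log format, addresses (documentation ranges) and usernames are constructed, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (documentation IP ranges, made-up users).
SAMPLE_LOG = """\
2018-12-06T09:15:01Z src=203.0.113.7 user=a.smith result=FAIL
2018-12-06T09:15:02Z src=203.0.113.7 user=b.jones result=FAIL
2018-12-06T09:15:02Z src=203.0.113.7 user=c.patel result=FAIL
2018-12-06T09:15:03Z src=203.0.113.7 user=d.khan result=FAIL
2018-12-06T09:15:03Z src=203.0.113.7 user=e.brown result=OK
2018-12-06T09:15:04Z src=203.0.113.7 user=f.evans result=FAIL
2018-12-06T09:20:10Z src=198.51.100.23 user=g.hughes result=FAIL
2018-12-06T09:20:30Z src=198.51.100.23 user=g.hughes result=OK
2018-12-06T09:31:00Z src=198.51.100.40 user=h.lee result=FAIL
2018-12-06T09:31:05Z src=198.51.100.40 user=h.lee result=FAIL
2018-12-06T09:31:09Z src=198.51.100.40 user=h.lee result=FAIL
2018-12-06T09:31:15Z src=198.51.100.40 user=h.lee result=FAIL
2018-12-06T09:31:20Z src=198.51.100.40 user=h.lee result=FAIL
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

def parse_log(text):
    """Yield (src_ip, user, succeeded) for every line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["user"], m["result"] == "OK"

def per_source_stats(events):
    """Aggregate attempts, distinct usernames and failures per source address."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "failures": 0})
    for src, user, ok in events:
        s = stats[src]
        s["attempts"] += 1
        s["users"].add(user)
        s["failures"] += 0 if ok else 1
    return stats

def flag_credential_stuffing(text, min_attempts=5, min_users=4, min_fail_ratio=0.8):
    """Sources trying many different usernames with mostly failures look like
    stuffing; one user failing repeatedly (forgotten password) does not."""
    flagged = []
    for src, s in per_source_stats(parse_log(text)).items():
        ratio = s["failures"] / s["attempts"]
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged.append(src)
    return sorted(flagged)
```

Note that the stuffing source still records one success, matching the low hit rate the paragraph describes, so a detector keyed on failures alone would miss the account that was actually compromised.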
Improving by blocking weak passwords
A quick win for the NHS would be to block weak passwords altogether. By preventing predictable password behavior, this approach goes a long way to protecting the 1.7 million employees, and the sensitive data they hold. It can also help users cope with password overload as it takes the burden off the user, and places it on the authentication system. As always, changes are most effective alongside end-user training – users need to understand the why so they can make better choices.
Does your password policy align with best security practices? Try out our free 5 minute scan to see if your password policy is keeping sensitive data safe.