What is the NCSC guidance on password managers?

(Last updated on July 2, 2021)

To keep our accounts secure across the multiple services that we use, we need to choose strong passwords that are unique for each account or service. Yet, 52% of people reuse the same password for multiple accounts.  

Remembering multiple strong passwords for perhaps dozens of accounts is challenging, but can be solved with a password manager. The National Cyber Security Centre (NCSC), the UK’s cyber security authority, recommends the use of password managers for consumers and businesses.   

The NCSC provides the following guidance on securing your password manager:

  • Use multi-factor authentication (MFA) on the password manager account
  • Apply security updates and keep your password manager up to date
  • Use a strong master password, preferably a passphrase made of three random words

For system owners, the NCSC provides a buyer’s guide to enterprise password managers. The guide includes considerations for security features and Active Directory integration.

Active Directory integration 

A common implementation for businesses is to integrate Active Directory with their password manager. This allows for seamless onboarding and offboarding as administrators can utilize existing Active Directory functionality to grant and remove access.  

The other piece of the integration is to use the Active Directory password as the master password. Many organizations choose this path so that they can enforce additional security measures on that master password.

If you’re using an enterprise password manager today, you can use Specops Password Policy to enforce the following measures on the master password.  

  • Prevent the use of over 2 billion leaked passwords 
  • Block the use of any word relevant to your organization via a custom dictionary 
  • Block Active Directory usernames, incremental passwords, display names, consecutive characters and more 
  • Dynamic feedback on password change and friendly end-user messaging 

With Specops Password Policy, you can easily enforce compliance requirements, block dictionary words, and help users create stronger passwords. Specops Password Policy extends the functionality of Group Policy, and simplifies the management of fine-grained password policies. The solution can target any GPO level, group, user, or computer with dictionary and passphrase settings. Together with Breached Password Protection, you can also block the use of over 2 billion compromised passwords. 
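As an added illustration of the kinds of master-password checks listed above (example code written for this page, not Specops' or the NCSC's own implementation), the following Python evaluator runs a candidate password against a breached-hash set, a custom organisational dictionary, Active Directory identity tokens, an incremental-change check, a consecutive-character check, and the three-random-words guidance. The breached hashes, the dictionary words, the account names and the 12-character floor are all constructed assumptions for this example.

```python
import hashlib
import re

# Constructed sample data for this example: not a real breached list,
# not a real organisational dictionary, not real directory accounts.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password123", "Summer2021!", "qwerty")
}
CUSTOM_DICTIONARY = {"specops", "acme", "widget"}  # assumed org-specific words


def _has_consecutive_chars(pw: str, run: int = 3) -> bool:
    """Flag repeated characters ('aaa') or sequential runs ('abc', '123', 'cba')."""
    lower = pw.lower()
    for i in range(len(lower) - run + 1):
        chunk = lower[i:i + run]
        if len(set(chunk)) == 1:
            return True
        deltas = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if deltas in ({1}, {-1}):
            return True
    return False


def _is_incremental(pw: str, previous: str) -> bool:
    """Detect 'Winter2020' -> 'Winter2021' style changes: same stem, only trailing digits differ."""
    if not previous:
        return False
    strip = lambda s: re.sub(r"\d+$", "", s.lower())
    return strip(pw) == strip(previous)


def _contains_identity_token(pw: str, username: str, display_name: str, min_len: int = 3) -> bool:
    """Block the account name and each part of the display name (tokens of min_len or longer)."""
    lower = pw.lower()
    tokens = [username] + re.split(r"[\s.\-_]+", display_name)
    return any(t and len(t) >= min_len and t.lower() in lower for t in tokens)


def evaluate_master_password(pw: str, username: str, display_name: str, previous: str = "") -> list:
    """Return the list of violated rules, in fixed order; an empty list means the password passes."""
    violations = []
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        violations.append("breached")
    if any(w in pw.lower() for w in CUSTOM_DICTIONARY):
        violations.append("custom_dictionary")
    if _contains_identity_token(pw, username, display_name):
        violations.append("identity_token")
    if _is_incremental(pw, previous):
        violations.append("incremental")
    if _has_consecutive_chars(pw):
        violations.append("consecutive_chars")
    # NCSC three-random-words guidance: accept passphrases of three or more words;
    # the 12-character floor for anything shorter is an assumption for this example.
    words = [w for w in re.split(r"[\s\-]+", pw) if w]
    if len(words) < 3 and len(pw) < 12:
        violations.append("too_short")
    return violations


if __name__ == "__main__":
    for candidate in ("Password123", "Winter2021", "acme-Bob-2022", "correct horse battery staple"):
        print(candidate, "->", evaluate_master_password(candidate, "bob.smith", "Bob Smith", previous="Winter2020"))
```

The evaluator returns every violated rule rather than stopping at the first, which is what the dynamic feedback described above needs: the user can be told all the reasons a candidate was rejected in one message. In a real deployment the breached-password check would not ship a plaintext list; the SHA-1 set here only stands in for that lookup.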

Screenshot: Specops Breached Password Protection

Learn more about Specops Password Policy and download a free trial.  



Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.
