East Ayrshire Council blocks weak passwords

Specops helps East Ayrshire Council enforce stronger passwords without compromising the user experience.

East Ayrshire Council

Region: UK & Ireland

Company size: 5,000+

Product(s): Specops Password Policy

Industry: Local Government

Enforcing stronger passwords

East Ayrshire Council is a council area in Scotland, with a population of around 122,000, making it the 16th most populous local authority in the country. When an external audit highlighted that many employees were using potentially insecure passwords, the council turned to Specops for help.

At a glance

6,000: Employees supported

Dynamic: Feedback to encourage strong passwords

Continuous: Scanning against over 5 billion breached passwords

Uncovering weak passwords

An external audit is performed annually within all Scottish councils. The 2017 audit of East Ayrshire Council showed that many employees were using common passwords like Password1, Initial1 and Summer17, or easy-to-guess passwords containing the names of local soccer teams (Kilmarnock, Celtic, Rangers, etc.). Because of a short password expiration period of 45 days, users would often change only a number at the end of their password in order to update it.

“We had a problem with weak passwords and the Active Directory password policy settings didn’t allow us to block common words,” says Ian Aston, ICT Security Manager at East Ayrshire Council.

“We were familiar with Specops Software and quickly set up a demo to review the Specops Password Policy software.”

In addition to blocking high-probability passwords, the Council wanted to use password expiration without encouraging password reuse and incremental changes. Support for passphrases was seen as a desirable feature in the password enforcing software. Specops Password Policy met all of the Council’s requirements and was quickly implemented.

Building a custom dictionary of banned passwords

East Ayrshire Council created a custom banned list of common and weak passwords revealed by the audit. Adding this to the software made it possible to stop all of these words from being chosen when setting a password. Specops Password Policy also allowed the Council to block incremental changes, encouraging users to create unique, secure passwords.

The council is also made up of a large variety of job roles, both in-office and mobile, from support service employees with desk jobs to social workers and others in the field. Specops Password Policy enables robust password policies for every role at every level in an organization, ensuring all users set strong passwords.

The implementation was carried out over eight weeks, starting with the IT staff before enabling it for all users. To prepare the council employees for the new password policy, Ian and his team sent an email explaining the new rules. This included screenshots of the error messages shown when a user attempts to set a password that is on the customized dictionary list.

“We installed the Authentication Client on all of our endpoints so that our users would get the messages should they fail to choose a strong password,” Ian says. “The feature is very helpful, making the implementation process very smooth. We only received a couple of calls to the helpdesk with questions.”

What’s next?

With users more aware of password security, Ian next looked to enforce passphrases, which offer better protection against brute force attacks. Ian would also extend the expiration period so that users would not need to reset their passphrases as frequently.

For the passphrase rollout Ian planned user communication in the form of end user security training, emails and desktop alerts. Training was undertaken to give the users suggestions for how to come up with a secure passphrase that is easy to remember, but hard to crack.

Solution

Specops Password Policy
