Organization: East Ayrshire Council
Goal: Enforce stronger passwords with a customized dictionary list
Result: Stronger password policies customized for different roles in the organization, without compromising the user experience.
Solution: Specops Password Policy
In 2017 East Ayrshire Council conducted an audit that revealed weak password use among its 6,000 Council employees. In order to block common and vulnerable passwords, the Council implemented Specops Password Policy to enforce stronger passwords and customize a password dictionary list.
An external audit is performed annually within all Scottish councils. The 2017 audit of East Ayrshire Council showed that many users were using common passwords like Password1, Initial1 and Summer17. They were also selecting easy-to-guess passwords containing the names of local football clubs (Kilmarnock, Celtic, Rangers, etc.). Because of a short password expiration period of 45 days, users were even resorting to adding a number at the end of their existing password in order to satisfy the change requirement.
“We had a problem with weak passwords and the Active Directory password policy settings didn’t allow us to block common words,” says Ian Aston, ICT Security Manager at East Ayrshire Council. “We were familiar with Specops Software and quickly set up a demo to review the Specops Password Policy software.”
In addition to blocking high-probability passwords, the Council wanted to use password expiration without encouraging password reuse and incremental passwords. Support for passphrases was seen as a desirable feature in the password enforcing software. Specops Password Policy met all of the Council’s requirements and was soon implemented.
East Ayrshire Council created a custom list of banned passwords containing the most common passwords and the weak passwords revealed by the audit. Adding this list to the software made it possible to stop all of these words from being chosen when setting a password. They also used the Specops Password Policy feature that stops incremental passwords (the same base password with a changed trailing number).
The implementation was carried out over eight weeks, starting with the IT staff before enabling it for all users. To prepare the council employees for the new password policy, Ian and his team sent an email explaining the new policy, with screenshots of the error messages shown when a user chooses a password on the customized dictionary list.
“We installed the Authentication Client on all of our endpoints so that our users would get the messages should they fail to choose a strong password,” Ian says. “The feature is very helpful, making the implementation process very smooth. We only received a couple of calls to the helpdesk with questions.”
The only user complaint came from the people who had been adding a sequential number to their passwords. Council users span a range of job roles, from support service employees with desk jobs to social workers and others in the field. Specops Password Policy allows different password policies for different roles in an organization.
Now that users are becoming more aware of password security, Ian is looking to enforce passphrases. These longer passwords stand up to brute-force attacks better. Ian would also extend the expiration period so that users would not need to reset their passphrases as frequently.
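The three controls this case study describes, a custom banned-password dictionary, blocking of incremental passwords, and per-role rules with a passphrase option, are sketched below as an added Python example. It is not Specops code and not the Council's actual configuration: the banned list is built only from the words the audit is said to have found, and the role names, length limits and substitution table are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed banned list: the common passwords and football club names the
# audit turned up. A real dictionary would be far larger (leaked-password
# lists plus organisation-specific terms).
BANNED_WORDS = frozenset({"password", "initial", "summer",
                          "kilmarnock", "celtic", "rangers"})

# Reverse the substitutions users apply to slip a banned word past an
# exact-match check (P@ssw0rd -> password). Illustrative table, not complete.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


@dataclass(frozen=True)
class Policy:
    """Per-role rules. Values are hypothetical, not the Council's settings."""
    min_length: int
    min_words: int = 1   # > 1 means a multi-word passphrase is required


# Hypothetical roles; the page only says that policies differ by role.
POLICIES = {
    "desk": Policy(min_length=12),
    "field": Policy(min_length=10),
    "admin": Policy(min_length=16, min_words=3),
}


def normalize(password: str) -> str:
    """Lowercase and undo common character substitutions."""
    return password.lower().translate(_LEET)


def banned_word_in(password: str, banned=BANNED_WORDS) -> Optional[str]:
    """Return the first banned word found inside the normalized password.

    Substring matching is deliberate: Password1 and Summer17 must fail even
    though neither equals a dictionary entry exactly.
    """
    norm = normalize(password)
    return next((w for w in sorted(banned) if w in norm), None)


def stem(password: str) -> str:
    """Strip trailing digits/symbols so Summer17 and Summer18 share a stem."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def is_incremental(new: str, previous: str) -> bool:
    """True when only the trailing counter changed (the 'add a number' habit)."""
    s_new, s_old = stem(new), stem(previous)
    return bool(s_new) and s_new == s_old and new != previous


def check_password(password: str, role: str,
                   previous: Optional[str] = None) -> List[str]:
    """Evaluate a candidate password against the role's policy.

    Returns the list of violations; an empty list means the password is
    accepted. Messages are what a client would show the user at change time.
    """
    policy = POLICIES[role]
    problems: List[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.min_words > 1 and len(password.split()) < policy.min_words:
        problems.append(f"passphrase needs at least {policy.min_words} words")
    word = banned_word_in(password)
    if word:
        problems.append(f"contains banned word '{word}'")
    if previous is not None:
        if password == previous:
            problems.append("reuses the previous password")
        elif is_incremental(password, previous):
            problems.append("only the trailing number changed from the previous password")
    return problems


if __name__ == "__main__":
    for candidate, role, prev in [("Summer18", "desk", "Summer17"),
                                  ("P@ssw0rd!2024", "desk", None),
                                  ("correct horse battery staple", "admin", None)]:
        print(candidate, "->", check_password(candidate, role, prev) or "accepted")
```

The normalization step is what makes the dictionary useful in practice: without it, users learn within a day that `P@ssw0rd1` passes while `Password1` does not. The stem comparison needs the previous password (or its stem) to be available at change time, which is why this kind of check runs where the change is processed rather than on a stored hash alone.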
For the passphrase rollout, Ian is planning user communication in the form of end-user security training, emails and desktop alerts. Training is underway to give users suggestions on how to come up with a secure passphrase that is easy to remember but hard to crack.
The Council is now evaluating other products from Specops Software to improve the self-service password reset experience as well.