Organization: The Clatterbridge Cancer NHS Foundation Trust
Country: United Kingdom
Goal: Enforce longer and stronger passwords
Result: Seamless rollout to over 2,400 staff members
Following a penetration test that revealed a significant percentage of passwords could easily be cracked by attackers, the IT security team at Clatterbridge Cancer Centre turned to Specops Password Policy to enforce stronger passwords.
Andy Kilbane, Digital Systems Security Specialist at Clatterbridge Cancer Centre, explained that a recent internal penetration test revealed significant gaps in the complexity enforcement of Microsoft’s default domain password policy: “We were able to crack a very high percentage of our passwords in under 3 seconds. Obviously, we then knew our password policy wasn’t complex enough. ‘Password1’, as far as the Microsoft password policy was concerned, was a complex password.”
To uncover the full extent of the password problem and mitigate other password-related vulnerabilities, the Trust used the free Specops Password Auditor tool to identify compromised passwords, stale accounts and accounts with no password expiration, and used its executive summary feature to communicate the problem to the board.
The decision was made to enforce longer passwords along with passphrases, without compromising usability for users or the IT team. Andy explains, “We went out and looked at some other products and Specops Password Policy just looked like the easiest one to use. It didn’t seem like it would be something that you’d have to babysit a lot. It was just set it up, and let it go.”
For the end-users, who are typically resistant to change, Andrew turned to the length-based password aging feature to reward users who choose longer passwords. This feature correlates the password expiration period with the length of the password – the longer the password, the longer the expiration period.
The end-user client messaging, with real-time dynamic feedback, was also used to improve the user experience. “When people did change their password, they would get the user interface to tell them what their password needs to be set as,” says Andy. “We found that was really useful as well, helping users pick new passwords, and that by picking longer passwords or passphrases they could have a longer expiry time,” he adds.
When deployed alongside Specops Breached Password Protection, this feature gives the end user dynamic feedback highlighting which rules have not yet been fulfilled, as well as whether the password they are attempting to choose is a known compromised one.
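To make the mechanism described above concrete, the following is an added example (not Specops' code, and not something the Trust published) of a policy evaluator that returns the list of unmet rules for feedback, rejects passwords found in a breached-password list, and assigns a length-based expiry period. The minimum length, the passphrase threshold at which character-class rules are waived, the expiry tiers, and the three entries in the breached list are all assumed values constructed for this example.

```python
import hashlib
import re

# Assumed policy parameters (illustrative, not Specops' real defaults).
MIN_LENGTH = 12          # shortest password the policy will accept
PASSPHRASE_LENGTH = 20   # at this length, character-class rules are waived
# Length-based aging: (minimum length, lifetime in days), longest tier first.
EXPIRY_TIERS = [(20, 365), (16, 180), (12, 90)]

# Constructed stand-in for a breached-password list. A real deployment would
# hold many millions of hashes; SHA-1 is used here only because that is the
# common interchange format for such lists, not as a password-storage hash.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("Password1", "Welcome123", "Summer2023!")
}

CHARACTER_CLASSES = {
    "lowercase letter": re.compile(r"[a-z]"),
    "uppercase letter": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def is_breached(password):
    """True if the password's SHA-1 appears in the constructed breached list."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return digest in BREACHED_SHA1


def unmet_rules(password):
    """Return human-readable descriptions of every rule the password fails.

    An empty list means the password is acceptable. Listing all failures at
    once is what lets a client show live feedback as the user types.
    """
    unmet = []
    if len(password) < MIN_LENGTH:
        unmet.append("at least %d characters" % MIN_LENGTH)
    # Passphrases are long enough that character-class rules add little;
    # below the passphrase threshold, require three of the four classes.
    if len(password) < PASSPHRASE_LENGTH:
        missing = [name for name, rx in CHARACTER_CLASSES.items()
                   if not rx.search(password)]
        if len(missing) > 1:
            unmet.append("at least three character classes (missing: "
                         + ", ".join(missing) + ")")
    if is_breached(password):
        unmet.append("not on the breached-password list")
    return unmet


def expiry_days(password):
    """Lifetime granted by length-based aging; 0 if below the minimum length."""
    for min_len, days in EXPIRY_TIERS:
        if len(password) >= min_len:
            return days
    return 0


def evaluate(password):
    """Evaluate a candidate password.

    Returns (accepted, feedback, expiry_days). A rejected password gets an
    expiry of 0 because it will never be set.
    """
    feedback = unmet_rules(password)
    accepted = not feedback
    return accepted, feedback, expiry_days(password) if accepted else 0


if __name__ == "__main__":
    for candidate in ("Password1", "clatterbridge1",
                      "Tr0ub4dor&3xtra1", "correct horse battery staple"):
        accepted, feedback, days = evaluate(candidate)
        print("%-30s accepted=%s expiry=%d days" % (candidate, accepted, days))
        for rule in feedback:
            print("    needs:", rule)
```

Run as a script, the block shows that "Password1" (the example from the penetration test) fails on both length and the breached list even though it satisfies three character classes, a 16-character mixed password earns a 180-day lifetime, and a 28-character passphrase with no uppercase, digits or symbols is accepted with a 365-day lifetime.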
When we asked Andy whether he would recommend Specops Password Policy, he said, “It has definitely helped with our password vulnerability. The roll-out was great and support has always been brilliant. The option for users to choose between password and passphrase, I can’t see why any organisation wouldn’t want that flexibility. It just doesn’t go wrong, it works and is nice hassle-free software.”