Organization: Greater Manchester West Mental Health NHS Foundation Trust
Country: United Kingdom
Goal: Cyber Essentials Plus accreditation by addressing weak passwords
Result: Password blacklisting and customized dictionary list to remove poor passwords.
Solution: Specops Password Policy
Weak passwords were stopping the Greater Manchester West Mental Health NHS Foundation Trust from achieving Cyber Essentials Plus accreditation. The Trust needed to blacklist weak passwords in order to show their commitment to cybersecurity. With Specops Password Policy the Trust was able to achieve their goal of blocking weak passwords while enjoying the added benefit of multiple policies and clear end-user feedback.
Andre de Araujo, head of ICT at the Greater Manchester West Mental Health NHS Foundation Trust, was tasked with addressing the Trust’s issues with weak passwords. The Trust was using Active Directory fine-grained password policies, but those enforce only length and complexity rules and cannot block dictionary words, so hundreds of very weak passwords remained in use.
“We ran a script to look for hashes that could be cracked,” Andre says. “We had hundreds of users with passwords that included the day of the week, month or even the word password, often with a number at the end or an exclamation point. It was interesting to see how many people follow the same patterns, resulting in easy-to-guess passwords.”
The Trust has about 6,000 staff members, including office workers, homecare helpers, cleaning staff and many others. Everyone needs to log in to a computer, at a minimum for job training or to access email, but familiarity with technology and cybersecurity differs greatly between the user groups.
To evaluate Specops Password Policy and the Password Blacklist feature, the Trust set up a full proof of concept. The driving force behind testing the solution was to use the blacklist service to stop known weak passwords and to use custom dictionaries for passwords common to the Trust. During the evaluation the Trust saw they could use other features to create a more granular approach to password policies. The ability to set different policies for different user groups was an added benefit, as well as the end-user feedback that shows users why their password fails to meet the requirements.
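The patterns Andre describes (day or month names, the word "password", a trailing digit or exclamation mark) and the blacklist-plus-custom-dictionary approach the Trust tested are easy to reason about with a small checker. The block below is an added example and is not Specops code or the Trust's own script: it normalizes a candidate password (lowercase, strip the digit/punctuation suffix and prefix, undo common letter substitutions) before comparing it against a global weak-password list, day and month names, and an organisation-specific dictionary. All word lists, the `MIN_LENGTH` value and the `SAMPLE_CRACKED` passwords are constructed assumptions for illustration; a real deployment loads a breached-password corpus of millions of entries and the organisation's own list from files.

```python
"""Dictionary-aware password blacklist check (added example, not Specops code)."""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample of globally weak passwords (assumption; real lists are huge).
GLOBAL_BLACKLIST = {"password", "welcome", "letmein", "qwerty", "iloveyou", "admin"}

# Constructed organisation-specific words (assumption; not the Trust's real list).
CUSTOM_DICTIONARY = {"nhs", "manchester", "trust", "hospital", "ward"}

DAYS = {"monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}

# Common substitutions undone before matching, so "P@ssw0rd" compares as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

MIN_LENGTH = 8  # assumed policy value; the page does not state the Trust's minimum

_TRAILING = re.compile(r"[\d!?.#*_-]+$")   # "Password1!" -> "Password"
_LEADING = re.compile(r"^[\d!?.#*_-]+")    # "!Monday" -> "Monday"


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word a user most likely started from."""
    core = password.lower()
    core = _TRAILING.sub("", core)
    core = _LEADING.sub("", core)
    return core.translate(LEET)


def check_password(password: str) -> tuple[bool, str, str]:
    """Return (accepted, category, matched_word).

    The category is the feedback a user would see; matched_word names the
    dictionary entry that caused the rejection (empty when none applies).
    """
    if len(password) < MIN_LENGTH:
        return False, "too short", ""
    core = normalize(password)
    if not core:
        return False, "digits and punctuation only", ""
    if core in GLOBAL_BLACKLIST:
        return False, "known weak password", core
    if core in DAYS or core in MONTHS:
        return False, "day or month name", core
    if core in CUSTOM_DICTIONARY:
        return False, "organisation word", core
    # Partial matching: an organisation word embedded in a longer password.
    # Words shorter than four characters are only matched exactly, to limit
    # false positives on short acronyms such as "nhs".
    for word in CUSTOM_DICTIONARY:
        if len(word) >= 4 and word in core:
            return False, "organisation word", word
    return True, "accepted", ""


def audit(passwords: list[str]) -> Counter:
    """Tally rejection categories across a set of recovered cleartext passwords.

    This is the kind of summary the Trust's hash-cracking audit produced:
    how many users fall into each weak-password pattern.
    """
    tally: Counter = Counter()
    for pw in passwords:
        _, category, _ = check_password(pw)
        tally[category] += 1
    return tally


# Constructed sample of "cracked" passwords (assumption; not the Trust's data).
SAMPLE_CRACKED = [
    "Password1!", "P@ssw0rd2023", "Wednesday2024!", "March2021!",
    "NHSManchester99", "Short1!", "correct horse battery staple",
]

if __name__ == "__main__":
    for pw in SAMPLE_CRACKED:
        print(pw, "->", check_password(pw))
    print(audit(SAMPLE_CRACKED))
```

The normalization step matters more than the size of the word list: without it, "Password1!" and "P@ssw0rd2023" both pass an exact-match blacklist, which is exactly the failure mode Andre's audit found. Substring matching on organisation words catches "NHSManchester99", but keep a minimum word length for it, or short acronyms will reject legitimate passphrases.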
“Specops Password Policy is easy to get up and running and works as promised,” Andre says. “We were supported throughout the proof of concept process and I would gladly recommend the solution to anyone wanting to improve their password security.”
The Cyber Essentials password requirements centre on shifting the burden from users to technical controls. Examples include blacklisting weak and leaked passwords, locking accounts (or throttling) after repeated failed login attempts, and stopping periodic password expiration. It is also important to limit the number of users with privileged access and to make sure those accounts are used only for the tasks that require them.
The latest update to Specops Password Policy can help make Cyber Essentials accreditation possible with length-based password aging. IT administrators can tie the expiration period to the length of a user’s password: the longer the password, the longer it remains valid.