Cyber Essentials’ Password-Based Authentication Requirements

Cyber Essentials revised its password-based authentication requirements in 2022 in response to the ever-changing threat landscape. The changes highlight a shift towards tighter technical controls and away from user reliance. You’ll need to configure protection against brute-force attacks, implement technical controls to manage password quality and provide support to users around the password process.

Read on to learn how this can be implemented and additional ways to strengthen your defense against password-related attacks.

Protect Against Brute-Force Password Guessing

Brute-force hacking attempts come in many shapes and sizes and are popular due to the relative ease of carrying them out. To limit the effectiveness of these attacks, the requirements state that at least one of the following countermeasures should be implemented:

  • Using multi-factor authentication (MFA)
  • ‘Throttling’ the rate of attempts. This means the time the user must wait between attempts increases with each unsuccessful attempt.
  • Allowing no more than 10 guesses in five minutes.
  • Locking accounts after no more than 10 unsuccessful attempts

MFA is a no-brainer; when and where it is available, it should be implemented as a priority as it builds up multiple walls of defense. It’s advisable to utilize lockout rules alongside MFA rather than instead of it. Be mindful that user lockouts can become a burden on the helpdesk or a potential route for an attack (for example, against service accounts), so solutions such as self-service password resets should be considered to alleviate this.
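The throttling and "10 guesses in five minutes" countermeasures listed above can be combined in one per-account guard. The sketch below is an added example, not code from Cyber Essentials or any vendor; the class name `LoginGuard`, the in-memory state and the `BASE_DELAY` and `MAX_DELAY` values are assumptions. Because the wait always expires, a flood of bad guesses delays an account rather than locking it for good.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60  # "five minutes" in the requirement
MAX_GUESSES = 10         # "no more than 10 guesses"
BASE_DELAY = 1.0         # assumption: wait after the first failure, in seconds
MAX_DELAY = 60.0         # assumption: ceiling on the throttle delay


class LoginGuard:
    """Per-account throttling plus a 10-failures-in-5-minutes ceiling."""

    def __init__(self):
        self._recent = defaultdict(deque)  # account -> times of recent failures
        self._streak = defaultdict(int)    # account -> consecutive failures

    def retry_after(self, account, now):
        """Seconds until the next guess is accepted (0.0 means go ahead)."""
        recent = self._recent[account]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()  # forget failures older than the window
        wait = 0.0
        if len(recent) >= MAX_GUESSES:
            # Window is full: wait until the oldest failure ages out.
            wait = recent[0] + WINDOW_SECONDS - now
        if recent and self._streak[account]:
            # Throttle: the delay doubles with each consecutive failure.
            delay = min(BASE_DELAY * 2 ** (self._streak[account] - 1), MAX_DELAY)
            wait = max(wait, recent[-1] + delay - now)
        return max(wait, 0.0)

    def attempt(self, account, now, password_ok):
        """Return 'blocked', 'ok' or 'denied' for one login attempt."""
        if self.retry_after(account, now) > 0:
            return "blocked"  # refused without evaluating the password
        if password_ok:
            self._streak[account] = 0  # success resets the throttle only
            return "ok"
        self._recent[account].append(now)
        self._streak[account] += 1
        return "denied"
```

A successful login resets the throttle but not the five-minute window, so failures interleaved with legitimate logins still hit the 10-guess ceiling.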

Using Technical Controls to Manage Password Quality

Technical controls are essential to ensure that strong passwords and authentication measures are in place, removing the burden from the user.

The requirements state that at least one of the following should be implemented:

  • MFA
  • Minimum password length of at least 12 characters, with no maximum length restrictions
  • Minimum password length of at least eight characters, with no maximum length restrictions, and automatic blocking of common passwords using a deny list

The perfect scenario here would be to implement MFA alongside a longer password of 15 characters (activating a secure hashing algorithm) and using a deny list to block compromised passwords. As 52% of users reuse their passwords across accounts, the ability to ensure that the password hasn’t been compromised elsewhere bolsters the first line of defense.

User Support with Unique Passwords

Users reuse passwords, passwords become compromised and networks get hacked. Therefore, the need for unique passwords across accounts is obvious (but not always easy for the user to adhere to!). The requirements to support the user are:

  • Educating people on how to avoid common or discoverable passwords, such as their pet’s name, common keyboard patterns or passwords they have used elsewhere. This could include teaching people to use the password generator feature built into some password managers.
  • Encouraging people to choose longer passwords. This can be done by promoting the use of multiple words (a minimum of three) to create a password (e.g., ‘Three Random Words’)
  • Providing usable, secure storage for passwords (for example, a password manager or secure locked cabinet) with clear information about how and when it can be used.
  • Not enforcing regular password expiry
  • Not enforcing password complexity requirements

The NCSC advocates #threerandomwords as an alternative to complexity requirements, helping make passwords longer and more memorable. Due to the number of accounts used today, password managers are becoming an essential part of the cybersecurity toolkit (see NCSC guidance). Reward users with longer expiry durations when they set stronger passwords and consider third-party tools that can incorporate length-based password aging.

Changing Compromised Passwords

The new requirements state that there needs to be “an established process to change passwords promptly if the applicant knows it has been compromised.” The issue is we rarely know if it’s been compromised until it’s too late! Therefore, it’s recommended to frequently audit for compromised passwords and use third-party solutions for blocking compromised passwords at the point of creation for the best protection.
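The password-quality options listed earlier and the advice here to block compromised passwords at the point of creation come down to one check when a password is set. The sketch below is an added example, not part of the original article or any vendor tool; the names `PasswordPolicy`, `satisfied_option` and `rejection_reasons`, the case-insensitive matching and the three-entry deny list are assumptions.

```python
import unicodedata
from dataclasses import dataclass
from typing import Optional


def normalise(password):
    """Fold case and Unicode form so 'PassWord1' matches 'password1' (assumption)."""
    return unicodedata.normalize("NFKC", password).casefold()


@dataclass(frozen=True)
class PasswordPolicy:
    mfa_enforced: bool = False
    min_length: int = 8
    max_length: Optional[int] = None    # None means no maximum length
    deny_list: frozenset = frozenset()  # entries stored already normalised


def satisfied_option(policy):
    """Name the password-quality option the policy meets, or None."""
    if policy.mfa_enforced:
        return "mfa"
    if policy.max_length is not None:
        return None  # both length options require no maximum
    if policy.min_length >= 12:
        return "min-12"
    if policy.min_length >= 8 and policy.deny_list:
        return "min-8-with-deny-list"
    return None


def rejection_reasons(policy, candidate):
    """Reasons to refuse a new password; an empty list means accept it."""
    reasons = []  # deliberately no character-class (complexity) rules
    if len(candidate) < policy.min_length:
        reasons.append("too short")
    if policy.max_length is not None and len(candidate) > policy.max_length:
        reasons.append("too long")
    if normalise(candidate) in policy.deny_list:
        reasons.append("on deny list")
    return reasons


# Constructed sample deny list; a real one is built from a breach corpus.
SAMPLE_DENY = frozenset(normalise(p) for p in ("password1", "qwertyuiop", "letmein123"))
POLICY = PasswordPolicy(min_length=8, deny_list=SAMPLE_DENY)
```

Running `satisfied_option` over each system's configured policy gives a quick view of which systems rely on length alone and which depend on the deny list being populated.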

Next Steps

The changes to the password-based authentication requirements are a positive step forward. However, be mindful that in instances where only one measure is required, adding a further measure will exponentially improve your defense against password attacks.

Compromised passwords exist in your environment. Regardless of whether you are looking to become Cyber Essentials certified, eliminating them is critical. A useful FREE tool is Password Auditor. It will highlight any compromised passwords against a list of over 1 billion and identify other password vulnerabilities in your network to give you a starting point and scale of the problem.

If you want to become Cyber Essentials certified, you can register with the assessment body IASME. If you require assistance with your password security requirements, such as a true fine-grained password policy, length-based aging or blocking compromised passwords, request a free trial or speak to one of our experts at Specops.
