Password Requirements from NCSC & Cyber Essentials

Written by

Cyber-attacks are on the rise in the UK. According to this report, volume of cyber-attacks on UK businesses in Q1 2019 was up 122% year over year. The Cyber Essentials scheme is a UK government certification that provides guidance to help organizations guard against common cyber-attacks. According to the UK government, the Cyber Essentials security controls can prevent around 80% of cyber-attacks. The controls are mandatory for all government contracts that involve handling personal information, and delivering certain information communications technology products.

When it comes to password security, the Cyber Essentials scheme offers clear guidelines. After all, password exploitation remains the leading cause of many data breaches. Password-specific requirements can be found in the Secure Configuration and User Access Control sections of the Cyber Essentials Scheme.

Unlike the Cyber Essentials scheme, the password guidance from the National Cyber Security Centre (NCSC) is advisory in nature. The NCSC was formed to provide a national response to cyber-threats. It remains one of the most respected authorities in cybersecurity and plays an important role in shaping organizational policies. The NCSC’s password guidance, Password policy: updating your approach, is designed to help system owners simplify password policies and lessen the workload on users.

The password advice from NCSC and Cyber Essentials share a common theme: simplify passwords for users and put the burden on the authentication system. Here are some key highlights you should take into consideration when creating password policies:

Password Complexity is Not Required

The NCSC and Cyber Essentials scheme both acknowledge that password complexity requirements encourage poor password choices. When having to recall complex passwords, users resort to predictability – consecutive numbers, repetitions and keyboard patterns. NCSC and Cyber Essentials recommend skipping complexity rules, and focusing on password length.

Consider a basic password with only one lowercase letter. The attacker would have 26 possibilities to guess from A to Z. Now increase the password length to two, the attacker would have to go through 676 possibilities. If you increase the password length to three, there is going to be 17576 possibilities. As you increase the password length, you are making the password exponentially harder to crack.

Expire Passwords Only When Necessary

The NCSC and Cyber Essentials scheme both recommend a password change only when a compromise is known or suspected. Even though periodic changes can prevent indefinite access via compromised credentials, they can have a negative effect on both security and usability. Already dealing with password overload, users are likely to record new passwords via insecure methods which create new vulnerabilities. New passwords also contribute to productivity loss when users forget them and have to contact the service desks.

Before forgoing periodic password changes, you’ll need another system defense in place. Whether it is a monitoring tool or multi-factor authentication, you need a way to detect and prevent unauthorized access. You might also want to consider keeping periodic password changes for privileged accounts and loosening the expiry for regular users.  

Use a Password Blacklist

The NCSC and Cyber Essentials scheme urge organizations to concentrate efforts on technical controls to steer users away from picking common and compromised passwords, such as using a password blacklist. A password blacklist is a list of disallowed passwords consisting of common and compromised passwords. It improves security as it prevents hackers from exploiting weak passwords.

A blacklist can be created from published lists of common passwords. However, neither the NCSC nor Cyber Essentials provide this list to you. Additionally, to stay protected against new threats, organizations will need to continually grow and update their list. A third-party password blacklisting service can simplify the process of managing the list of leaked passwords.

Account Lockouts to Defend Against Brute Force

In a brute force attack, a bot attempts every password combination of words and numbers until they find the password that gives them access to the network. When used against short and simple passwords, the attack is often successful. In recent years, high profile victims have brought these attacks to the forefront. In 2017, Westminster Parliament fell victim to a brute force attack, resulting in the compromise of 90 email accounts. In 2018, the accounts of several members of the Northern Irish Parliament were accessed by brute force attackers.

To protect your organization against brute force attacks, the NCSC and the Cyber Essentials scheme recommend account lockouts – locking accounts after 10 failed login attempts. Since many brute force attacks likely happen in a short period, the Cyber Essentials scheme further suggests limiting the number of guesses to no more than 10 guesses within five minutes. There are times when unsuccessful login attempts are from legitimate users, so it is important that you provide a password recovery method.

Fulfill the Above Requirements & More

Password attacks are an ongoing threat facing organizations. Understanding the above guidance is the first step towards better password security, but what about applying it to your environment? With a password management solution you can enforce compliance requirements, blacklist leaked passwords and help users create stronger passwords.

Specops Password Policy is a full-featured password filtering tool that supports passphrases and includes a password blacklist with more than a billion passwords. The password blacklist is influenced by publicized leaked passwords, and updated on-demand in response to new threats, including the latest collection leak. Once password blacklist is enabled, users will be prompted to change their passwords at next logon if their new password matches a password found in the blacklist. This ensures that all the vulnerable passwords are kept out of your network.

What’s hot on Infosecurity Magazine?