Read on to find out how IT support companies and MSPs can help their organisations develop robust and manageable password policies.
The graphic below shows the estimated time needed to brute force a password with current hardware.
To be effectively secure, passwords should fall within the top two tiers.
An ongoing issue is that the more complex a password is, the harder it is to remember. Given the generally low uptake of password managers, NCSC guidance continues to encourage staff to use three random words as a password instead.
To find out more about passwords go to Guidance | Eastern CRC (ecrcentre.co.uk).
Only use passwords where they are needed and appropriate. Consider alternatives to passwords such as Single Sign On, hardware tokens and biometric solutions. Use MFA where possible for all important accounts and internet facing systems.
Use account lockout or throttling to defend against brute force attacks. If using lockout, allow users between 5 and 10 login attempts before locking the account. Consider security monitoring as an additional defence against brute force attempts. Password blacklisting prevents common, guessable passwords from being used.
Tip 3: Protect all passwords
Ensure that all corporate web apps requiring authentication use HTTPS. Protect any access management systems you manage. Choose services and products that protect passwords using multiple iterations of a salted cryptographic hash function. Protect access to user databases. Prioritise privileged and vulnerable accounts such as administrators, cloud accounts and remote users. Change all default passwords.
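As an added illustration of the lockout, blacklisting and salted-hash points above (example code, not from the original post or NCSC), the following shows a minimal account store using PBKDF2-HMAC-SHA256 with a per-user salt, a constructed blacklist, a minimum length with no upper cap, and a lockout after a fixed number of failed attempts. The blacklist entries, the iteration count and the attempt limit of 5 are assumed values chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed sample blacklist; a real deployment loads a large breached-password list.
COMMON_PASSWORDS = {"password", "password123", "qwerty", "letmein", "123456"}
MIN_LENGTH = 8            # reject passwords that are too short; deliberately no maximum
MAX_ATTEMPTS = 5          # assumed value, within the 5-10 range in the guidance
PBKDF2_ITERATIONS = 600_000   # many iterations of a salted hash to slow offline cracking


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def password_allowed(password: str) -> bool:
    """Blacklist and minimum-length checks only; no complexity rules, no length cap."""
    return len(password) >= MIN_LENGTH and password.lower() not in COMMON_PASSWORDS


class Account:
    def __init__(self, password: str):
        if not password_allowed(password):
            raise ValueError("password is too short or on the blacklist")
        self.salt, self.digest = hash_password(password)   # only salt + digest are stored
        self.failed_attempts = 0
        self.locked = False

    def login(self, password: str) -> bool:
        """Verify a password; lock the account after MAX_ATTEMPTS consecutive failures."""
        if self.locked:
            return False
        _, candidate = hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.digest):   # constant-time comparison
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked = True   # unlock is left to an admin action or a timed reset
        return False
```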
Users have a whole suite of passwords to manage, not just yours. Allow users to securely store their passwords. Only ask users to change their passwords on indication or suspicion of compromise. Use delegation tools instead of password sharing. Where there’s a pressing business requirement to share passwords, use additional controls to provide the required oversight.
Be aware of the pros and cons of different password generation methods. If password managers are used, encourage use of the built-in password generator. Complexity requirements provide no defence against common attacks and should not be used. Prevent users from setting passwords that are too short, and don't impose an artificial cap on password length.
Emphasise the risks of re-using passwords across work and home accounts. Help users to choose passwords that are difficult to guess. Help users to prioritise their high value accounts. Consider making your training applicable to their personal lives.