Easy to Implement Measures for Improved Password Security
- Posted by Vicky Silver
- Categories Cyber Security
- Date 01/11/2023
For many years, regular password change has been held up as the best-practice approach to password security, on the reasoning that if passwords are changed frequently, an attacker who has discovered one has less time in which to exploit it. In practice, however, this approach can increase the likelihood of passwords and accounts being compromised, because users respond to forced changes in predictable ways.
Flawed Password Policies
In many organisations, it is policy for employees and/or users to regularly come up with new passwords (perhaps every 30, 60 or 90 days). Individuals are also advised to choose a different password for each system they access, and to make these passwords highly complex. Usually, they will be advised to set their password as a random string of letters, numbers and special characters.
Remembering multiple passwords made up of meaningless strings of characters that change frequently is, of course, almost impossible. As a result of these overly stringent policies, users will often write their passwords down (making them more susceptible to theft or compromise), or disregard some of the rules. For example, a user may make a password as simple as the policy allows, or derive each new password from the previous one (typically by incrementing a number at the end), patterns that cyber criminals can take advantage of.
NCSC Guidance
The National Cyber Security Centre provides clear advice and guidance around passwords. Some of their key suggestions are:
Educate your staff:
- Emphasise the risks associated with re-using passwords across home and work accounts
- Help users to select difficult to guess passwords
- Provide guidance on the prioritisation of high-value accounts
- Make your training applicable to users’ work and personal lives.
Reduce password reliance:
- Consider alternative means such as single sign-on (SSO), hardware or biometric solutions
- Use two-factor authentication (2FA) or multi-factor authentication (MFA) for important accounts and Internet-facing systems
Implement technical solutions:
- Lock users out of their account after a succession of (5-10) failed attempts, to defeat online brute-force attacks
- Introduce ‘password blacklisting’ (a deny list) to prevent common passwords from being used
- Use application programming interface (API) throttling to defend against brute-force attacks.
If you must use a password:
- Consider using three random words, such as blueduckegg or 5blue!duck-egg
- Use built in password generators when using password managers
- Avoid complexity requirements and passwords that are too short
- Don’t cap the maximum password length.
Our Advice
We at URM recommend that, rather than relying on passwords alone to maintain security, you consider technological solutions wherever possible, such as SSO and 2FA/MFA, as these are much more effective at protecting users’ accounts against attackers. Biometrics, hardware tokens and password managers also help to reduce password reliance. Bear in mind that SSO concentrates access behind a single credential, so the SSO account itself must be protected with MFA.
Password blacklists (deny lists), which prevent users from choosing common or easily guessed passwords such as password, qwertyuiop, 12345, etc., also mitigate the risk of passwords being guessed. You should also consider a lockout or timeout following too many incorrect password entries, with an alert to system administrators when repeated unsuccessful login attempts are made. Note that a hard lockout can be turned against you: an attacker who can trigger it at will can lock legitimate users out of their accounts, so throttling (an increasing delay between attempts) is often the better choice.
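The technical measures listed under NCSC Guidance (deny listing, lockout or throttling after a run of failures, a minimum but no maximum length, no complexity rules) and repeated in the advice above can be combined into a small policy module. The block below is an added example and is not code from URM or the NCSC; its deny list is a constructed handful of entries standing in for a real breached-password list, and its thresholds (8-character minimum, throttling after 5 failures, an administrator alert after 10) are illustrative assumptions rather than figures from the article.

```python
"""Password deny-listing and login throttling along the lines of the NCSC
guidance summarised above.  Added example, not code from URM or the NCSC.
The deny list is a constructed sample and the thresholds are assumptions."""

import hmac
import time

# Constructed sample; a real deployment loads a large breached-password list.
DENY_LIST = {
    "password", "password1", "qwerty", "qwertyuiop", "12345", "123456",
    "12345678", "letmein", "welcome", "admin",
}
MIN_LENGTH = 8  # assumed minimum; deliberately no maximum

_FOLD = str.maketrans("@0134$5!", "aoieassi")  # P@ssw0rd -> password
_DIGITS = "0123456789"


def _variants(pw: str) -> set[str]:
    """Forms of the password compared with the deny list: lower-cased, with
    trailing digits removed (Welcome2024 -> welcome), and with common
    symbol-for-letter substitutions folded back to letters."""
    lower = pw.lower()
    stripped = lower.rstrip(_DIGITS)
    return {lower, stripped, lower.translate(_FOLD), stripped.translate(_FOLD)}


def check_password(pw: str, context: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Following the guidance above there is no maximum length and no
    'must contain a digit/symbol/capital' rule.  `context` carries strings
    that must not appear in the password, such as the username."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if _variants(pw) & DENY_LIST:
        reasons.append("on the common-password deny list")
    if len(set(pw)) == 1:
        reasons.append("single repeated character")
    for item in context:
        if item and item.lower() in pw.lower():
            reasons.append(f"contains '{item}'")
    return reasons


class LoginThrottle:
    """Per-account throttling of failed logins.  A hard lockout lets an
    attacker deny service to a user by guessing wrongly on purpose, so here
    the wait before the next attempt doubles after THROTTLE_AFTER failures
    (capped at MAX_DELAY); ALERT_AFTER failures flags the account for
    administrators.  A successful login resets the count.  The clock is
    injectable so the behaviour can be tested without sleeping."""

    THROTTLE_AFTER = 5    # assumption
    ALERT_AFTER = 10      # assumption
    BASE_DELAY = 1.0      # seconds
    MAX_DELAY = 15 * 60

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures: dict[str, int] = {}
        self._next_allowed: dict[str, float] = {}
        self.alerts: list[str] = []

    def failures(self, account: str) -> int:
        return self._failures.get(account, 0)

    def can_attempt(self, account: str) -> bool:
        return self._clock() >= self._next_allowed.get(account, 0.0)

    def record(self, account: str, success: bool) -> None:
        if success:
            self._failures.pop(account, None)
            self._next_allowed.pop(account, None)
            return
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.THROTTLE_AFTER:
            delay = min(self.BASE_DELAY * 2 ** (n - self.THROTTLE_AFTER), self.MAX_DELAY)
            self._next_allowed[account] = self._clock() + delay
        if n == self.ALERT_AFTER:
            self.alerts.append(account)


def attempt_login(throttle: LoginThrottle, account: str, supplied: str, stored: str) -> str:
    """One login attempt: 'throttled' if the account must wait, otherwise
    'ok' or 'failed'.  `stored` stands in for a salted password hash; a
    real system verifies against the hash, never a stored plaintext."""
    if not throttle.can_attempt(account):
        return "throttled"
    ok = hmac.compare_digest(supplied.encode(), stored.encode())
    throttle.record(account, ok)
    return "ok" if ok else "failed"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123", "blueduckegg", "5blue!duck-egg"):
        print(candidate, check_password(candidate) or "accepted")
    th = LoginThrottle(clock=lambda: 0.0)
    print([attempt_login(th, "alice", f"guess{i}", "blueduckegg") for i in range(6)])
```

The folding step is what makes a deny list useful in practice: without it, users meet the list with P@ssw0rd1 and the control is defeated. The throttle keys on the account name, so a credential-stuffing campaign spread across many accounts still needs the API-level throttling mentioned in the NCSC list as well.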
There are also measures you can take at a personnel level to decrease the likelihood of your employees having their passwords compromised. For example, you should regularly train and educate your staff to make sure they understand that easy-to-guess, short or recycled passwords are risky and can lead to their accounts being hacked or otherwise compromised. This will ensure that they are aware not only of the measures they can take to keep their accounts secure, but also of their responsibility to take reasonable precautions against password compromise in their digital practices.