The NCSC (National Cyber Security Centre) has published guidance for systems administrators to simplify their approach to passwords. The guidance is not mandatory; it is a set of recommendations for reducing the risk of breaches caused by weak passwords on a company network. It also aims to relieve users of the burden of remembering complex password requirements. At first glance, the NCSC guidance resembles NIST's recommendations, whose general idea is to replace complexity rules with a longer minimum length. In other words, they would rather a user chose a password like "I ate watermelon for breakfast" than "monkey#BUSINESS!57".
For background, the NCSC is part of GCHQ (Government Communications Headquarters), which works alongside the Secret Intelligence Service (MI6) and MI5. The shared goal of the NCSC and GCHQ is to keep people safe.
The NCSC password security guidance begins by explaining how passwords are cracked. According to the NCSC, passwords are compromised through interception, brute force, searching, stealing passwords, manual guessing, shoulder surfing, social engineering and key logging. Each method is described below:
- Interception: A hacker captures a password as it is transmitted across a network.
- Brute Force: A hacker uses software that automatically tries millions of candidate passwords until the correct one is found or the list is exhausted.
- Searching: A hacker searches the IT infrastructure for stored password information.
- Stealing Passwords: A hacker takes advantage of passwords that are stored insecurely, for example written on a notecard next to a computer.
- Manual Guessing: A hacker guesses passwords by hand until the correct one is found, usually drawing on the victim's personal information and on commonly compromised passwords.
- Shoulder Surfing: A hacker watches a user as the password is typed into the computer.
- Social Engineering: A hacker uses tactics that trick a user into revealing their password; a phishing email is a typical example.
- Key Logging: A hacker installs a device that intercepts the password as it is typed into the computer.
Finally, the NCSC provides guidance on how to improve your company's system security. Here are a few key tips for success:
- Blacklist commonly used passwords.
- Monitor failed login attempts and have a procedure in place for reporting any abnormal activity.
- Give priority to the passwords of administrator and remote user accounts.
- Never store passwords in plain text.
- Change default vendor-supplied account passwords before new software is deployed.
- Use account lockout features to prevent brute force password attacks.
Many of these tips can be implemented with internal systems as well as with a Windows password filter, specifically the nFront Password Filter.
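The blacklist, plaintext-storage and lockout tips above, as an added Python example that is not from the NCSC or the nFront product: it rejects passwords on a constructed denylist, stores only salted PBKDF2 hashes, and flags accounts for lockout from constructed failed-logon log lines. The log format, thresholds, minimum length and denylist entries are assumptions.

```python
import hashlib, hmac, os, re
from collections import defaultdict
from datetime import datetime

# Constructed denylist standing in for a real "commonly used passwords" blacklist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "monkey", "welcome1"}
MIN_LENGTH = 12          # assumed policy: favour length over character-class rules
PBKDF2_ROUNDS = 600_000  # work factor for the stored hash

def check_password(pw: str) -> list:
    """Return the policy failures for a candidate password ([] means accepted)."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("too short")
    if pw.strip().lower() in COMMON_PASSWORDS:
        failures.append("in common-password blacklist")
    return failures

def hash_password(pw: str, salt=None) -> tuple:
    """Never store plaintext: keep a random salt and a PBKDF2-HMAC-SHA256 digest."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored digest."""
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)

# Constructed log format: "<timestamp> LOGON_FAILURE user=<name> src=<ip>"
LOG_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) LOGON_FAILURE user=(\S+) src=\S+$")

def accounts_to_lock(log_lines, threshold: int = 5, window_seconds: int = 600) -> set:
    """Accounts with >= threshold failures inside a sliding window (lines in time order)."""
    recent = defaultdict(list)
    locked = set()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:                       # successes and unrelated events are ignored
            continue
        ts, user = datetime.fromisoformat(m.group(1)), m.group(2)
        recent[user] = [t for t in recent[user] if (ts - t).total_seconds() <= window_seconds] + [ts]
        if len(recent[user]) >= threshold:
            locked.add(user)
    return locked

# Constructed sample: five rapid failures for "admin", two spread-out failures for "jsmith".
SAMPLE_LOG = [f"2024-05-01 09:00:0{i} LOGON_FAILURE user=admin src=10.0.0.7" for i in range(1, 6)] + [
    "2024-05-01 09:00:06 LOGON_FAILURE user=jsmith src=10.0.0.9",
    "2024-05-01 09:00:07 LOGON_SUCCESS user=jsmith src=10.0.0.9",
    "2024-05-01 09:30:00 LOGON_FAILURE user=jsmith src=10.0.0.9",
]
```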