The increasing demands by employers and internet businesses for users of their systems/websites to use complicated passwords (often accompanied by “strength” gradings) and to change their passwords regularly has caused a number of problems. In particular it appears that many users simply write down their passwords in order to avoid forgetting them, use the same passwords on many systems and use easily predictable variants when asked to change passwords. This is potentially more of a threat to system security than having weaker passwords. In addition the fact that people now find it harder to remember passwords means that there are increased burdens on helpdesks and system support teams.
In order to address these issues the Centre for the Protection of National Infrastructure, the information security arm of GCHQ, has produced some guidance. It advocates a dramatic simplification of the current approach. The guidance includes many practical technical tips which, if followed, will bolster an organisation’s cyber security.
Tip 1: help users cope with password overload
A recent survey reported that UK citizens have an average of 22 online passwords each, far more than most people can remember. GCHQ have advised that regular password changing harms rather than improves security. Users tend to change only minor elements of a generally used password and so periodic changes make little to no difference. The guidance suggests that organisations only use passwords where they are really needed, that technical solutions are used to reduce the burden on users (rather than placing the onus on users) and that users are allowed to securely record and store their passwords and are only asked to change them if there is any indication or suspicion that the password has been compromised. The guidance also suggests that users should be allowed to reset passwords easily, quickly and cheaply.
Tip 2: understand the limitations of user-generated passwords
The use of technical controls to defend against automated guessing attacks (often referred to as ‘brute force’ attacks) is far more effective than relying on users to generate (and remember) complex passwords.
Tip 3: avoid machine-generated passwords
Tip 4: ensure that users are aware to never re-use passwords between work and home
Tip 5: use more technical defences
GCHQ recommends the use of account lockout (freezing a user’s account after a specific number of unsuccessful attempts), “throttling” (the use of time lags between unsuccessful log-in attempts) and the use of systems to detect and respond to malicious or abnormal user behaviour.
Tip 6: take additional steps to protect administrator and remote user accounts
Tip 7: change all default passwords
Organisations should ensure that default passwords on new hardware devices such as routers and Wi-Fi terminals are changed before they are installed. Factory-set default passwords that are left unchanged on internet capable and internet gateway devices are particularly vulnerable to being accessed by hackers.
Tip 8: ensure third parties are required to take the same security measures as you/your staff
Tip 9: do not store passwords as plain text
It is advisable to encrypt information, even if it is relatively unimportant. GCHQ specifically recommend “hashing and salting” (hashing being a cryptographic function which converts a plain text password into a “hash”, “salting” being the use of random data which is added to a password before hashing to protect against any hackers who are able to reverse the hashing process).
Criminals are increasingly using a variety of techniques to discover passwords such as social engineering (for example phishing), manual password guessing (for example using names, dates of birth and pet names), intercepting passwords as they are transmitted over networks, watching people who are typing in their passwords, using key loggers (to intercept passwords when they are entered on devices), looking on businesses’ IT systems for electronically stored password information, brute force attacks, locating insecurely stored passwords (such as those that have been written down) and attacking databases containing large numbers of passwords which they then use on other systems.
Poor password creation and storage are key culprits when it comes to data breaches and hacking. The guidance provides tips for best practice that, if applied, should reduce the number of successful hacks. Organisations handling data are likely to be required to implement appropriate security measures when the pending European Data Protection Regulation comes into force and this guidance is a helpful step towards establishing what “appropriate” could entail. Compliance with the guidance will not only protect businesses but will assist in defending claims and in demonstrating to insurers that businesses are taking suitable steps to protect themselves (which should assist businesses in both obtaining insurance cover and doing so at reasonable cost).
Tim Smith, BLM partner and head of technology, media and telecoms