Password policies and protection
Passwords for protecting sensitive information
In most cases, passwords can be used to protect sensitive information from unauthorised viewing, whether through password-protected files and directories, cloud access accounts, or password-protected storage drives and PCs. The company must ensure that staff who set their own passwords abide by a robust and secure password policy and follow confidentiality requirements at all times.
What is a password policy?
A password policy is a set of rules required by a system or application when the user is setting a password. These rules are mandatory to maintain the safety and security of the data it is protecting.
Why are password policies important?
Password policies are designed to reduce the risk of a brute force attack on the system they protect. Brute forcing is when an attacker repeatedly guesses a password, usually by working through a wordlist of common passwords. By enforcing password policies such as requiring symbols, numbers and capitalisation, brute forcing becomes much slower and less effective, if not impossible with current technology. A downside of password policies is that they can put an unrealistic demand on users, who may be tempted to reuse passwords or write them down where attackers can steal them.
Examples of password policies
The NCSC does not require a password policy to be in place; however, it does recommend steps to mitigate the risk of password breaches while managing password overload on users.
- Reduce the reliance on passwords in the organisation – companies should become less reliant on passwords and expand their use of other authentication methods, such as biometrics.
- Implement technical defence systems – by using account throttling, password blacklists and monitoring, businesses can ensure that brute force attacks are identified and defended against.
- Protect passwords – passwords should be encrypted in transit and hashed when stored on a system, which mitigates the risk of the passwords being exposed to bad actors.
- Balance password overload – the NCSC recommends that users only change their passwords when a breach is suspected, because breached passwords are exploited immediately.
- Password complexity – generating passwords from a random sequence of characters and storing them in a password manager is the best way to defend against brute forcing.
Even though the NCSC does not recommend password complexity requirements due to the risk of password overloading on users, basic requirements should be enforced to deter employees from setting predictable passwords. The UK government recommends that:
- Passwords must be at least 8 characters long.
- They should not have a maximum length.
- Password restrictions should be communicated to users.
- Commonly used passwords should be disallowed.
Microsoft recommends to users that:
- Passwords should be 12-14 characters long.
- Passwords should use uppercase and lowercase letters.
- Passwords should contain symbols.
- Passwords should contain numbers.
- The password should not be a word that can be found in the dictionary or a name.
- The password is significantly different from all the other passwords the user has.
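As an added illustration of the two rule sets above (not code from the original article), the following Python checker encodes the UK government profile (minimum 8 characters, no maximum, commonly used passwords disallowed) and the Microsoft profile (12+ characters, mixed case, symbols, numbers, not a dictionary word, significantly different from the user's other passwords). The blocklist and the 0.6 similarity threshold are assumptions; it returns the violated rules as plain text so that restrictions can be communicated to the user.

```python
"""Password-policy checker for the UK government and Microsoft profiles described above."""
from __future__ import annotations
from dataclasses import dataclass
from difflib import SequenceMatcher
import string

# Constructed sample blocklist; a real deployment would load a breached/common-password list.
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein", "welcome1"})


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int                       # neither profile sets a maximum length
    require_mixed_case: bool = False
    require_digit: bool = False
    require_symbol: bool = False
    blocklist: frozenset = frozenset()
    max_similarity: float = 1.0           # 1.0 disables the "different from other passwords" check


UK_GOV = Policy("UK government", min_length=8, blocklist=COMMON_PASSWORDS)
MICROSOFT = Policy("Microsoft", min_length=12, require_mixed_case=True, require_digit=True,
                   require_symbol=True, blocklist=COMMON_PASSWORDS, max_similarity=0.6)


def check_password(password: str, policy: Policy, existing: tuple[str, ...] = ()) -> list[str]:
    """Return the rules the password violates, phrased for the user; empty list means compliant."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"at least {policy.min_length} characters")
    if policy.require_mixed_case and not (any(c.islower() for c in password)
                                          and any(c.isupper() for c in password)):
        problems.append("both uppercase and lowercase letters")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("at least one number")
    if policy.require_symbol and not any(c in string.punctuation for c in password):
        problems.append("at least one symbol")
    # Strip trailing digits/symbols before the lookup so "Password1!" still matches "password".
    base = password.lower().rstrip(string.digits + string.punctuation)
    if password.lower() in policy.blocklist or base in policy.blocklist:
        problems.append("not a commonly used password or dictionary word")
    # difflib ratio: 1.0 for identical strings, ~0 for unrelated ones.
    for old in existing:
        if SequenceMatcher(None, password, old).ratio() > policy.max_similarity:
            problems.append("significantly different from your other passwords")
            break
    return problems
```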
Password managers
A password manager is a software system used to store users' passwords in an easy and secure manner. By using password managers, password overload on users can be dramatically reduced, as all their passwords are safely stored for them. This reduces the risk of employees writing passwords down to remember them or choosing easy-to-guess passwords. Some examples of password managers are:
- NordPass
- RoboForm
- Dashlane
- BitWarden
These password managers all use the Advanced Encryption Standard (AES) to encrypt the stored passwords. This encryption algorithm is widely trusted and has no practical known attack, so the stored passwords are effectively impossible for hackers to crack.
Social engineering
Because password managers are so secure, attackers resort to other ways of obtaining passwords from victims. A very common method is social engineering, such as phishing: the victim is sent an illegitimate message or email containing a false story written to trick them into giving away sensitive information. The best defence against social engineering attacks is employee training and awareness of how to recognise and report malicious attempts.