Passwords: 7 Security Tips from GCHQ


Tip 1: Change all default passwords

  • Change all default passwords before deployment.
  • Carry out a regular check of system devices and software, specifically to look
    for unchanged default passwords.
  • Prioritise essential infrastructure devices.

Tip 2: Help users cope with password overload

  • Users have a whole suite of passwords to manage, not just yours.
  • Only use passwords where they are really needed.
  • Use technical solutions to reduce the burden on users.
  • Allow users to securely record and store their passwords.
  • Only ask users to change their passwords on indication or suspicion of compromise.
  • Allow users to reset passwords easily, quickly and cheaply.
  • Do not allow password sharing.
  • Password management software can help users, but carries risks.

Tip 3: Understand the limitations of user generated passwords

  • Put technical defences in place so that simpler password policies can be used.
  • Reinforce policies with good user training.
  • Steer users away from choosing predictable passwords, and prohibit the
    most common ones by blacklisting.
  • Tell users that work passwords protect important assets; they should never reuse passwords
    between work and home.
  • Be aware of the limitations of password strength meters.

Tip 4: Understand the limitations of machine generated passwords

  • Choose a scheme that produces passwords that are easier to remember.
  • Offer a choice of passwords, so users can select one they find memorable.
  • As with user-generated passwords, tell users that work passwords protect important assets; they should never reuse
    passwords between work and home.
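As an added illustration of Tip 4 (not code from GCHQ or the original post): a machine-generated password scheme that favours memorability by building passphrases from a wordlist with the OS random source, and that offers the user several candidates to choose from. The wordlist here is a constructed, deliberately tiny one; a real deployment would use a published list of several thousand words, and the entropy figure scales with that list's size.

```python
import math
import secrets

# Constructed sample wordlist for the example only. A production scheme would
# load a published list (thousands of words) so that four words give ~50 bits.
WORDLIST = [
    "apple", "bridge", "candle", "dragon", "ember", "forest", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
    "orbit", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
    "valley", "walnut", "yellow", "zebra",
]


def entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Guessing entropy of word_count words drawn uniformly from a list of
    wordlist_size words (each word contributes log2(size) bits)."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(word_count: int = 4, wordlist=WORDLIST, separator: str = "-") -> str:
    """Draw words with the OS CSPRNG (secrets), never the random module."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def offer_choices(n: int = 3, word_count: int = 4, wordlist=WORDLIST) -> list:
    """Return n independent candidates so the user can pick the one they find
    memorable. Letting the user choose among n costs at most log2(n) bits in
    the worst case, which is cheap compared with one extra word."""
    return [generate_passphrase(word_count, wordlist) for _ in range(n)]


def is_valid_passphrase(candidate: str, word_count: int, wordlist=WORDLIST, separator: str = "-") -> bool:
    """Check that a candidate really is word_count words from the list."""
    words = candidate.split(separator)
    return len(words) == word_count and all(w in wordlist for w in words)


if __name__ == "__main__":
    for choice in offer_choices():
        print(choice)
    print(f"{entropy_bits(4, len(WORDLIST)):.1f} bits with this toy list; "
          f"{entropy_bits(4, 7776):.1f} bits with a 7776-word list")
```

The design point is that memorability comes from the scheme (real words, a fixed separator), while strength comes only from the size of the list and the number of words, so the list size is the parameter to get right, not the user's choice among candidates.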

Tip 5: Prioritise administrator and remote user accounts

  • Give administrators, remote users and mobile devices extra protection.
  • Administrators must use different passwords for their administrative and non-administrative accounts.
  • Do not routinely grant administrator privileges to standard users.
  • Consider implementing two factor authentication for all remote accounts.
  • Make sure that absolutely no default administrator passwords are used.

Tip 6: Use account lockout and protective monitoring

  • Account lockout and ‘throttling’ are effective methods of defending against brute-force attacks.
  • Allow users around 10 login attempts before locking out accounts.
  • Password blacklisting works well in combination with lockout or throttling.
  • Protective monitoring is also a powerful defence against brute-force attacks, and
    offers a good alternative to account lockout or throttling.
  • When outsourcing, contractual agreements should stipulate how user
    credentials are protected.
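The following is an added example (not code from GCHQ or the original post) that ties together Tip 3's blacklisting of the most common passwords and Tip 6's account lockout, throttling and protective monitoring. The blacklist contents, the 15-minute lock duration and the doubling throttle delay are assumed values chosen for the example; the limit of 10 attempts follows the guidance above. The clock is injectable so the behaviour can be checked without waiting.

```python
import time
from collections import defaultdict

# Constructed sample blacklist. A real deployment loads a published list of the
# most common leaked passwords (tens of thousands of entries).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MAX_ATTEMPTS = 10          # "around 10 login attempts" per the guidance
LOCKOUT_SECONDS = 15 * 60  # assumed lock duration after the limit is hit
BASE_DELAY = 1.0           # assumed throttle: delay doubles per failure, capped


def password_policy_problem(password: str):
    """Applied when a password is SET, not at login. Returns None if acceptable,
    otherwise a reason. Blacklisting lets the rest of the policy stay simple."""
    if password.lower() in COMMON_PASSWORDS:
        return "password is on the common-password blacklist"
    return None


class LoginGuard:
    """Per-account failure counting with throttling, lockout and an event log
    that feeds protective monitoring."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.events = []  # (timestamp, event, user) tuples for the SIEM

    def _log(self, event, user):
        self.events.append((self.clock(), event, user))

    def throttle_delay(self, user: str) -> float:
        """Seconds the caller should wait before accepting the next attempt."""
        n = self.failures[user]
        return 0.0 if n == 0 else min(BASE_DELAY * 2 ** (n - 1), 60.0)

    def attempt(self, user: str, password: str, verify) -> str:
        """verify(user, password) -> bool is the (salted, iterated) hash check.
        Returns 'ok', 'throttled' or 'locked'."""
        now = self.clock()
        if user in self.locked_until:
            if now < self.locked_until[user]:
                self._log("attempt_while_locked", user)  # never reaches verify
                return "locked"
            del self.locked_until[user]  # lock expired: start fresh
            self.failures[user] = 0
        if verify(user, password):
            if self.failures[user]:
                self._log("success_after_failures", user)
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        self._log("failure", user)
        if self.failures[user] >= MAX_ATTEMPTS:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self._log("lockout", user)
            return "locked"
        return "throttled"  # caller sleeps throttle_delay(user) before retrying

    def lockouts_by_user(self) -> dict:
        """Simple protective-monitoring view: how often each account locked."""
        counts = defaultdict(int)
        for _, event, user in self.events:
            if event == "lockout":
                counts[user] += 1
        return dict(counts)


if __name__ == "__main__":
    guard = LoginGuard()
    ok = lambda u, p: p == "correct horse battery staple"
    for _ in range(MAX_ATTEMPTS):
        print(guard.attempt("alice", "wrong", ok), guard.throttle_delay("alice"))
    print(guard.lockouts_by_user())
```

Note that a locked account is refused before the hash is ever computed, and that the event log records lockouts and post-failure successes, which are the signals a monitoring team would alert on.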

Tip 7: Don’t store passwords as plain text

  • Never store passwords as plain text.
  • Produce hashed representations of passwords using a unique salt for each
    account.
  • Store passwords in a hashed format, produced using a cryptographic function
    capable of multiple iterations (such as SHA-256).
  • Ensure you protect files containing encrypted or hashed passwords from
    unauthorised system or user access.
  • When implementing password solutions, use public standards, such as PBKDF2,
    which use multiple iterated hashes.
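As an added example of Tip 7 (not code from GCHQ or the original post): per-account random salt, PBKDF2-HMAC-SHA256 from the standard library, a self-describing storage string so the iteration count can be raised later, and constant-time comparison on verify. The 600,000-iteration work factor is an assumed figure to tune against your own hardware; `plain_sha256` is included only to show the unsalted, single-iteration form the tip warns against.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; benchmark and raise it over time
SALT_BYTES = 16
DKLEN = 32


def plain_sha256(password: str) -> str:
    """What Tip 7 warns against: no salt, one iteration. Equal passwords give
    equal digests, so they can be precomputed and compared across accounts."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'algorithm$iterations$salt_hex$hash_hex' for storage."""
    salt = secrets.token_bytes(SALT_BYTES)  # unique per account, per change
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def _parse(stored: str):
    algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported algorithm")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        iterations, salt, expected = _parse(stored)
    except ValueError:
        return False  # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record uses fewer iterations than current policy; rehash
    on the next successful login, when the plaintext is briefly available."""
    try:
        iterations, _, _ = _parse(stored)
    except ValueError:
        return True
    return iterations < ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(hash_password("same") != hash_password("same"))  # salted: always True
```

Storing the algorithm and iteration count alongside the hash is what makes the "raise the work factor later" step routine rather than a migration.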
