Passwords: 7 Security Tips from GCHQ
Tip 1: Change all default passwords
- Change all default passwords before deployment.
- Carry out a regular check of system devices and software, specifically to look
for unchanged default passwords.
- Prioritise essential infrastructure devices.
Tip 2: Help users cope with password overload
- Users have a whole suite of passwords to manage, not just yours.
- Only use passwords where they are really needed.
- Use technical solutions to reduce the burden on users.
- Allow users to securely record and store their passwords.
- Only ask users to change their passwords on indication or suspicion of compromise.
- Allow users to reset passwords easily, quickly and cheaply.
- Do not allow password sharing.
- Password management software can help users, but carries risks.
Tip 3: Understand the limitations of user generated passwords
- Put technical defences in place so that simpler password policies can be used.
- Reinforce policies with good user training.
- Steer users away from choosing predictable passwords, and prohibit the
most common ones by blacklisting.
- Tell users that work passwords protect important assets; they should never reuse passwords
between work and home.
- Be aware of the limitations of password strength meters.
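The blacklisting point above is easy to get wrong in practice: a naive exact-match list lets "P@ssw0rd1!" through even though any cracking rule set recovers "password" from it. The checker below is an added example written for this page, not code from the GCHQ guidance. Its ten-entry blocklist and small substitution table are constructed for illustration; a real deployment loads a published list of the most common leaked passwords.

```python
import re
from typing import Iterable, Optional, Set

# Constructed sample blocklist. A real deployment loads a published list of the
# most common leaked passwords (tens of thousands of entries or more).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "football", "iloveyou", "monkey", "dragon",
}

# Small illustrative table of character substitutions to undo before the
# lookup, so "P@ssw0rd" is compared as the dictionary word it is derived from.
_UNLEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "5": "s", "$": "s", "7": "t",
})

# Leading/trailing digits and punctuation, e.g. the usual "...1!" suffix.
_EDGE_JUNK = re.compile(r"^[\d\W_]+|[\d\W_]+$")

def candidate_forms(password: str) -> Set[str]:
    """Return the base words a cracking rule set would try for this password.

    Both orders of "strip suffix" and "undo substitutions" are produced, since
    "password1!" needs stripping first and "$ecret" needs un-substituting first.
    """
    lower = password.lower()
    stripped = _EDGE_JUNK.sub("", lower)
    unleet = lower.translate(_UNLEET)
    return {lower, stripped, unleet, stripped.translate(_UNLEET), _EDGE_JUNK.sub("", unleet)}

def check_password(password: str, user_attributes: Iterable[str] = (),
                   min_length: int = 8) -> Optional[str]:
    """Return a rejection reason, or None if the password may be used."""
    if len(password) < min_length:
        return f"too short (minimum {min_length} characters)"
    if candidate_forms(password) & COMMON_PASSWORDS:
        return "on the list of commonly used passwords"
    for attr in user_attributes:
        if attr and attr.lower() in password.lower():
            return "contains the account name or other details an attacker can guess"
    return None
```

Because this check runs at password-set time rather than on every login, the cost of a large blocklist is irrelevant, and it gives the "technical defence" that lets the rest of the policy stay simple: no forced special characters, no scheduled changes.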
Tip 4: Understand the limitations of machine generated passwords
- Choose a scheme that produces passwords that are easier to remember.
- Offer a choice of passwords, so users can select one they find memorable.
- As with user-generated passwords, tell users that work passwords protect important assets; they should never reuse
passwords between work and home.
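A scheme that is "easier to remember" need not be weaker: a passphrase of four words drawn at random from a 7776-word list carries about 51.7 bits of entropy, slightly more than eight random letters and digits (47.6 bits). The generator below is an added example for this page, not code from the GCHQ guidance. Its 32-word list is constructed for illustration (a real generator uses a published list of a few thousand short, unambiguous words), and it offers several candidates at once so the user can pick the one they find memorable.

```python
import math
import secrets
import string
from typing import List

# Constructed 32-word sample list; a real generator uses a published list of a
# few thousand short, unambiguous words (a diceware-style list of 7776 words).
WORDS = [
    "apple", "bridge", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "needle", "orange", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yellow",
    "zebra", "anchor", "basket", "copper", "desert", "engine", "forest", "glacier",
]

def entropy_bits(n_symbols: int, alphabet_size: int) -> float:
    """Entropy of n symbols each chosen uniformly at random from an alphabet."""
    return n_symbols * math.log2(alphabet_size)

def passphrase(n_words: int = 4, words: List[str] = WORDS, sep: str = "-") -> str:
    """One passphrase; secrets.choice uses the OS CSPRNG, unlike random.choice."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def random_string(length: int = 8,
                  alphabet: str = string.ascii_letters + string.digits) -> str:
    """The conventional machine-generated alternative, for comparison."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def offer_choices(n_options: int = 5, n_words: int = 4) -> List[str]:
    """Offer several candidates so the user can select the most memorable one."""
    return [passphrase(n_words) for _ in range(n_options)]

if __name__ == "__main__":
    print("four words from a 7776-word list: %.1f bits" % entropy_bits(4, 7776))
    print("eight random letters and digits:  %.1f bits" % entropy_bits(8, 62))
    for candidate in offer_choices():
        print(candidate)
```

Offering a choice costs almost nothing in strength (picking one of five candidates removes at most log2(5), about 2.3 bits) and is the difference between a password the user remembers and one they write on a note under the keyboard.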
Tip 5: Prioritise administrator and remote user accounts
- Give administrators, remote users and mobile devices extra protection.
- Administrators must use different passwords for their administrative and non-administrative accounts.
- Do not routinely grant administrator privileges to standard users.
- Consider implementing two-factor authentication for all remote accounts.
- Make sure that absolutely no default administrator passwords are used.
Tip 6: Use account lockout and protective monitoring
- Account lockout and ‘throttling’ are effective methods of defending against brute-force attacks.
- Allow users around 10 login attempts before locking out accounts.
- Password blacklisting works well in combination with lockout or throttling.
- Protective monitoring is also a powerful defence against brute-force attacks, and
offers a good alternative to account lockout or throttling.
- When outsourcing, contractual agreements should stipulate how user
credentials are protected.
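The lockout, throttling and monitoring points above fit together, and the example below shows why all three are needed. It is an added example written for this page, not code from the GCHQ guidance: the 15-minute lockout duration, the throttling curve and the log line format are assumptions chosen for illustration, and the log lines are constructed. The monitoring half finds a source that fails once against each of five accounts, a "password spray" that a per-account lockout never sees because no single account reaches the threshold.

```python
import re
import time
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Set

MAX_ATTEMPTS = 10          # GCHQ: allow around 10 attempts before locking out
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration for this example

class LoginGuard:
    """Per-account lockout combined with throttling (growing delay after failures)."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self.clock = clock           # injectable so tests need not sleep
        self.failures: Dict[str, int] = defaultdict(int)
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, user: str) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:    # lockout has expired: reset the counter
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def throttle_delay(self, user: str) -> float:
        """Seconds to wait before processing the account's next attempt.

        Starts at the third consecutive failure and doubles, capped at 30 s,
        which slows online guessing well before the lockout is reached.
        """
        n = self.failures[user]
        return 0.0 if n < 3 else min(2.0 ** (n - 3), 30.0)

    def record_attempt(self, user: str, success: bool) -> bool:
        """Record an outcome; return True if the account is (now) locked."""
        if self.is_locked(user):
            return True
        if success:
            self.failures[user] = 0
            return False
        self.failures[user] += 1
        if self.failures[user] >= MAX_ATTEMPTS:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
            return True
        return False

# Protective monitoring: a per-account lockout never fires when one source tries
# a single guess against many accounts, but the authentication log shows it.
LOG_LINE = re.compile(r"auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)")

def spray_sources(log_lines: Iterable[str], min_users: int = 5) -> Dict[str, int]:
    """Map each source to the number of distinct accounts it failed against,
    keeping only sources that hit at least min_users accounts."""
    users_per_src: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and m.group("result") == "FAIL":
            users_per_src[m.group("src")].add(m.group("user"))
    return {src: len(users) for src, users in users_per_src.items()
            if len(users) >= min_users}

# Constructed sample log lines (format invented for this example).
SAMPLE_LOG: List[str] = [
    "2024-05-01T10:00:01Z auth FAIL user=alice src=203.0.113.7",
    "2024-05-01T10:00:02Z auth FAIL user=bob src=203.0.113.7",
    "2024-05-01T10:00:03Z auth FAIL user=carol src=203.0.113.7",
    "2024-05-01T10:00:04Z auth FAIL user=dave src=203.0.113.7",
    "2024-05-01T10:00:05Z auth FAIL user=erin src=203.0.113.7",
    "2024-05-01T10:01:10Z auth FAIL user=alice src=198.51.100.2",
    "2024-05-01T10:01:25Z auth FAIL user=alice src=198.51.100.2",
    "2024-05-01T10:01:40Z auth OK user=alice src=198.51.100.2",
]
```

Note that lockout alone also hands an attacker a denial-of-service lever (ten deliberate failures lock any account they can name), which is one reason the guidance presents monitoring as an alternative rather than only a supplement.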
Tip 7: Don’t store passwords as plain text
- Never store passwords as plain text.
- Produce hashed representations of passwords using a unique salt for each password.
- Store passwords in a hashed format produced by a function designed for password
hashing, which iterates an underlying cryptographic hash (such as SHA-256) many
times; a single application of SHA-256 on its own is far too fast to resist offline guessing.
- Ensure you protect files containing encrypted or hashed passwords from
unauthorised system or user access.
- When implementing password solutions use public standards, such as PBKDF2,
which iterate a hash many times so that each guess costs the attacker as much work as it costs you.