OUR ADVICE ON PASSWORDS
Strong password policies are essential for keeping organisations secure and protecting against threats such as unauthorised access and hacking.
Most password policies require regular changes, typically of passwords that are long and random; we recommend a different approach. We advise both our employees and customers to create strong passwords that combine uppercase letters, numbers and special characters. However, we do not mandate regular password changes, for several reasons.
The National Cyber Security Centre (NCSC) believe that actively forcing users to change their passwords is itself a security risk. They summarise it perfectly: “It’s one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack”.
This is also reinforced by the National Institute of Standards and Technology (NIST). They state that “contrary to popular belief and prior standards, NIST does not suggest frequent password changes”. They explain that “individuals who are asked to change passwords frequently are much more likely to reuse an old password and merely append a number, letter, or special character to the end of it”. Experienced hackers know this trick and can predict minor changes. Moreover, if a previous password has already been compromised, any derivation of it, including single-character changes, is more easily breached in the future.
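The NIST point above can be enforced at change time rather than left to the user. The following is an added example (not Pentagull's own code, nor NCSC's or NIST's) of a server-side check that rejects a new password when it is only a minor variation of the previous one: same password with different letter case, a digit or symbol appended or bumped, leet-style substitutions, the old password embedded in the new one, or a reversal. It assumes the service has the current password available at the moment of the change (most systems ask for it before accepting a new one), so nothing beyond the existing hash is ever stored. The sample passwords in the demo are constructed.

```python
"""
Reject trivial derivations of a previous password at change time.

Assumption (labelled): the caller holds the user's current password in
plaintext only for the duration of the change request, as is the case when
the change form asks for the current password. Nothing is persisted.
"""
import unicodedata
from typing import Optional

# Leet-style substitutions users commonly apply to "change" a password.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})
# Characters people typically append or increment at the end of a password.
SUFFIX_CHARS = "0123456789!@#$%^&*.?-_+="


def _normalise(pw: str) -> str:
    """Lower-case, drop a trailing run of digits/symbols, fold leet substitutions.

    If stripping the suffix would leave nothing (an all-digit password),
    keep the original so two unrelated numeric passwords do not collide.
    """
    pw = unicodedata.normalize("NFKC", pw).lower()
    stripped = pw.rstrip(SUFFIX_CHARS)
    return (stripped or pw).translate(LEET_MAP)


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def trivial_derivation(old: str, new: str, max_edits: int = 2) -> Optional[str]:
    """Return a human-readable reason if `new` is a minor variation of `old`.

    Returns None when the new password is sufficiently different. Checks run
    from the cheapest/most specific to the most general.
    """
    if new == old:
        return "same as previous password"
    if new.lower() == old.lower():
        return "only letter case changed"
    o, n = _normalise(old), _normalise(new)
    if n == o:
        return "only appended/substituted characters"
    if o in n or n in o:
        return "contains the previous password"
    if n == o[::-1]:
        return "previous password reversed"
    if _edit_distance(o, n) <= max_edits:
        return f"within {max_edits} edits of previous password"
    return None


if __name__ == "__main__":
    # Constructed sample pairs (old, new); none are real credentials.
    samples = [
        ("Winter2023!", "Winter2024!"),
        ("P@ssw0rd", "Passw0rd!"),
        ("correct horse", "correct horse battery"),
        ("Tr0ub4dor&3", "Xk9#mLq2!vZ"),
    ]
    for old_pw, new_pw in samples:
        verdict = trivial_derivation(old_pw, new_pw) or "accepted"
        print(f"{old_pw!r} -> {new_pw!r}: {verdict}")
```

The check complements, rather than replaces, a breached-password list and a minimum length: a password that passes it may still be weak on its own, and the normalisation deliberately errs towards rejecting too much, since the cost of a false positive is one more attempt by the user.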
Here at Pentagull, we have introduced Single Sign-On (SSO) to further enhance security. With SSO, users require only one set of credentials to access multiple systems, reducing the number of passwords that could be compromised. In addition, Single Sign-On uses a single trusted identity provider to authenticate users. This centralisation makes the security controls more robust and allows additional measures, such as multifactor authentication (MFA), to be adopted for an extra layer of security.
On ESB, we have system monitoring tools that provide useful information, such as a user's last successful login and the date their password was most recently changed. With this information we can inform users if we believe their account has been compromised, or simply ask them to confirm that the activity was theirs.
For more information please read what the NCSC say regarding frequent password changes.