Password guidance summary: how to protect against password-guessing attacks

Serviceteam IT Security News

Recently, the NCSC have seen an increase in a number of incidents, and also more press reporting around historic password compromises. In light of this, we’re taking this opportunity to summarise the salient points from our password guidance that relate specifically to how you can protect against password-guessing attacks.

  • If attackers are able to access your systems remotely by guessing users’ passwords, then those systems are not effectively protected; don’t blame the users in this situation.
  • Forcing regular password resets is counter-productive, but that doesn’t mean they’re never needed. Make sure your users know how to reset their passwords when this is necessary, and help them pick hard-to-guess passwords.
  • Prevent password-guessing attacks by setting up multi-factor authentication for your users on all the enterprise services used across your organisation. Encourage your users to do the same for their personal services. All major providers have advice on how to do this (see below), or your IT staff can help.

 

Remind your users to:

  • Always use unique passwords for your work accounts. Always change them immediately, and report it, if you think they may have been compromised or you notice anything else suspicious.
  • Store your passwords rather than trying to remember them all. This enables you to use longer, stronger, unique passwords and change them whenever you want, without making life too hard for yourself. There are two ways you can do this:
    • Use a password manager. These can easily create and maintain long, complex, unique passwords for every service you use. Read our blogpost on password managers to help you pick a reputable product, and use it in accordance with any instructions provided by your IT staff.
    • Alternatively, write your passwords down on a piece of paper that you guard very carefully (and keep separate from the devices they relate to). Disguise them if you can, and don’t write your usernames alongside the passwords.
       
  • When creating passwords, make sure they can’t be easily guessed by people who know you, or derived from information gleaned from your social media profiles. Avoid the use of single dictionary words, or variations of these – use three random words instead. Don’t bother replacing the letter ‘O’ with a zero (or replacing the letter ‘I’ with the number one) or any other techniques as hackers can exploit these rules.

Where to get extra help

For more information, please see the NCSC’s guidance on passwords for system administrators.

Source: NCSC

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!

/by
You might also like
Serviceteam IT Security News Cisco Warns of Critical Vulnerability Revealed in ‘Vault 7’ Data Dump
Serviceteam IT Security News SaaS security – surely it’s simple?
Serviceteam IT Security News I'll make you an offer you can't refuse…
Serviceteam IT Security News Massive Smominru Cryptocurrency Botnet Rakes In Millions
Serviceteam IT Security News I'm gonna stop you, little phishie…
Serviceteam IT Security News Avoiding phishing attacks