Security Corner

Sep 30 2015   7:14PM GMT

Password guidance from Britain’s CPNI

Ken Harthun Ken Harthun Profile: Ken Harthun

Tags:
Password management
Password policies
Passwords
Security

Britain’s Centre for the Protection of National Infrastructure (CPNI), which works with General Communications Headquarters (GCHQ), recently issued a publication “Password Guidance – Simplifying Your Approach.” I found the 13-page PDF document interesting because it provides guidance on simplifying things at a system level rather than asking users to remember complicated passwords. It also says that regular password changing as a policy is not a good thing:

Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.

But how do you prevent users from using common passwords? Simple: Blacklist the most common passwords (I’ll be writing about this later). I would include code to check to see if user name or company name or other common strategies are used and refuse to accept them.

I won’t elaborate further; you can read the document and glean from it what you will. However, here is the list of tips. A couple of them offer a different view. It’s definitely worth your time to download and read this whole thing.

  • Change all default passwords
  • Help users cope with password overload
  • Understand the limitations of user-generated passwords
  • Understand the limitations of machine-generated passwords
  • Prioritise administrator and remote user accounts
  • Use account lockout and protective monitoring
  • Don’t store passwords as plain text

And finally, here is a very nifty infographic: Password guidance – infographic

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: