Author: Jon Trickey, Information security officer
“Change your password regularly” is a frequently heard piece of password advice. However, enforcing password expiry can result in users making small, predictable changes to their existing password (for example, winter2021 > spring2022), rather than choosing an entirely new one.
This has the opposite effect to the one intended, weakening rather than strengthening security. The National Cyber Security Centre (NCSC), the National Institute of Standards and Technology (NIST) and Microsoft no longer recommend enforcing regular password expiry.
Passwords should always be changed if there is any indication of compromise, but forcing an arbitrary change of a strong, unique password in the absence of any evidence of a need to do so is no longer recommended.
Other very dangerous password practices include using a weak, common, easily guessed password and re-using the same password across multiple sites and services.
These bad habits expose accounts to automated brute-force attacks. Password spraying attacks seek access to accounts by trying lists of commonly used passwords against many accounts. Credential stuffing attacks use a password known to be valid for one account (obtained via a data breach or phishing email) to attempt to access that individual’s other accounts.
While the success rates of these attacks may seem low, the availability of automated tools and the volume of account information that can be obtained make them very attractive to attackers: a success rate of 1% against a set of 100,000 stolen account details still returns around 1,000 successfully compromised accounts.
These attack techniques underline the importance of helping people make informed decisions about passwords and password practices.
Here I will attempt to lay out how Jisc guides users to make better decisions on password management, as well as what our systems are doing behind the scenes to enforce policy decisions.
What is our advice internally?
The advice on passwords has been consistent for some time: the NCSC’s #thinkrandom campaign from 2016 is still in play, and its message is that passwords should be long, memorable and therefore unlikely to be used by someone else. By having a strong and memorable Active Directory (AD) password with multi-factor authentication (MFA) enabled, and by trying to use systems that can integrate with AD using single sign-on (SSO), we cover most bases. For everything else, we recommend using a password manager.
So, when should a password be changed? We only suggest this if you suspect it’s been compromised. This could follow a successful phishing attempt, an alert from a password compromise service, or an alert that a user has submitted their credentials to a potential phishing site.
How do we help our users?
Single sign-on (SSO) is an effective way of reducing the need for multiple passwords. Our trust and identity team did a great job of detailing why in their blog Six problems solved by single sign-on in colleges and universities from October 2021.
The information security team also receives alerts from HaveIBeenPwned for the jisc.ac.uk domain to help identify when our users’ passwords have been compromised. This enables us to reach out to users and reset their passwords quickly.
To help users pick good passwords, Microsoft’s Azure AD password protection has a built-in global banned list covering the most commonly used and known passwords. This list is actually an algorithm that covers not only those passwords but also their variants and common 5ub5t1tut10n5. There’s also a feature within Azure AD that lets us add words to the banned list should we wish to cover more targeted attacks; the guidance on that covers things like company name, locations and internal terms or abbreviations.
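As an added illustration of how a banned list can cover substituted variants (my own example, not Microsoft’s implementation), the check below undoes common substitutions before matching and then scores the password so that a banned term contributes almost nothing; the points idea is borrowed from the scoring Microsoft documents for Azure AD password protection, while the word lists, substitution map and threshold are constructed for this example.

```python
"""Illustrative banned-password check: normalise common substitutions,
then score the password so that a banned term contributes little."""

# Constructed sample lists for this example; the real global list is far larger.
GLOBAL_BANNED = {"password", "welcome", "qwerty", "letmein",
                 "spring", "summer", "autumn", "winter"}
# Hypothetical organisation-specific terms of the kind the post describes
# (company name, locations, internal abbreviations).
CUSTOM_BANNED = {"jisc", "harwell", "servicedesk"}

# Common character substitutions undone before matching (p@$$w0rd -> password).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Longest terms first so a long term is matched before any shorter overlap.
BANNED_TERMS = sorted(GLOBAL_BANNED | CUSTOM_BANNED, key=len, reverse=True)

MIN_POINTS = 8  # constructed threshold; tune for your own policy


def normalise(password: str) -> str:
    """Lower-case and undo substitutions: 'W1nt3r2022!' -> 'winter2o22i'."""
    return password.lower().translate(LEET_MAP)


def banned_terms(password: str) -> list[str]:
    """Banned base words present in the normalised password, alphabetically."""
    norm = normalise(password)
    return sorted(t for t in BANNED_TERMS if t in norm)


def score(password: str) -> int:
    """Each banned term found counts as a single point and every other
    character counts one point, so a banned word plus a year scores low."""
    norm = normalise(password)
    points, i = 0, 0
    while i < len(norm):
        hit = next((t for t in BANNED_TERMS if norm.startswith(t, i)), None)
        points += 1
        i += len(hit) if hit else 1
    return points


def evaluate(password: str) -> dict:
    """Accept only passwords that reach MIN_POINTS once banned terms collapse."""
    pts = score(password)
    return {"accepted": pts >= MIN_POINTS, "points": pts,
            "banned_terms": banned_terms(password)}


if __name__ == "__main__":
    for pw in ["P@ssw0rd123", "Winter2022", "J1sc!2022", "spring-fox-rides-a-bicycle"]:
        print(pw, evaluate(pw))
```

A long passphrase that happens to contain a banned word still passes, because the remaining characters carry the score; a banned word dressed up with substitutions and a year does not.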
In addition to these measures, we also limit the number of failed login attempts for an account. Should somebody attempt to log in and fail a number of times, the account is blocked and our service desk will reach out to the user to verify it was them and reset their password if needed.
Should we try to ban ALL known compromised passwords? No: the long tail of passwords not covered by AAD password protection is unlikely to be used in spraying attacks, so we can focus on stuffing. Better passwords with MFA, user awareness, monitoring for likely compromised passwords and proactively disabling compromised passwords all improve our posture against stuffing.
Passwords are here to stay, at least for the moment, so we need to make sure we’re following the latest guidance on how to use them from both a technological and a human perspective.
Users are central to password management, so make it easy for them to choose and use strong passwords:
- Provide advice and training on what makes a strong password
- Implement assistive technology that works with the user to manage their passwords and reduces the strain of remembering too many (MFA, SSO, password manager, etc.)