Password guidance summary: how to protect against password-guessing attacks

Created:  28 Jun 2017
Updated:  28 Jun 2017
How organisations and individuals can protect themselves from password-guessing attacks.

Recently, the NCSC has seen an increase in the number of incidents, and more press reporting on historic password compromises. In light of this, we're taking the opportunity to summarise the points from our password guidance that relate specifically to protecting against password-guessing attacks.

Remind your users to:

  • Always use unique passwords for your work accounts. If you think a password may have been compromised, or you notice anything else suspicious, change it immediately and report it.
  • Store your passwords rather than trying to remember them all. This enables you to use longer, stronger, unique passwords and change them whenever you want, without making life too hard for yourself. There are two ways you can do this:
    • Use a password manager. These can easily create and maintain long, complex, unique passwords for every service you use. Read our blogpost on password managers to help you pick a reputable product, and use it in accordance with any instructions provided by your IT staff.
    • Alternatively, write your passwords down on a piece of paper that you guard very carefully (and keep separate from the devices they relate to). Disguise them if you can, and don't write your usernames alongside the passwords.
  • When creating passwords, make sure they can't be easily guessed by people who know you, or derived from information gleaned from your social media profiles. Avoid single dictionary words, or variations of them - use three random words instead. Don't bother replacing the letter 'O' with a zero (or the letter 'I' with the number one) or similar substitution tricks: password-guessing tools already account for these patterns, so they add no real protection.
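As an added example (not NCSC code), the check below shows from the defender's side why the substitution tricks above add nothing: a service can undo the common swaps before comparing a proposed password against its word list, so 'Passw0rd1!' is treated the same as 'password'. The word list and function names are assumptions constructed for illustration.

```python
# Constructed sample word list; a real deployment would use a much larger blocklist.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "london", "dragon", "monkey"}

# The single-character substitutions that guessing rule sets routinely reverse.
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
            "7": "t", "@": "a", "$": "s", "!": "i"}

# Trailing digits and punctuation ("Summer2017", "Monkey!") are stripped before lookup.
TRAILING_NOISE = "0123456789!?.@#$%&*"


def normalise(password: str) -> str:
    """Reduce a password to the base word an attacker's rules would recover."""
    core = password.lower().rstrip(TRAILING_NOISE)
    return "".join(LEET_MAP.get(ch, ch) for ch in core)


def is_dictionary_variant(password: str, dictionary=SAMPLE_DICTIONARY) -> bool:
    """True if the password is a single dictionary word or a simple variant of one."""
    return normalise(password) in dictionary


def check_password(password: str, dictionary=SAMPLE_DICTIONARY) -> tuple[bool, str]:
    """Accept or reject a proposed password, with a reason suitable for showing the user."""
    if is_dictionary_variant(password, dictionary):
        return False, "single dictionary word or a simple variant of one"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Passw0rd1!", "DRAG0N", "Summer2017", "coffee-lamp-tractor"]:
        print(candidate, "->", check_password(candidate))
```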

Where to get extra help

For more information, please see the NCSC's guidance on passwords for system administrators.
