Recently, the NCSC has seen an increase in the number of incidents, and also more press reporting of historic password compromises. In light of this, we are taking the opportunity to summarise the salient points from our password guidance that relate specifically to protecting against password-guessing attacks.
- If attackers are able to access your systems remotely by guessing users’ passwords, then those systems are not effectively protected; don’t blame the users in this situation.
- Forcing regular password resets is counter-productive, but that doesn’t mean they’re never needed. Make sure your users know how to reset their passwords when this is necessary, and help them pick hard-to-guess passwords.
- Prevent password-guessing attacks by setting up multi-factor authentication for your users on all the enterprise services used across your organisation. Encourage your users to do the same for their personal services. All major providers have advice on how to do this (see below), or your IT staff can help.
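As an added illustration (not code from the NCSC guidance), here is a small detector that applies the point above to a constructed set of authentication log lines: it flags repeated failures against one account from one source, one source failing against many accounts (password spraying), and a success that follows failures from the same source. The log format, field names and thresholds are assumptions made for this example.

```python
from collections import defaultdict
import re

# Constructed sample log lines for this example (assumed format: time, result, user, source).
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:02 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:03 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:04 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:05 FAIL user=alice src=203.0.113.5
2024-05-01T09:00:06 OK   user=alice src=203.0.113.5
2024-05-01T09:10:00 FAIL user=bob   src=198.51.100.7
2024-05-01T09:10:01 FAIL user=carol src=198.51.100.7
2024-05-01T09:10:02 FAIL user=dave  src=198.51.100.7
2024-05-01T09:10:03 FAIL user=erin  src=198.51.100.7
2024-05-01T09:30:00 FAIL user=frank src=192.0.2.9
2024-05-01T09:30:30 OK   user=frank src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")

def parse(log_text):
    """Yield (result, user, src) tuples; lines that do not match the assumed format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4)

def detect_guessing(log_text, per_user_threshold=5, spray_threshold=3):
    """Return three kinds of finding: brute force (many failures for one user from one
    source), spraying (one source failing against many users) and a success that follows
    earlier failures from the same source (an account worth checking and resetting)."""
    fails = defaultdict(int)          # (src, user) -> failure count
    users_per_src = defaultdict(set)  # src -> users that have failed from it
    findings = {"brute_force": set(), "spray": set(), "success_after_failures": set()}
    for result, user, src in parse(log_text):
        if result == "FAIL":
            fails[(src, user)] += 1
            users_per_src[src].add(user)
            if fails[(src, user)] >= per_user_threshold:
                findings["brute_force"].add((src, user))
            if len(users_per_src[src]) >= spray_threshold:
                findings["spray"].add(src)
        elif fails[(src, user)] > 0:
            findings["success_after_failures"].add((src, user))
    return {kind: sorted(hits) for kind, hits in findings.items()}

if __name__ == "__main__":
    for kind, hits in detect_guessing(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

Multi-factor authentication is what stops a guessed password from turning into the "success after failures" case; the detector only tells you where to look.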
Remind your users to:
- Always use unique passwords for your work accounts. If you think a password may have been compromised, or you notice anything else suspicious, change it immediately and report it.
- Store your passwords rather than trying to remember them all. This enables you to use longer, stronger, unique passwords and change them whenever you want, without making life too hard for yourself. There are two ways you can do this:
  - Use a password manager. These can easily create and maintain long, complex, unique passwords for every service you use. Read our blogpost on password managers to help you pick a reputable product, and use it in accordance with any instructions provided by your IT staff.
  - Alternatively, write your passwords down on a piece of paper that you guard very carefully (and keep separate from the devices they relate to). Disguise them if you can, and don't write your usernames alongside the passwords.
- When creating passwords, make sure they can't be easily guessed by people who know you, or derived from information gleaned from your social media profiles. Avoid single dictionary words, or variations of them; use three random words instead. Don't bother replacing the letter 'O' with a zero (or the letter 'I' with the number one) or using similar substitution tricks, as attackers' guessing tools already account for these patterns.
Where to get extra help
For more information, please see the NCSC’s guidance on passwords for system administrators.