Guidelines are based on scientific sources.
| Name | Password Guidance: Simplifying Your Approach |
| Sources | (National Cyber Security Centre (NCSC), 2016) |
| Synonyms | None |
| Context | Advice for determining password policies in software systems |
| Item 1 | Change all default passwords a) “Change all default passwords before deployment.” b) “Carry out a regular check of system devices and software, specifically to look for unchanged default passwords.” c) “Prioritise essential infrastructure devices.” |
| Item 2 | Help users cope with password overload a) “Users have a whole suite of passwords to manage, not just yours.” b) “Only use passwords where they are really needed.” c) “Use technical solutions to reduce the burden on users.” d) “Allow users to securely record and store their passwords.” e) “Only ask users to change their passwords on indication or suspicion of compromise.” f) “Allow users to reset passwords easily, quickly and cheaply.” g) “Do not allow password sharing.” h) “Password management software can help users, but carries risks.” |
| Item 3 | Understand the limitations of user-generated passwords a) “Put technical defences in place so that simpler password policies can be used.” b) “Reinforce policies with good user training. Steer users away from choosing predictable passwords, and prohibit the most common ones by blacklisting.” c) “Tell users that work passwords protect important assets; they should never re-use passwords between work and home.” d) “Be aware of the limitations of password strength meters.” |
| Item 4 | Understand the limitations of machine-generated passwords a) “Choose a scheme that produces passwords that are easier to remember.” b) “Offer a choice of passwords, so users can select one they find memorable.” c) “As with user-generated passwords, tell users that work passwords protect important assets; they should never re-use passwords between work and home.” |
| Item 5 | Prioritise administrator and remote user accounts a) “Give administrators, remote users and mobile devices extra protection.” b) “Administrators must use different passwords for their administrative and non-administrative accounts.” c) “Do not routinely grant administrator privileges to standard users.” d) “Consider implementing two factor authentication for all remote accounts.” e) “Make sure that absolutely no default administrator passwords are used.” |
| Item 6 | Use account lockout and protective monitoring a) “Account lockout and ‘throttling’ are effective methods of defending brute-force attacks.” b) “Allow users around 10 login attempts before locking out accounts.” c) “Password blacklisting works well in combination with lockout or throttling.” d) “Protective monitoring is also a powerful defence against brute-force attacks, and offers a good alternative to account lockout or throttling.” e) “When outsourcing, contractual agreements should stipulate how user credentials are protected.” |
| Item 7 | Don’t store passwords as plain text a) “Never store passwords as plain text.” b) “Produce hashed representations of passwords using a unique salt for each account.” c) “Store passwords in a hashed format, produced using a cryptographic function capable of multiple iterations (such as SHA 256).” d) “Ensure you protect files containing encrypted or hashed passwords from unauthorised system or user access.” e) “When implementing password solutions use public standards, such as PBKDF2, which use multiple iterated hashes.” |
| Examples | None |
| Related Guidelines | Designing Graphical Authentication Mechanism Interfaces Graphical Passwords on Smartphones Guidelines for successful authentication NIST SP 800-63-3: Digital Identity Guidelines |
| Tags | passwords |
| Log history | [01/22/2019]: Added to repository |
National Cyber Security Centre (NCSC), 2016. Password guidance: Simplifying your approach [WWW Document]. URL https://www.ncsc.gov.uk/guidance/password-guidance-simplifying-your-approach (accessed 1.21.19).