October 18, 2016
This guidance was originally published on 21 September 2016 as part of NCSC's Password Collection. Original article begins below.
How to help your end users manage their passwords, with additional practical steps to improve your system security. This guidance focuses on the end user (rather than the system owner responsible for determining password policy). It describes how you can help your end users to manage their passwords, and provides further practical steps to improve system security.
Giving users a much smaller set of things to do makes it much more likely that they will do them successfully, thus achieving the security benefits you hope for from successful password management.
1. Make it easy for users to safely store their passwords
The typical user has dozens of passwords to remember, and inevitably users WILL write passwords down even if you ask them not to. So, ensure it is easy for users to safely store their passwords, so they don't have to resort to sticky notes on the monitor or under the keyboard.
Storage could be physical (for example secure cabinets) or technical (such as password management software), or a combination of both. If it's your policy to allow users to write their passwords down, explain the policy and provide appropriate facilities (in this example, tamper-evident envelopes).
Your policy should also consider the needs of mobile users who will be using passwords in riskier locations than your normal offices. They must know:
- how to store, access, change and reset passwords remotely
- how to store passwords separately from the devices they protect
- whom they must report to immediately if they lose a written password (or the device itself)
- whom they must report to immediately if they suspect the password has been compromised (e.g., by shoulder-surfing in a public location)
2. Consider using password management software
If it's your policy to allow password management software, choose and install a product and then explain to users how to use it.
Password managers (like any other piece of software) may be compromised, so consider the risks. Tell users that they should not store critical credentials (such as the details for administrator accounts) in password management software. Allowing users to store most of their (less important) passwords gives them greater capacity to remember the critical ones.
3. Ensure your password rules are simple to understand and to put into practice
If you have good technical defences in place, then your password policy shouldn't force users to waste effort creating and managing lots of complex passwords. Provided you ensure that users know the importance of not re-using their home passwords for work accounts, or using passwords that are easy to guess, then your guidance can move away from 'DO and DON'T' rules towards an approach that is easier for users to understand and follow.
For example, your guidance might state 'Make sure that somebody who knows you well couldn't guess your password in 20 attempts'.
4. Consider turning off regular password expiry
The cost of forcing users to regularly change their password outweighs any protection it might give. Users invariably use weaker passwords, making only minor changes to old passwords and burdening your helpdesk with password resets. Instead, consider telling your users that you are removing the need to renew passwords, so they can concentrate on the measures that do make a difference, such as:
- making sure passwords aren't easy to guess
- storing passwords in approved ways
- reporting unrecognised logins (or attempted logins), or unusual activity on their accounts
- changing passwords where compromise is evident or suspected
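Turning expiry off is a policy decision, but it only takes effect if the system-level aging settings are actually changed, and section 6 below asks you to check whether policy and practice match. The following is an added example, not part of the NCSC guidance, that audits Linux password-aging settings: it reads the default `PASS_MAX_DAYS` from `/etc/login.defs` and the per-user maximum from `chage -l` output, and reports which accounts are still subject to forced expiry. The `login.defs` text and `chage -l` outputs below are constructed samples so the script runs offline; the treatment of `-1` and `99999` as "no maximum age" follows the shadow(5) convention and is an assumption about your distribution.

```python
"""Audit Linux password-aging settings to confirm that routine password expiry
has actually been switched off. Added example; assumes aging is controlled by
/etc/login.defs (PASS_MAX_DAYS) and per-user values from `chage -l <user>`."""
import re

# Constructed sample of /etc/login.defs (comments and unrelated keys included).
SAMPLE_LOGIN_DEFS = """\
# Password aging controls (constructed sample)
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
UMASK           022
"""

# Constructed samples of `chage -l` output for three accounts.
SAMPLE_CHAGE = {
    "alice": """\
Last password change                                    : Mar 03, 2016
Password expires                                        : Jun 01, 2016
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
""",
    "bob": """\
Last password change                                    : Jan 10, 2016
Password expires                                        : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
""",
    "svc-backup": """\
Last password change                                    : Feb 20, 2016
Password expires                                        : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : -1
Number of days of warning before password expires       : 7
""",
}

# Assumption (shadow(5) convention): -1 or 99999 both mean "no maximum age".
NO_EXPIRY_VALUES = {-1, 99999}


def default_max_days(login_defs_text):
    """Return PASS_MAX_DAYS from login.defs text, or None if it is not set
    (an unset value means no system-wide expiry)."""
    for line in login_defs_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"PASS_MAX_DAYS\s+(-?\d+)$", line)
        if m:
            return int(m.group(1))
    return None


def max_days_from_chage(chage_text):
    """Extract the 'Maximum number of days between password change' value
    from `chage -l` output."""
    for line in chage_text.splitlines():
        if line.startswith("Maximum number of days between password change"):
            return int(line.split(":", 1)[1].strip())
    raise ValueError("max-days line not found in chage output")


def expiry_enforced(max_days):
    """True if the given maximum age actually forces periodic changes."""
    return max_days is not None and max_days not in NO_EXPIRY_VALUES


def audit(login_defs_text, chage_outputs):
    """Summarise the default policy and list users still subject to expiry."""
    default = default_max_days(login_defs_text)
    still_expiring = sorted(
        user for user, text in chage_outputs.items()
        if expiry_enforced(max_days_from_chage(text))
    )
    return {
        "default_max_days": default,
        "default_enforces_expiry": expiry_enforced(default),
        "users_still_expiring": still_expiring,
    }


if __name__ == "__main__":
    # On a live host, replace the samples with the real file and command output.
    print(audit(SAMPLE_LOGIN_DEFS, SAMPLE_CHAGE))
```

On the constructed samples the default policy still enforces a 90-day maximum and only `alice` remains subject to it, which is exactly the mismatch between a "no expiry" policy and real configuration that an assessment should surface. Accounts created after `PASS_MAX_DAYS` is changed inherit the new default, but existing accounts keep their per-user value until it is updated, so both checks are needed.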
5. Protect your systems to protect your users
Your system's security should always rely more on effective technical defences than it does on 'correct' user behaviour.
For instance, it is important to tell your users about the dangers of phishing, but you cannot stop all successful phishing attacks by relying on users to detect and avoid them. Also, excessive individual penalties associated with falling for a phish might mean your users are too afraid to open legitimate emails — which will have business costs.
Focus instead on enacting good technical defences, ensuring users know how to spot common types of phishing emails, and where to report any emails or websites they are unsure about.
6. Assess how well your password policy and processes are working
If your organisation has an approved secure password storage policy but you're still finding passwords on sticky notes stuck under keyboards, then your policies and/or processes aren't working and you should try to find out why. For example, if you do keep coming across insecurely stored passwords, it might indicate that your users:
- find that the process for securely storing passwords is too demanding, impractical or takes too much time away from their normal duties
- have so many passwords that they are still using coping strategies
- are simply not aware of your guidance
Investigate and take action accordingly. By and large, users will do their best to comply with reasonable, workable security requirements. If you find problems, it's usually a sign that the IT policies or processes need fixing, not the people.