NCSC recommend against forcing regular password expiry

Tip 4: Help users cope with password overload

Users have traditionally been told to remember passwords, and to not share them, re-use them, or write them down. The problem with this is that the typical user has dozens of passwords to remember – not just yours. To cope with this overload, users resort to workarounds, such as reusing passwords, insecure storage or predictable passwords. This section explains how your organisation can provide sanctioned mechanisms to help users manage passwords, so there's less incentive to adopt insecure workarounds.

Use password management software or other secure storage

You should provide appropriate facilities to store passwords. The NCSC recommend the use of password managers for secure storage wherever appropriate. As well as providing secure storage, password managers can help users by generating and auto-filling passwords when required. We recommend that all online services permit the use of password managers, and that users should be allowed to paste passwords into web forms. However, like any piece of security software, password managers are not impregnable and are an attractive target for attackers. For more information, refer to the NCSC Password Manager Buyers Guide.

If a password manager is not suitable you should provide physical storage for recorded passwords such as a secure cabinet. You may also need secure storage for MFA tokens. This should be separate from the stored password.

Don't enforce regular password expiry

Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts.

Forcing password expiry carries no real benefits because:

  • the user is likely to choose new passwords that are only minor variations of the old
  • stolen passwords are generally exploited immediately
  • resetting the password gives you no information about whether a compromise has occurred
  • an attacker with access to the account will probably also receive the request to reset the password
  • if compromised via insecure storage, the attacker will be able to find the new password in the same place

Instead of forcing expiry, you should counter the illicit use of compromised passwords by:

  • ensuring an effective movers/leavers process is in place
  • automatically locking out inactive accounts
  • monitoring logins for suspicious behaviour (such as unusual login times, logins using new devices)
  • encouraging users to report when something is suspicious
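To illustrate two of the controls listed above (monitoring logins for new devices and unusual hours, and identifying inactive accounts for automatic lockout), here is an added example that is not part of the NCSC guidance; the event format, the 07:00-19:59 "usual hours" window, the 30-day inactivity limit and the sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample login events: (ISO timestamp, user, device id).
SAMPLE_EVENTS = [
    ("2024-03-01T09:05:00", "alice", "laptop-a1"),
    ("2024-03-04T10:12:00", "alice", "laptop-a1"),
    ("2024-03-05T03:40:00", "alice", "phone-x9"),   # new device, 03:40
    ("2024-02-01T08:30:00", "bob", "desk-b2"),
    ("2024-03-06T14:00:00", "carol", "desk-c3"),
]

USUAL_HOURS = range(7, 20)             # assumed: 07:00-19:59 is normal
INACTIVITY_LIMIT = timedelta(days=30)  # assumed lockout threshold


def parse(event):
    ts, user, device = event
    return datetime.fromisoformat(ts), user, device


def flag_suspicious_logins(events):
    """Return (user, timestamp, reasons) for logins outside usual hours or
    from a device the user has not used before. A user's very first login
    establishes their baseline and is not flagged as a new device."""
    known_devices = {}
    flagged = []
    for ts, user, device in sorted(map(parse, events)):
        reasons = []
        seen = known_devices.setdefault(user, set())
        if seen and device not in seen:
            reasons.append("new device")
        if ts.hour not in USUAL_HOURS:
            reasons.append("unusual login time")
        seen.add(device)
        if reasons:
            flagged.append((user, ts.isoformat(), reasons))
    return flagged


def inactive_accounts(events, now, limit=INACTIVITY_LIMIT):
    """Return users whose most recent login is older than `limit` as of
    `now`; these are candidates for automatic lockout."""
    last_seen = {}
    for ts, user, _ in map(parse, events):
        last_seen[user] = max(last_seen.get(user, ts), ts)
    return sorted(u for u, ts in last_seen.items() if now - ts > limit)
```

Flagged events are the ones to route to the user for confirmation, which ties in with encouraging users to report anything they do not recognise.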

You can also mitigate the risk of compromised accounts by using MFA, which will make a compromised password less useful to an attacker. Some MFA methods (such as SMS or email notifications) can even warn the user that they have been compromised, as they will receive a code when they did not request it. If you are using this form of MFA, you should encourage users to report this behaviour through your training.

Note: Users must change their password when you know (or suspect) it has been compromised.

Managing shared access

Sharing work accounts, or even occasional use by anyone other than the account holder, introduces a number of risks. As well as the possibility of users gaining access to unauthorised resources, sharing accounts negates the benefit of authenticating a specific user. In particular, the ability to audit and monitor a specific user’s actions is lost, an essential forensic requirement for some accounts.

If passwords are being shared, try to find alternative solutions that support the business need for sharing. For example, many accounts will have a way to delegate privileges to another account (such as access to a document or inbox). Delegation should be used instead of sharing accounts wherever possible.

If alternatives are not possible, and there remains a strong business need for shared access to an account or device, then access to the password should be monitored and continually reviewed to manage the risk:

  • the password should only be shared within the smallest possible group of known and trusted users
  • the password should not be exposed to users who do not have permission to access it
  • if someone is no longer allowed access, the password should be changed

Some password managers allow users to share passwords in a more secure way (for example, they can audit access to the password and automatically sync password changes). If you have a business need to share a password, then consider using a password manager to do this.

In summary

  • Users have a whole suite of passwords to manage, not just yours.
  • Allow users to securely store their passwords.
  • Only ask users to change their passwords on indication or suspicion of compromise.
  • Use delegation tools instead of password sharing.
  • Where there's a pressing business requirement to share passwords, use additional controls to provide the required oversight.

Original article: https://www.cnblogs.com/chucklu/p/15498338.html