Password advice is changing
CESG and CPNI are two UK Government agencies focussing on helping the UK to improve its defences against cyber and other attacks on our data, information and infrastructure. Together they have produced a document, 'Password Guidance', which aims to help businesses and organisations simplify their approach to passwords. There is further information about CESG & CPNI below.
The guidance paper acknowledges the everyday challenge users face in remembering passwords, often long ones, for the many different systems they wish to access. It offers a number of tips, summarised as follows:
- Change all default passwords - this includes software and system devices, especially Internet-facing systems such as firewalls.
- Help users cope with password overload - use technology to reduce the burden.
- Understand the limitations of user-generated passwords - provide training on how to create passwords and consider machine-generated passwords.
- Understand that machine-generated passwords have limitations too - they can be too complex to remember, but alternatives can work.
- Prioritise administrator and remote user accounts - given the privileges and vulnerabilities of these accounts respectively, extra attention is required.
- Use account lockout and protective monitoring - these can reduce the success of hackers.
- Don't store passwords as plain text - this is still very prevalent and allows access on a larger scale if breached.
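The last two tips, shown as an added example that is not part of the guidance or of this article: a small credential store that keeps only salted PBKDF2 hashes, locks an account after repeated failures and records each event for monitoring. The class name, thresholds and iteration count are assumptions chosen for illustration.

```python
import hashlib, hmac, os, time

# Assumed values for illustration; the article does not specify any.
MAX_FAILURES = 5        # failed attempts before lockout
LOCKOUT_SECONDS = 900   # how long a lockout lasts
ITERATIONS = 600_000    # PBKDF2-HMAC-SHA256 work factor

class CredentialStore:  # hypothetical name
    def __init__(self, clock=time.monotonic):
        self._users = {}     # username -> (salt, derived key); never the password
        self._failures = {}  # username -> (count, time of last failure)
        self.events = []     # feed for protective monitoring
        self._clock = clock

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)  # per-user salt: equal passwords give different hashes
        self._users[username] = (salt, self._derive(password, salt))

    def is_locked(self, username):
        count, last = self._failures.get(username, (0, 0.0))
        return count >= MAX_FAILURES and self._clock() - last < LOCKOUT_SECONDS

    def verify(self, username, password):
        if self.is_locked(username):
            self.events.append(("locked_out", username))
            return False
        # Unknown users still cost one derivation, so timing does not reveal them.
        salt, stored = self._users.get(username, (b"\x00" * 16, b""))
        if hmac.compare_digest(self._derive(password, salt), stored):
            self._failures.pop(username, None)
            return True
        count, _ = self._failures.get(username, (0, 0.0))
        if count >= MAX_FAILURES:  # previous lockout has expired, start counting again
            count = 0
        self._failures[username] = (count + 1, self._clock())
        self.events.append(("failed_login", username))
        return False
```

While an account is locked, even the correct password is refused, and the `locked_out` events give monitoring a signal that guessing is under way.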
The full name of CESG (Communications Electronics Security Group) is not that helpful in understanding what the group does, which is to help ensure that the UK:
- can secure Government interactions online with citizens, as part of the UK Government Digital Strategy
- has the capability and capacity needed to manage cyber security risks
- can maintain UK sovereignty by protecting sensitive material from hostile threats
- has a resilient national infrastructure
CPNI stands for the Centre for the Protection of National Infrastructure.