How to strengthen your charity’s access control using a password policy and multi-factor authentication

Nov 16, 2023 | Cyber Essentials

Between the 6th and the 17th of November 2023, IASME will be working closely with the National Cyber Security Centre and participating Certification Bodies to educate charities about the cyber threat they face and to inform them about the benefits of Cyber Essentials. A package of support, advice and guidance has been put together along with a discount to the price of Cyber Essentials certification for registered charities to help them achieve Cyber Essentials.

One of the most common ways criminals gain unauthorised access to our information is to guess, steal or brute force our passwords. In this guidance piece, we explore how best to reduce this risk with a comprehensive and organisation-wide password policy and by enabling MFA.

Staff hate passwords

Password fatigue
A password is the access key to almost every digital device and online account you use. In today’s digital world, the average person has between 70-130 online accounts that require passwords.

Each password is supposed to be unique, long, and not linked to the details about your life (guessable). What’s more, we are told to store them securely, not to tell anyone and to change them if we suspect someone knows them.

Although, much welcomed technology is being developed that will one day cast the need for passwords into the history books, it is not yet widely available and it is still necessary for all organisations including charities to have good password hygiene backed up by policies and controls.

Please note that a written password policy is not an acceptable substitute for the Cyber Essentials controls. There needs to be technical measures in place to meet the requirements of the scheme.

Criminals love passwords

Stealing personal information such as usernames and passwords, bank account details and credit card numbers is incredibly profitable for criminals. They can send fraudulent emails from your account, make fraudulent purchases from your credit card, use your identity to take out loans and open new accounts and go on to launch other attacks against you. Criminals also profit from disrupting or re-routing websites, illegally tracking users and selling stolen credentials to other criminals. With the rise of online accounts, criminals have realised that they need to get hold of passwords to gain access to accounts and they have become very proficient at password harvesting.

The master plan for many cyber criminals is to discover as many passwords as they can in the shortest amount of time and then use computers to try matching passwords and user names on as many accounts as they can at the same time. According to Breach Alarm, 1 million passwords are stolen every week.

Attack proof your passwords

Based on the ways that we know attackers get your passwords, the following simple controls will help make the passwords used to access your charity data and services more resilient to cyber attack.

Have a clear password policy that applies to everyone in your organisation including volunteers, trustees and contractors.
This should include:

  • How to create good passwords using three random words or a random generated password created by a password manager. (Your password policy will specify which one and how to use it).

  • Accounts protected by a password alone need to ensure that the password has at least 12 characters (with no maximum length).

  • If an account has the additional protection of multi-factor authentication (MFA), the password needs to be at least 8 characters long with no maximum length.

  • Accounts that do not have MFA enabled, need to also use a deny list to automatically block users from picking the most common passwords, (which are likely to appear on the list for a password spray attack).

  • There needs to be an established process to change passwords promptly if a user knows or suspects the password or account has been compromised.

  • Enable MFA on all administrator accounts and all accounts (user and administrator) that are accessible from the internet (cloud services)

Multi-factor authentication (MFA) requires the user to have one or more types of credentials in addition to a password, before being able to access an account.
Organisations have a choice of common methods that they can use for multi-factor authentication:

  • A trusted device: MFA techniques that use a trusted device can rely on the knowledge that a user possesses a specific device (e.g a company computer) to prove they are who they say they are.

Organisations can configure cloud services to only accept authentication attempts from within their trusted enterprise networks. This ensures that users can only authenticate if they are either directly connected to that trusted network or have remote access to it over a virtual private network (VPN). In addition, or as an alternative to using a VPN, remote workers would be able to access online services only on trusted devices that are managed by the organisation.

  • An application: An authenticator app generates a single-use password that changes every minute. Alternatively, an app can receive push notifications that prompts the user to confirm or deny that they are currently trying to log in to a named service.

  • A physically separate token: These techniques use the knowledge that a user has a physical security token, which proves they are who they say they are. Some types will require the user to unlock them before use, others just require proof of possession.

Examples of physically separate tokens are FIDOuniversal2nd factor authenticators such as YubiKey, Smartcards that are unlocked by a PIN code, and devices such as RSA tokens and chip-and-PIN card readers which generate a single-use code each time a user logs in.

  • A known trusted account: These techniques send codes to a registered email address or phone number.

The service sends an SMS message containing a single-use code or makes a voice call in which a single-use code is read out to the phone number registered for that user. An SMS message is not the most secure type of MFA, but still offers a huge advantage over not using any MFA. Alternatively the service will email a single-use code to an address registered for that user. A code for the user to type in is preferrable to a clickable link, as it is difficult for a user to distinguish between a legitimate email and a phishing email.

Turn on multi- factor authentication.
However an attacker acquires your password, if you have MFA enabled, this will be your safeguard. As soon as the account asks for the MFA, the attacker will be thwarted and unable to access. It makes sense to turn on MFA for as many accounts as you can where available.
Based on studies conducted by Microsoft, your account is more than 99.9% less likely to be compromised if you use MFA.