In this blog on World Password Day, we bring together the essentials of good password practice as outlined in the Cyber Essentials requirements.
We hate passwords
Password fatigue
A password is still, on the whole, the access key to almost every digital device and online account you use, and the average person has between 70 and 130 online accounts that require passwords.
Each password should be unique, long, and not linked to details about your life (which would make it guessable). What’s more, we have to store them securely, never share them with anyone, and change them if we suspect someone else knows them.
Although passwordless technology is on the horizon, its adoption will be gradual. So, for now, it is still essential for all organisations to have good password hygiene backed up by policies and controls.
Criminals love passwords
Stealing personal information such as usernames and passwords, bank account details and credit card numbers is incredibly profitable for criminals. They can send fraudulent emails from your account, make fraudulent purchases from your credit card, use your identity to take out loans and open new accounts and go on to launch other attacks against you. Criminals also profit from disrupting or re-routing websites, illegally tracking users and selling stolen credentials to other criminals.
The master plan for many cyber criminals is to discover as many passwords as they can in the shortest amount of time, and then use computers to try matching passwords and usernames against as many accounts as they can at the same time. According to Breach Alarm, 1 million passwords are stolen every week.
Attack-proof your passwords
Based on the ways that we know attackers get your passwords, the following simple controls will help make the passwords used to access your data and services more resilient to cyber attack.
Have a clear password policy that applies to everyone in your organisation including volunteers and contractors.
This should include:
- How to create good passwords, using either three random words or a randomly generated password created by a password manager. (Your password policy will specify which one and how to use it.)
- Accounts protected by a password alone must use a password of at least 12 characters (with no maximum length).
- If an account has the additional protection of multi-factor authentication (MFA), the password needs to be at least 8 characters long, again with no maximum length.
- Accounts that do not have MFA enabled must also use a deny list to automatically block users from picking the most common passwords (these are likely to be at the top of the list of passwords that criminals try when breaking into your account).
- There needs to be an established process to change passwords promptly if a user knows or suspects the password or account has been compromised.
- Enable MFA on all administrator accounts and all accounts (user and administrator) that are accessible from the internet (cloud services).
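As an added example (not code from the original post or from the Cyber Essentials scheme itself), the following Python check applies the password rules listed above: a 12-character minimum without MFA, an 8-character minimum with MFA, no maximum length, and a deny list of common passwords for accounts without MFA. The deny-list entries and the function names are constructed for illustration only.

```python
"""Password-policy check modelled on the Cyber Essentials rules described above.

Rules applied: 12+ characters without MFA, 8+ characters with MFA, no maximum
length, and a deny list of common passwords for accounts without MFA.
"""
from dataclasses import dataclass, field

# Constructed sample deny list for illustration; a real deployment would load
# a much longer list of commonly used and previously breached passwords.
SAMPLE_DENY_LIST = {"password", "password123", "qwerty", "123456789012", "letmein"}

MIN_LENGTH_WITHOUT_MFA = 12
MIN_LENGTH_WITH_MFA = 8


@dataclass
class PolicyResult:
    """Outcome of a policy check: accepted flag plus the reasons for rejection."""
    accepted: bool
    reasons: list[str] = field(default_factory=list)


def normalise(password: str) -> str:
    """Deny-list matching is case-insensitive so 'Password' is still blocked."""
    return password.strip().lower()


def check_password(password: str, mfa_enabled: bool,
                   deny_list: set[str] = SAMPLE_DENY_LIST) -> PolicyResult:
    """Return whether the candidate password meets the policy, with reasons."""
    reasons: list[str] = []
    minimum = MIN_LENGTH_WITH_MFA if mfa_enabled else MIN_LENGTH_WITHOUT_MFA
    if len(password) < minimum:
        reasons.append(f"too short: {len(password)} < {minimum} required "
                       f"({'with' if mfa_enabled else 'without'} MFA)")
    # No maximum length is enforced, as the policy requires.
    # The deny list is mandatory only for accounts without MFA; applying it
    # to every account is a reasonable hardening step beyond the minimum.
    if not mfa_enabled and normalise(password) in deny_list:
        reasons.append("appears on the deny list of common passwords")
    return PolicyResult(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    for pw, mfa in [("password", False), ("correct-horse-battery", False),
                    ("Tr0ub4dor", True), ("Tr0ub4dor", False),
                    ("123456789012", False)]:
        result = check_password(pw, mfa)
        verdict = "ok" if result.accepted else "; ".join(result.reasons)
        print(f"{pw!r:25} mfa={str(mfa):5} -> {verdict}")
```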
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) is also known as 2-step verification (2SV) or two-factor authentication (2FA). Accounts that have been set up with MFA require the user to provide a second factor, which is something that only the user can access. The second factor can include:
- PIN codes or a string of characters, often sent to the user via SMS or email
- a security token that the user must physically connect to their device (such as via USB)
- biometric details (such as a fingerprint scan, or facial recognition)
- an app on a trusted device (such as those provided by Microsoft or Google)
Turn on multi-factor authentication
However an attacker acquires your password, if you have MFA enabled, this will be your safeguard. As soon as the account asks for the second factor, the attacker will be thwarted and unable to gain access. It makes sense to turn on MFA for as many accounts as you can.
Based on studies conducted by Microsoft, your account is more than 99.9% less likely to be compromised if you use MFA.
Read the NCSC guidance about trusted authentication methods
The annually renewable Cyber Essentials certification scheme represents a minimum baseline of cyber security for organisations of all sizes. The scheme consists of five technical controls that will reduce the impact of common cyber attack approaches by up to 80%.