The perfect password includes MFA

May 2, 2024 | Cyber Essentials

In this blog on World Password Day, we bring together the essentials of good password practice as outlined in the Cyber Essentials requirements.

We hate passwords

Password fatigue
A password is still, on the whole, the access key to almost every digital device and online account you use and the average person has between 70-130 online accounts that require passwords.

Each password should be be unique, long, and not linked to the details about your life (guessable). What’s more, we have to store them securely, not to tell them to anyone and to change them if we suspect someone knows them.

Although passwordless technology is on the horizon, its adoption will be gradual. So, for now, it is still essential for all organisations to have good password hygiene backed up by policies and controls.

Criminals love passwords

Stealing personal information such as usernames and passwords, bank account details and credit card numbers is incredibly profitable for criminals. They can send fraudulent emails from your account, make fraudulent purchases from your credit card, use your identity to take out loans and open new accounts and go on to launch other attacks against you. Criminals also profit from disrupting or re-routing websites, illegally tracking users and selling stolen credentials to other criminals.

The master plan for many cyber criminals is to discover as many passwords as they can in the shortest amount of time and then use computers to try matching passwords and user names on as many accounts as they can at the same time. According to Breach Alarm, 1 million passwords are stolen every week.

Attack-proof your passwords

Based on the ways that we know attackers get your passwords, the following simple controls will help make the passwords used to access your data and services more resilient to cyber attack.

Have a clear password policy that applies to everyone in your organisation including volunteers and contractors.
This should include:

  • How to create good passwords using three random words or a random generated password created by a password manager. (Your password policy will specify which one and how to use it).

  • Accounts protected by a password alone need to ensure that the password has at least 12 characters (with no maximum length).

  • If an account has the additional protection of multi-factor authentication (MFA), the password needs to be at least 8 characters long with no maximum length.

  • Accounts that do not have MFA enabled, need to also use a deny list to automatically block users from picking the most common passwords, (these are likely to be top of the list of passwords the criminals try to break into your account).

  • There needs to be an established process to change passwords promptly if a user knows or suspects the password or account has been compromised.

  • Enable MFA on all administrator accounts and all accounts (user and administrator) that are accessible from the internet (cloud services).

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) is also known as 2-step verification (2SV) or two-factor authentication (2FA). Accounts that have been set up with MFA require the user to provide a second factor, which is something that only the user can access. The second factor can include:

  • PIN codes or a string of characters, often sent to the user via SMS or email

  • a security token that the user must physically connect to their device (such as via USB)

  • biometric details (such as a fingerprint scan, or facial recognition)

  • an app on a trusted device (such as those provided by Microsoft or Google)

Turn on multi-factor authentication
However an attacker acquires your password, if you have MFA enabled, this will be your safeguard. As soon as the account asks for the MFA, the attacker will be thwarted and unable to access. It makes sense to turn on MFA for as many accounts as you can.
Based on studies conducted by Microsoft, your account is more than 99.9% less likely to be compromised if you use MFA.

Read the NCSC guidance about trusted authentication methods

The annually renewable Cyber Essentials certification scheme represents a minimum baseline of cyber security for organisations of all sizes. The scheme consists of five technical controls that will reduce the impact of common cyber attack approaches by up to 80%.