The most significant weakness in any security system is often one of the most basic elements of security - user passwords. In the longer term, passwords will eventually disappear when alternative approaches such as biometrics are more widely supported and embedded. However, for now at least, it is usernames and passwords which are still by far the most common means of verifying a user's identity when accessing an online service.

An online service can promote, or even mandate, good security practice, but users also have a responsibility to protect themselves. Schools too have an additional responsibility to help their students understand the risks of using online services, and to encourage them to both use those services appropriately, and to follow best practice, in order to protect themselves as much as possible.

Promoting good security practice isn't helped, however, by lots of different and sometimes conflicting guidance about how to choose a good password, or how systems should behave to encourage good security practice by their users. On a protected network, the risks from weak or non-existent passwords can perhaps be limited through good network security, but with cloud-based services accessed over the internet, strong passwords are essential to minimise the risk of accounts being compromised. An identity and access management platform like RM Unify helps to make access to online services easier, but also secure. RM Unify avoids the need for users to remember lots of individual passwords, which inevitably leads to simple, weak passwords, or the same password being reused across multiple services. Where only one password is required, it is more realistic to expect users to choose and remember a strong password!

In RM Unify we follow a number of principles about how to treat passwords, which we believe will help to encourage good practice by users in schools and colleges:

  • We use a password complexity analyser based on real world hacker techniques to understand how crackable a password is, rather than applying arbitrary rules such as enforcing minimum length, or requiring special characters, which can still allow very weak passwords like 'p0ssw0rd' or 'P@ssword'. The analyser we use considers dictionaries of commonly used passwords and previously leaked passwords, and is aware of common substitutions, such as $ for S, and @ for a, as well as keyboard spatial patterns, such as 'qwerty'.
  • We set minimum crack-time thresholds, and encourage more complex passwords with a visual complexity meter to help users to understand the difference between weak and strong passwords.
  • We also don't enforce password expiry. Password expiry might seem like a good idea, but the evidence shows that changing passwords regularly does not improve security. If password expiry is enforced, users typically take one of two approaches:
    1. they will increment a sequence number on the end of a fixed password, or
    2. they choose a new, simple password.
    Enforcing new passwords increases the likelihood of people forgetting their passwords, writing passwords down, and having to recover passwords more frequently, because they are often changing. The impact of this can be increased opportunity for social engineering and phishing attempts, as more 'reset your password' emails are received.
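The difference between rule-based checks and a pattern-aware analyser can be shown with a short sketch. This is an added example, not RM Unify's analyser or code from RM; the tiny word lists, the attacker word-list size, the guess rate and the one-hour threshold are all assumed values chosen for illustration.

```python
import re

# Constructed stand-ins: a real analyser loads large common/leaked password lists.
COMMON = ["password", "letmein", "dragon", "monkey", "welcome"]
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
LEET = str.maketrans("@4$5031!7", "aassoeiit")   # undo common substitutions
WORDLIST_SIZE = 7776         # assumed size of the attacker's word list
GUESSES_PER_SECOND = 10_000  # assumed attacker guess rate
MIN_CRACK_SECONDS = 3600     # assumed policy threshold (one hour)

def composition_rules_ok(pw):
    """The 'arbitrary rules' style of check: length plus character classes."""
    return (len(pw) >= 8 and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(not c.isalnum() for c in pw))

def estimate_guesses(pw):
    """Cheapest attack wins: return the lowest guess count of any model."""
    lower = pw.lower()
    plain = lower.translate(LEET)
    charset = (26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
               + 10 * any(c.isdigit() for c in pw) + 33 * any(not c.isalnum() for c in pw))
    candidates = [charset ** len(pw)]                      # brute force
    if plain in COMMON:                                    # dictionary + variants
        variants = (2 if pw != lower else 1) * (2 if lower != plain else 1)
        candidates.append((COMMON.index(plain) + 1) * variants)
    if len(lower) >= 4 and any(lower in r or lower[::-1] in r for r in KEYBOARD_ROWS):
        # keyboard run: start key x run length x direction
        candidates.append(sum(len(r) for r in KEYBOARD_ROWS) * 10 * 2)
    words = re.split(r"[ _-]", pw)
    if len(words) >= 2 and all(w.isalpha() and w.islower() for w in words):
        candidates.append(WORDLIST_SIZE ** len(words))     # random-word passphrase
    return min(candidates)

def crack_seconds(pw):
    return estimate_guesses(pw) / GUESSES_PER_SECOND

def acceptable(pw):
    return crack_seconds(pw) >= MIN_CRACK_SECONDS

if __name__ == "__main__":
    for pw in ["P@ssword", "qwerty", "jade_walk", "clap cow orange"]:
        print(f"{pw!r:20} rules_ok={composition_rules_ok(pw)!s:5} "
              f"guesses={estimate_guesses(pw):,} acceptable={acceptable(pw)}")
```

'P@ssword' satisfies the composition rules yet falls to a handful of guesses, while 'clap cow orange' fails the same rules and still clears the crack-time threshold.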

One of the best ways to choose a strong but memorable password is to use a passphrase. At least two, or preferably three, random words separated with a space or symbol, for example 'jade_walk' or 'clap cow orange', will be hard to crack but easier to remember than a single character string. Please do not use either of these examples as your password!

We are also looking at allowing individual schools and colleges more control over their password strength policy in future, with the option to increase the complexity level required for different user roles. We would also provide the ability to set different password strength requirements for different student year groups, making it easier to encourage better practice as students move up through the school system. You can see more details of our plans for new features on the RM Unify Roadmap. We also have the option here for you to put forward your own ideas for our future development of RM Unify.

For high-level access roles and key applications, we also strongly recommend that our customers enforce multi-factor authentication (MFA) to apply an additional level of security. These earlier blog posts provide more detail about the RM Unify MFA solution:

https://www.rm.com/blog/2018/may/rm-unify-release-v3-40

https://www.rm.com/blog/2018/june/rm-unify-multi-factor-authentication-and-connected-apps


For further reference, the UK Government National Cyber Security Centre, NCSC (formerly CESG), is one of the best sources of up-to-date advice on good security practices:

https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0

https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry

