The Leading News & Information Service For The Facilities, Workplace & Built Environment Community

Learning To Be Tough On Weak Passwords

East Ayrshire Council has implemented a password policy for 6,000 employees that range from support services to social workers
27 June 2019

East Ayrshire Council has blocked weak passwords after an annual audit revealed their 6,000 employees were leaving the organisation open to cyber threat.

It was 2017 when the council first started to take action to block common and vulnerable passwords. East Ayrshire implemented a Specops Password Policy to enforce stronger passwords and customise a password dictionary list.

A 2017 audit had shown that many users were using common passwords such as Password1, Initial1 and Summer17. They were also selecting easy-to-guess passwords containing the names of local football teams (Kilmarnock, Celtic and Rangers etc).

There was also a short password expiration period of 45 days, so users were even resorting to adding a number at the end of their previous password in order to update it.

“We had a problem with weak passwords and the Active Directory password policy settings didn’t allow us to block common words,” says Ian Aston, ICT Security Manager at the council.

“We were familiar with Specops Software and quickly set up a demo to review the Specops Password Policy software.”


Stop reuse

In addition to blocking high-probability passwords, the council wanted to use password expiration without encouraging password reuse and incremental passwords. Support for passphrases was seen as a desirable feature in the password enforcing software.

The council created a custom list of banned passwords containing the most common passwords and the weak passwords revealed by the audit. Adding this to the software made it possible to stop all of these words from being chosen when setting a password. They also used the feature in Specops Password Policy to stop incremental passwords.

The implementation was carried out over eight weeks, starting with the IT staff before enabling it for all users. To prepare the council employees for the new password policy, Ian Aston and his team sent an email explaining the new policy with screenshots of the error messages a user would get if they chose a password on the customised dictionary list.

“We installed the Authentication Client on all of our endpoints so that our users would get the messages should they fail to choose a strong password,” Aston said. “The feature is very helpful, making the implementation process very smooth. We only received a couple of calls to the helpdesk with questions.”



Now that users are aware of password security, Aston is looking to enforce passphrases. These longer passwords would stand up to brute force attacks better. Aston may also extend the expiration period so that users will not need to reset their passphrases as frequently.

For the passphrase rollout Aston is planning user communication in the form of end user security training, emails and desktop alerts. Training is underway to give the users suggestions for how to come up with a secure passphrase that is easy to remember but hard to crack.

Picture: East Ayrshire Council has implemented a password policy for 6,000 employees that range from support services to social workers.

Article written by Brian Shillibeer | Published 27 June 2019


Related Articles

123456 - 23.2 Million Cyber Victims Used This Password

The most hacked passwords have been revealed as a UK cyber survey exposes gaps in online security with global breach analysis finding 23.2 million victims used 123456 as...

 Read Full Article
Callow Youth Blamed for Security Breaches

Younger employees have been identified as the main culprits for security breaches in the workplace in a study by Centrify of UK senior decision makers and...

 Read Full Article
Reported Ransomware Incidents in UK Doubled in 2023

A Freedom of Information request has revealed that there was a resurgence in ransomware-related incidents following a quieter 2022.   In the first six months...

 Read Full Article
Spotlight Interview – Francis West | Security Everywhere

Francis West is CEO of Security Everywhere, a company which helps SMEs to secure their money, data and reputation with managed security services. Francis is a trusted...

 Read Full Article
Interserve Fined £4.4m for Failure to Keep Staff Details Secure

The UK’s IT security watchdog has fined Interserve for breaching data protection law and failing to prevent a cyber attack. The Information Commissioner’s...

 Read Full Article
How to Identify and Address IoT Security Weaknesses

Data-driven facilities management is now the expected norm, but security concerns about IoT systems still remain amongst FMs and tenants. The Internet of Things (IoT)...

 Read Full Article
NHS IT Services Supplier Victim of Ransomware Attack

It has been confirmed that a ransomware attack is causing a major outage for NHS IT systems. Services affected include software used by NHS 111 and other patient notes...

 Read Full Article
Smart Buildings at Increased Risk of Cyber Attacks, Says Verdantix

The operational technology that powers connected devices across building systems is providing more entry points for cyber criminals to exploit, says research and advisory...

 Read Full Article
BESA Tightens Security After Fraud Incident

The Building Engineering Services Association (BESA) says it has carried out a thorough review of the security procedures behind its online training schemes...

 Read Full Article
Critical Log4j Vulnerabilities Affect Real Estate Software

Critical vulnerabilities in open-source software pose potential risks for a wide range of businesses, governments and individuals. Log4shell, the vulnerability...

 Read Full Article