Learning To Be Tough On Weak Passwords

East Ayrshire Council has implemented a password policy for 6,000 employees who range from support services to social workers
27th June 2019

East Ayrshire Council has blocked weak passwords after an annual audit revealed that its 6,000 employees were leaving the organisation open to cyber threats.

The council first started to take action to block common and vulnerable passwords in 2017. East Ayrshire implemented Specops Password Policy to enforce stronger passwords and customise a password dictionary list.

A 2017 audit had shown that many users were using common passwords such as Password1, Initial1 and Summer17. They were also selecting easy-to-guess passwords containing the names of local football teams (Kilmarnock, Celtic, Rangers, etc.).

The password expiration period was also short, at 45 days, so users were resorting to adding a number at the end of their previous password in order to update it.

“We had a problem with weak passwords and the Active Directory password policy settings didn’t allow us to block common words,” says Ian Aston, ICT Security Manager at the council.

“We were familiar with Specops Software and quickly set up a demo to review the Specops Password Policy software.”


Stop reuse

In addition to blocking high-probability passwords, the council wanted to use password expiration without encouraging password reuse and incremental passwords. Support for passphrases was seen as a desirable feature in the password-enforcing software.

The council created a custom list of banned passwords containing the most common passwords and the weak passwords revealed by the audit. Adding this to the software made it possible to stop all of these words from being chosen when setting a password. They also used the feature in Specops Password Policy to stop incremental passwords.
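The two checks described above can be sketched as follows. This is an example added here, not Specops Password Policy code or the council's configuration: the word list is constructed from the examples the article quotes, the function names and the character-substitution table are assumptions, and the old password is assumed to be available because the user enters it when changing it.

```python
import re
from typing import List, Optional

# Constructed sample list: base words of the weak passwords the article quotes.
BANNED_WORDS = {"password", "initial", "summer", "kilmarnock", "celtic", "rangers"}

# Common character substitutions undone before matching (assumption of this example).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "@": "a", "$": "s", "!": "i"})


def base_form(password: str) -> str:
    """Lower-case and drop trailing digits/symbols, e.g. 'Summer17' -> 'summer'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def banned_word_in(password: str) -> Optional[str]:
    """Return the banned word contained in the password, or None."""
    lowered = password.lower()
    candidates = (lowered, lowered.translate(LEET))
    for word in sorted(BANNED_WORDS):
        if any(word in candidate for candidate in candidates):
            return word
    return None


def is_incremental(old: str, new: str) -> bool:
    """True when old and new differ only in their trailing digits/symbols."""
    old_base = base_form(old)
    return bool(old_base) and old_base == base_form(new)


def check_change(old: str, new: str) -> List[str]:
    """Return the reasons a change is rejected; an empty list means accepted."""
    reasons = []
    word = banned_word_in(new)
    if word:
        reasons.append(f"contains banned word '{word}'")
    if is_incremental(old, new):
        reasons.append("only the trailing characters changed from the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed test inputs, not real credentials.
    for old, new in [("Winter16", "Summer17"), ("Hillwalker7!", "Hillwalker8!"),
                     ("Hillwalker7!", "quiet harbour lantern drift")]:
        print(new, "->", check_change(old, new) or "accepted")
```

Substring matching rejects any password that merely contains a listed word, so short or common words added to the list will also block unrelated passphrases.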

The implementation was carried out over eight weeks, starting with the IT staff before enabling it for all users. To prepare the council employees for the new password policy, Ian Aston and his team sent an email explaining the new policy with screenshots of the error messages a user would get if they chose a password on the customised dictionary list.

“We installed the Authentication Client on all of our endpoints so that our users would get the messages should they fail to choose a strong password,” Aston said. “The feature is very helpful, making the implementation process very smooth. We only received a couple of calls to the helpdesk with questions.”



Now that users are aware of password security, Aston is looking to enforce passphrases. These longer passwords would stand up better to brute-force attacks. Aston may also extend the expiration period so that users will not need to reset their passphrases as frequently.

For the passphrase rollout, Aston is planning user communication in the form of end-user security training, emails and desktop alerts. Training is underway to give users suggestions on how to come up with a secure passphrase that is easy to remember but hard to crack.

Article written by Brian Shillibeer – published 27th June 2019