The Leading News & Information Service For The Facilities, Workplace & Built Environment Community

Friday, 20 September

Learning To Be Tough On Weak Passwords

East Ayrshire Council has implemented a password policy for 6,000 employees that range from support services to social workers

East Ayrshire Council has blocked weak passwords after an annual audit revealed their 6,000 employees were leaving the organisation open to cyber threat.

It was 2017 when the council first started to take action to block common and vulnerable passwords. East Ayrshire implemented a Specops Password Policy to enforce stronger passwords and customise a password dictionary list.

A 2017 audit had shown that many users were using common passwords such as Password1, Initial1 and Summer17. They were also selecting easy-to-guess passwords containing the names of local football teams (Kilmarnock, Celtic and Rangers etc).

There was also a short password expiration period of 45 days, so users were even resorting to adding a number at the end of their previous password in order to update it.

“We had a problem with weak passwords and the Active Directory password policy settings didn’t allow us to block common words,” says Ian Aston, ICT Security Manager at the council.

“We were familiar with Specops Software and quickly set up a demo to review the Specops Password Policy software.”


Stop reuse

In addition to blocking high-probability passwords, the council wanted to use password expiration without encouraging password reuse and incremental passwords. Support for passphrases was seen as a desirable feature in the password enforcing software.

The council created a custom list of banned passwords containing the most common passwords and the weak passwords revealed by the audit. Adding this to the software made it possible to stop all of these words from being chosen when setting a password. They also used the feature in Specops Password Policy to stop incremental passwords.

The implementation was carried out over eight weeks, starting with the IT staff before enabling it for all users. To prepare the council employees for the new password policy, Ian Aston and his team sent an email explaining the new policy with screenshots of the error messages a user would get if they chose a password on the customised dictionary list.

“We installed the Authentication Client on all of our endpoints so that our users would get the messages should they fail to choose a strong password,” Aston said. “The feature is very helpful, making the implementation process very smooth. We only received a couple of calls to the helpdesk with questions.”



Now that users are aware of password security, Aston is looking to enforce passphrases. These longer passwords would stand up to brute force attacks better. Aston may also extend the expiration period so that users will not need to reset their passphrases as frequently.

For the passphrase rollout Aston is planning user communication in the form of end user security training, emails and desktop alerts. Training is underway to give the users suggestions for how to come up with a secure passphrase that is easy to remember but hard to crack.

Picture: East Ayrshire Council has implemented a password policy for 6,000 employees that range from support services to social workers.

Article written by Brian Shillibeer


Related Articles

123456 - 23.2 Million Cyber Victims Used This Password

The most hacked passwords have been revealed as a UK cyber survey exposes gaps in online security with global breach analysis finding 23.2 million victims used 123456 as...

 Read Full Article
Who Is The Weakest Link?

According to Sophos, 70% of internet users have the same password for almost all the web services they use - and there are groups of businesses and individuals who are...

 Read Full Article
Callow Youth Blamed for Security Breaches

Younger employees have been identified as the main culprits for security breaches in the workplace in a study by Centrify of UK senior decision makers and...

 Read Full Article
Councils Can Apply For Digital Funding To Boost Services

Councils looking to improve public services through innovative uses of digital technology can apply for funding, Local Government Minister Luke Hall MP has...

 Read Full Article
147 Dead - 2018/19 Fatal Injury Stats Released

July 3 saw the HSE release their annual provisional workplace fatality figures for 2018/19. 147 workers died between April 2018 and March 2019 (a rate of 0.45 per...

 Read Full Article
Great British Spring Clean & National High Street Perfect Day

Councils across England will receive a share of £9.75 million to back their efforts to spruce up high streets - and every local authority in England is guaranteed...

 Read Full Article
Anatomy Of A Cyber Attack

The cyber attack on the global heavy manufacturing sites of Norsk Hydro saw the aluminium producer lose over £25.5 million in under a week. Here we detail three...

 Read Full Article
Global Ali Producer Shut Down By Cyber Hack

A major global aluminium producer with multiple sites, including furnaces, has been the victim of a major and malicious cybersecurity attack. A lack of ability to connect...

 Read Full Article
The £1.9 Billion Cost Of Retail Crime

The combined cost of spending on crime prevention and losses from crime to the retail industry is a staggering £1.9 billion according to the annual British Retail...

 Read Full Article
Attack On Critical National Infrastructure Imminent

Over half of the respondents to a survey have said they believe an attack on critical national infrastructure is imminent. Most respondents also think the convergence...

 Read Full Article