The Leading News & Information Service For The Facilities, Workplace & Built Environment Community

Learning To Be Tough On Weak Passwords

East Ayrshire Council has implemented a password policy for 6,000 employees that range from support services to social workers
27 June 2019

East Ayrshire Council has blocked weak passwords after an annual audit revealed their 6,000 employees were leaving the organisation open to cyber threat.

It was 2017 when the council first started to take action to block common and vulnerable passwords. East Ayrshire implemented a Specops Password Policy to enforce stronger passwords and customise a password dictionary list.

A 2017 audit had shown that many users were using common passwords such as Password1, Initial1 and Summer17. They were also selecting easy-to-guess passwords containing the names of local football teams (Kilmarnock, Celtic and Rangers etc).

There was also a short password expiration period of 45 days, so users were even resorting to adding a number at the end of their previous password in order to update it.

“We had a problem with weak passwords and the Active Directory password policy settings didn’t allow us to block common words,” says Ian Aston, ICT Security Manager at the council.

“We were familiar with Specops Software and quickly set up a demo to review the Specops Password Policy software.”


Stop reuse

In addition to blocking high-probability passwords, the council wanted to use password expiration without encouraging password reuse and incremental passwords. Support for passphrases was seen as a desirable feature in the password enforcing software.

The council created a custom list of banned passwords containing the most common passwords and the weak passwords revealed by the audit. Adding this to the software made it possible to stop all of these words from being chosen when setting a password. They also used the feature in Specops Password Policy to stop incremental passwords.

The implementation was carried out over eight weeks, starting with the IT staff before enabling it for all users. To prepare the council employees for the new password policy, Ian Aston and his team sent an email explaining the new policy with screenshots of the error messages a user would get if they chose a password on the customised dictionary list.

“We installed the Authentication Client on all of our endpoints so that our users would get the messages should they fail to choose a strong password,” Aston said. “The feature is very helpful, making the implementation process very smooth. We only received a couple of calls to the helpdesk with questions.”



Now that users are aware of password security, Aston is looking to enforce passphrases. These longer passwords would stand up to brute force attacks better. Aston may also extend the expiration period so that users will not need to reset their passphrases as frequently.

For the passphrase rollout Aston is planning user communication in the form of end user security training, emails and desktop alerts. Training is underway to give the users suggestions for how to come up with a secure passphrase that is easy to remember but hard to crack.

Picture: East Ayrshire Council has implemented a password policy for 6,000 employees that range from support services to social workers.

Article written by Brian Shillibeer | Published 27 June 2019


Related Articles

123456 - 23.2 Million Cyber Victims Used This Password

The most hacked passwords have been revealed as a UK cyber survey exposes gaps in online security with global breach analysis finding 23.2 million victims used 123456 as...

 Read Full Article
Callow Youth Blamed for Security Breaches

Younger employees have been identified as the main culprits for security breaches in the workplace in a study by Centrify of UK senior decision makers and...

 Read Full Article
Is Cybersecurity a Home Working Health and Safety Issue?

Bureau Veritas is urging businesses who are remote working to prioritise cybersecurity as a health and safety risk. As Britain looks set to embrace a long-term shift...

 Read Full Article
24% of Planners Say Smart Cities Will be a Security Challenge 

Urban design professionals believe that the use of smart technology in public spaces could pose a security threat. Smart city technology can bring a great many...

 Read Full Article
Amey IT Security Attack Still Unresolved

A “complex IT security incident” of Amey’s systems in December 2020 remains unresolved, meaning parts of their system are still offline. As stated on...

 Read Full Article
2021 New Year's Resolutions for Employers

As we prepare to wave goodbye to a difficult 2020, what positive changes as employers can we bring to the new year?   Join the Race at Work...

 Read Full Article
Cybersecurity – Are Smart Buildings and its Data Vulnerable to Malware Attacks?

As more and more of a building’s functions are automated and controlled via smart technology systems, has cybersecurity been an afterthought? In Boris...

 Read Full Article
Health Passports – The Future of Leisure and Travel?

As a British tech firm launches its secure five in one digital health passport, might this become the solution for reviving global economies? According to a...

 Read Full Article
Working Securely Online – Cyber Hygiene

With more people working on the internet outside of monitored business networks, the risks of compromising company and personal data are increased. Concentration is...

 Read Full Article
Interserve – The Latest

It was reported that in mid-May that Interserve was involved in a cyber attack, involving the theft of information on current and former Interserve...

 Read Full Article