Cyber Essentials Self Assessment: Password-Based Authentication

This security wiki provides guidelines for implementing password-based authentication practices within your organisation. Follow these recommendations to enhance the security of user accounts and protect against unauthorised access.

A7.10. Protection Against Brute-Force Password Guessing:

Describe the measures your organisation takes to protect user accounts from brute-force password guessing attacks. These measures may include implementing account lockouts after a certain number of unsuccessful login attempts, rate limiting login requests, or utilising CAPTCHA systems to prevent automated attacks.
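
The account lockout and rate-limiting measures named in A7.10, as an added Python example that is not part of the original wiki. `LoginGuard`, `replay`, the thresholds and the sample events are assumptions made for illustration; the example goes slightly beyond the text by keeping the rate limit per source, so that guesses spread across many accounts are limited as well.

```python
import time
from collections import defaultdict, deque

class LoginGuard:
    """Per-account lockout plus per-source rate limit, checked before the password is verified."""
    def __init__(self, max_failures=10, lockout_secs=900,
                 max_attempts=10, window_secs=300, clock=time.monotonic):
        # Default thresholds are illustrative assumptions; take yours from policy.
        self.max_failures, self.lockout_secs = max_failures, lockout_secs
        self.max_attempts, self.window_secs = max_attempts, window_secs
        self.clock = clock
        self._failures = defaultdict(int)    # account -> consecutive failed logins
        self._locked_until = {}              # account -> time the lockout ends
        self._attempts = defaultdict(deque)  # source -> timestamps of recent attempts

    def check(self, account, source):
        """Return 'ok', 'locked' or 'throttled'."""
        now = self.clock()
        if self._locked_until.get(account, now) > now:
            return "locked"
        recent = self._attempts[source]
        while recent and recent[0] <= now - self.window_secs:
            recent.popleft()                 # forget attempts older than the window
        if len(recent) >= self.max_attempts:
            return "throttled"               # one source guessing across many accounts
        recent.append(now)
        return "ok"

    def record(self, account, success):      # call after the password has been verified
        self._failures[account] = 0 if success else self._failures[account] + 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_secs
            self._failures[account] = 0      # fresh allowance once the lockout ends

def replay(events, **limits):
    now = [0.0]                              # fake clock so the replay is deterministic
    guard = LoginGuard(clock=lambda: now[0], **limits)
    decisions = []
    for t, account, source, password_ok in events:
        now[0] = t
        decision = guard.check(account, source)
        if decision == "ok":
            guard.record(account, password_ok)
        decisions.append(decision)
    return decisions

# Constructed events (seconds, account, source, password_ok); addresses are documentation ranges.
SRC = "203.0.113.5"
SAMPLE = ([(t, "alice", SRC, False) for t in range(4)]
          + [(4 + i, user, SRC, False) for i, user in enumerate(["bob", "carol", "dave"])]
          + [(7, "alice", "198.51.100.7", True), (63, "alice", "198.51.100.7", True)])
```

Replaying `SAMPLE` with `max_failures=3, lockout_secs=60, max_attempts=5, window_secs=10` shows the locked account refusing even a correct password from another source until the lockout ends, and the single source being throttled once it moves on to other accounts.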

A7.11. Technical Controls for Password Quality Management:

Specify the technical controls employed by your organisation to manage the quality of passwords used by users. This can include enforcing password complexity requirements (e.g., minimum length, mix of characters), implementing password expiration policies, and utilising password strength indicators to guide users towards creating strong passwords.

A7.12. Encouraging Unique and Strong Passwords:

Explain the strategies and practices your organisation employs to encourage users to create unique and strong passwords. This may involve providing guidelines on password complexity, conducting awareness training to educate users about password security best practices, or promoting the use of password managers to generate and securely store complex passwords.

A7.13. Process for Compromised Passwords or Accounts:

Describe the established process your organisation follows in the event of suspected or confirmed password or account compromise. This process should include prompt password changes for affected accounts and any additional steps taken to secure compromised accounts, such as monitoring for unauthorised activity or conducting incident investigations.

A7.14. Availability of Multi-Factor Authentication (MFA) in Cloud Services:

Answer "yes" or "no" to indicate whether all your cloud services offer multi-factor authentication (MFA) as a built-in feature. If yes, it is expected that MFA is enabled for all users and administrators. Consult the guidance provided by the National Cyber Security Centre (NCSC) for further information on implementing MFA.

A7.15. Cloud Services without MFA Option:

If any of your cloud services do not offer MFA as an option, provide a list of those services that currently lack MFA availability. It is recommended to explore alternative security measures for these services to compensate for the absence of MFA.

A7.16. MFA Applied to Cloud Service Administrators:

Specify whether multi-factor authentication (MFA) has been applied to all administrators of your cloud services. Applying MFA ensures that administrators must provide an additional authentication factor, such as a code from a mobile app or a hardware token, in addition to their password of at least 8 characters.

A7.17. MFA Applied to Cloud Service Users:

Indicate whether multi-factor authentication (MFA) has been applied to all users of your cloud services. This implementation requires users to authenticate using MFA in combination with a password of at least 8 characters, further securing their accounts.

Implementing robust password-based authentication practices, such as protecting against brute-force attacks, enforcing strong password requirements, and promoting the use of MFA, significantly enhances the security of user accounts and reduces the risk of unauthorised access.

Note: Organisations should adapt these guidelines to align with their specific requirements and consult with cybersecurity professionals for tailored advice related to password security and multi-factor authentication.
