Changes to epaPRO Password Policy

    In line with advice from the National Cyber Security Council (NCSC), we have updated the password policy within epaPRO to drop the requirement for particular character types, and we recommend that you use three random words, as this is much easier for users to remember and offers a balance between security and usability.


    Version 5.05.0 (07/02/23) amends our password validation to bring it in line with the NCSC guidelines (details can be found here: Password policy: updating your approach - NCSC.GOV.UK).

    Considering the above article, the following changes have been made to the epaPRO password policies:

    • Password minimum length has been increased from 8 to 12 characters.

    • Password maximum length has been increased from 30 to 1000 characters.

    • Requirements for upper case, lower case & special characters have been removed.

    • The Good Practice advice sent out with user creation / password reset emails has been reworded to remove some of the previously enforced rules, along with the addition of support for the “three random words” technique detailed in the NCSC guidance.
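    As an added illustration (not epaPRO's own code, and not its actual validator), the following Python models the two rule sets listed above side by side: the pre-5.05.0 policy (8 to 30 characters, upper case, lower case and a special character required) and the 5.05.0 policy (12 to 1000 characters, no composition rules). It assumes the old complexity rule meant at least one upper-case letter, one lower-case letter and one non-alphanumeric character, and it uses a small constructed word list to show how a "three random words" passphrase is generated with a cryptographic random source.

```python
import re
import secrets

# Rule sets as listed on the page: the pre-5.05.0 epaPRO policy and the 5.05.0 policy.
OLD_POLICY = {"min_len": 8, "max_len": 30, "require_complexity": True}
NEW_POLICY = {"min_len": 12, "max_len": 1000, "require_complexity": False}

# Constructed word list for illustration only; a real deployment would draw from a
# much larger dictionary (the NCSC advice is simply "three random words").
WORD_LIST = [
    "anchor", "basket", "candle", "dragon", "engine", "forest", "garden",
    "hammer", "island", "jacket", "kettle", "lantern", "marble", "needle",
    "orange", "pepper", "quartz", "ribbon", "saddle", "timber", "velvet",
]


def check_password(password: str, policy: dict) -> list[str]:
    """Return the list of rules the password breaks; an empty list means accepted."""
    problems = []
    if len(password) < policy["min_len"]:
        problems.append(f"shorter than {policy['min_len']} characters")
    if len(password) > policy["max_len"]:
        problems.append(f"longer than {policy['max_len']} characters")
    if policy["require_complexity"]:
        # Composition rules assumed for the old policy (upper, lower, special character).
        if not re.search(r"[A-Z]", password):
            problems.append("no upper-case letter")
        if not re.search(r"[a-z]", password):
            problems.append("no lower-case letter")
        if not re.search(r"[^A-Za-z0-9]", password):
            problems.append("no special character")
    return problems


def three_random_words(words=WORD_LIST, count: int = 3, separator: str = " ") -> str:
    """Build a passphrase from `count` words chosen with a CSPRNG (secrets module)."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    samples = [
        "P@ssw0rd",             # predictable substitutions satisfy the old rules
        "correcthorsebattery",  # memorable passphrase, rejected by the old rules
        three_random_words(),
    ]
    for pw in samples:
        print(f"{pw!r:28} old: {check_password(pw, OLD_POLICY) or 'OK'}")
        print(f"{'':28} new: {check_password(pw, NEW_POLICY) or 'OK'}")
```

Running the script shows the point the change is making: a short password built from the usual letter-to-digit substitutions passes the old rules and fails the new minimum length, while a long memorable passphrase fails the old composition rules and passes the new policy.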


    Following the release of 5.05.0, we do not intend to force a password reset; however, we can force a password reset on a customer-by-customer basis, upon request.


    Please note that we do not record which users have already changed their password to follow the new policy, so a forced reset applies to ALL user passwords, including those of users who had already changed them.


    If we do not perform a forced reset, then following the release of 5.05.0 the new policy will apply to each user as and when they update their password, or when they forget it and have to use the forgotten password option.

    You can hear the options being discussed on the User Group meeting recording at 1:03:15, which can be listened to via epaPRO User Group Meeting 08-12-22 or https://skilltechsolutionsltd-my.sharepoint.com/:v:/g/personal/lisa_clancy_skilltechsolutions_co_uk/EQ5vUUgBkh5MlATe-_FoYEEBS_qbcEHLLELWSQdNDujCBQ?e=e9JDs3


    1. Please confirm whether you would like us to perform a forced reset for you, and include several preferred dates after the 7th Feb by which you would like this actioned. We ask you to submit a support request ticket to confirm that you would like the passwords forcibly reset, so that we can track who this is needed for.

    Please raise a support ticket to request the company password reset


    More Information from NCSC

    https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

    Using complexity requirements (that is, where staff can only use passwords that are suitably complex) is a poor defence against guessing attacks. It places an extra burden on users, many of whom will use predictable patterns (such as replacing the letter ‘o’ with a zero) to meet the required 'complexity' criteria. Attackers are familiar with these strategies and use this knowledge to optimise their attacks. Additionally, complexity requirements provide no defence against common attack types such as social engineering or insecure storage of passwords.

    For the above reasons, the NCSC do not recommend the use of complexity requirements when implementing user generated passwords. The use of technical controls to defend against automated guessing attacks is far more effective than relying on users to generate (and remember) complex passwords. However, you should specify a minimum password length, to prevent very short passwords from being used. Avoid using any maximum length requirements that a user might try to exceed, as they will make it harder for users to choose a suitable password that fits the length criteria. Password length should only be capped by the capabilities of your system. Be aware that enforcing excessively long passwords will introduce other burdens (such as time taken to enter passwords, and the increased likelihood of mistyping especially on touch screen devices). Adopting the 'three random words' technique can help users to use suitably complex passphrases that they can actually remember.

    More information about the use of 3 random words can be seen here:

    https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0