Password Security and Recommended Practices
Insight is a store of potentially very sensitive and personally identifiable information (PII), so password security is paramount. This guide details our approach and recommended practices for password security.
Password security recommendations
Insight uses recommendations from the NCSC (National Cyber Security Centre) to inform its password policy.
- Password Length: Long passwords, such as short sentences, are the most secure. The minimum length for a password on Insight is 10 characters, in line with ICO guidance. Users trying to enter a password of fewer than 10 characters will be prevented from doing so.
- Password Complexity: In line with NCSC recommendations, Insight does not require particular character types. Password recommendations change over time: it used to be commonplace to require a mix of uppercase and lowercase letters, numbers and special characters, but this is no longer the case.
- Password Security: It's best not to share passwords with others, reuse the same password across different websites, or write passwords down. A password manager can help you manage lots of long, unique passwords so that you don't have to remember them all.
- Password Changes: If you're using long, secure passwords, they don't need changing frequently, as is sometimes recommended. The National Cyber Security Centre favours password length over expiry, so Insight won't ask you to change your password after any given length of time.
- Two Factor Authentication (2FA): You can add an extra layer of security to your Insight account by enabling Two Factor Authentication, meaning that someone else can't access your Insight account with only your username and password.
Screening new passwords
Most websites have a list of commonly used passwords that are expressly disallowed; these are usually words closely associated with the website itself. Insight has a list of explicitly disallowed passwords, which includes the following:
- insight
- insighttracking
- school
To help keep Insight secure, we also check new passwords against the top 100 breached passwords. If you choose one of these passwords, you'll see an error message, for example:
Sorry if this causes you trouble! Please try choosing a longer password. If you continue to have difficulties, get in touch for advice.
Technical Details
Password Hashing
Insight stores passwords using the BCrypt hash function. The BCrypt algorithm was created in 1999 and is extremely secure and has never been cracked. A hash is a special, one-way form of encryption: each password is transformed into a fixed-length string of apparently random alphanumeric characters, from which it is impossible to recover the original password. Insight never stores or displays passwords in plain text.
Throttling
There is no maximum number of login attempts a user can make to Insight. This is also in line with NCSC recommendations, which favour throttling as an alternative to locking accounts. Throttling increases the amount of time that must pass after a failed attempt before another login attempt can be made. In Insight the time between failed attempts doubles, up to a maximum of 6.4 seconds.
This approach makes automated brute-force attacks (large numbers of password guesses) very slow and also prevents a malicious actor from intentionally locking a user out of their account.
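As an added illustration of the throttling described above (example code, not Insight's own implementation): a per-account throttle whose delay doubles after each failure and caps at 6.4 seconds. The starting delay of 0.1 seconds and the names `required_delay` and `LoginThrottle` are assumptions; the page gives only the doubling rule and the cap.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# The page states the delay doubles after each failed attempt and caps at
# 6.4 seconds. The starting delay is not given there; 0.1 s is an assumption.
INITIAL_DELAY = 0.1
MAX_DELAY = 6.4


def required_delay(consecutive_failures: int) -> float:
    """Seconds that must pass after the latest failure before the next
    attempt is accepted: 0.1, 0.2, 0.4, ... capped at MAX_DELAY."""
    if consecutive_failures <= 0:
        return 0.0
    return min(INITIAL_DELAY * 2 ** (consecutive_failures - 1), MAX_DELAY)


class LoginThrottle:
    """Per-account throttle. Attempts made before the delay has elapsed are
    rejected without checking credentials and do not lengthen the delay,
    so nobody can lock an account out by hammering it."""

    def __init__(self) -> None:
        self._failures: Dict[str, int] = {}       # consecutive failures
        self._last_failure: Dict[str, float] = {}  # time of latest failure

    def seconds_to_wait(self, username: str, now: float) -> float:
        n = self._failures.get(username, 0)
        if n == 0:
            return 0.0
        elapsed = now - self._last_failure[username]
        return max(0.0, required_delay(n) - elapsed)

    def attempt(self, username: str, verify: Callable[[], bool],
                now: Optional[float] = None) -> Tuple[str, float]:
        """Run one login attempt. `verify` does the password check (e.g. a
        bcrypt compare, not shown). Returns (status, seconds until the next
        attempt is accepted); status is 'throttled', 'ok' or 'failed'."""
        if now is None:
            now = time.monotonic()
        wait = self.seconds_to_wait(username, now)
        if wait > 0:
            # Worth logging: a run of throttled results on one account is a
            # clear signal of automated guessing.
            return "throttled", wait
        if verify():
            self._failures.pop(username, None)
            self._last_failure.pop(username, None)
            return "ok", 0.0
        self._failures[username] = self._failures.get(username, 0) + 1
        self._last_failure[username] = now
        return "failed", required_delay(self._failures[username])
```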