The @NCCGroupInfosec team performs security assessments across many different sectors and technologies. Regardless of the system being assessed, one of the most common issues we identify pertains to the use of weak passwords – permitted by an inadequate password policy. Systems that do not enforce a strong password policy can easily be compromised, even more so if the system does not also enforce a strong brute-force mitigation policy (more widely known as an account lockout policy).
This whitepaper discusses the features of good password and brute-force mitigation policies. It provides advice to help organisations and users prevent user accounts from being compromised by attackers who exploit poor password choices.