Skip to main content

Password Policy

This article describes some of the steps we take and the policies we have in place in order to secure the VOLO system with regard to operator credentials and login attempts.

General

The cybersecurity landscape is and will always be changing and evolving.

We strive to maintain a highly secure system, seeking out best practice set by appropriate authorities in the field. In this case, our approach is guided by recommendations published by the National Cyber Security Centre of the UK.

The approach recommended by the NCSC is a balance between ensuring passwords are secure and preventing users from becoming 'overloaded' either due to an unmanageable number of passwords to remember or due to highly complex passwords which they have no hope of remembering.

Throttling & Account Lockout

The VOLO API enforces a throttling mechanism preventing requests being generated above a certain rate. This is one measure we have in place to deter and prevent automated login attempts of 'brute force attacks'.

Additionally, we monitor consecutive incorrect login attempts, and we will lock out a user after 10 failed attempts. Locked users can be recovered by contacting technical support.

Password Deny Lists

Whenever a user selects a new password, the VOLO system validates this against a list of known insecure or easily guessed passwords. The user will not be permitted to use a password found in this list.

Insecure Password

Password Length & Complexity

The advice offered by the NCSC is not to enforce complexity requirements. However, we do require that the password is at least 10 characters in length.

Password Length

Password Transmission & Storage

All interactions with the VOLO system will take place using a secure HTTPS connection. You can verify that you are working over a secure connection by confirming the presence of the padlock symbol in the address bar of your browser.

We do not store passwords in VOLO. Instead, we process the password through a hashing algorithm and store the result, along with a unique random additional parameter known as a 'salt'.

If we combine the correct password with the salt that we have saved and pass them through the hashing algorithm, we will always get the same result, that matches what we have stored in the database.

Any wrong password attempt, when passed through the algorithm, will give us a different result, and so we will reject the login attempt.

This approach means that even if someone were to hack into the VOLO database, they would not be able to extract any passwords. However, we also do all that we can to prevent anyone from gaining access to any of our cloud infrastructure inappropriately.