Password Security Best Practices
Passwords are the first line of defense between our most private information and cyber attackers. And while we all understand the importance passwords play in protecting our online data, many of us routinely pick predictable, a.k.a. hackable, passwords.
In an effort to improve password security, the National Institute of Standards and Technology (NIST) recently published their updated digital identity guidelines. With new advice on best practices, the guidelines also explain why our password choices have been lacking.
Somewhat surprisingly, NIST has found that what we were originally taught about creating secure passwords doesn’t actually make it more difficult for hackers to access our accounts. All of the tips and tricks we use to cleverly obfuscate our passwords are more or less a waste of time. Bill Burr, speaking to the Wall St. Journal, said he regrets the recommendations he made back in 2003.
It turns out that the way we use special characters, numbers, and misplaced capital letters tend to follow patterns that hackers can quickly identify. Whether through dictionary attacks, brute force, or rainbow tables, hackers have the tools they need to crack your password. It also turns out the practice of changing your password often can actually make your accounts less secure.
Another factor, which is less surprising, is our brain’s inability to remember more complicated passwords. We default to using simple words and dates that we can easily remember, thinking that the techniques mentioned above will keep us safe. Which, as we now know, they won’t. However, simplicity is key to security…as long as the password is long enough.
NIST recommendations for password strength rely on the theory of entropy (unpredictability). The longer a password, the higher the entropy. While using numbers and symbols can help, password length is the best way to increase your entropy score. As a password gets longer, the combinations of letters, numbers, and symbols grows exponentially, making it more difficult for hackers to figure out the correct combination. Let’s take a look at the NIST password guidelines.
NIST Memorized Secrets — Section 5.1.1:
A Memorized Secret authenticator — commonly referred to as a password or, if numeric, a PIN — is a secret value intended to be chosen and memorized by the user. Memorized secrets need to be of sufficient complexity and secrecy that it would be impractical for an attacker to guess or otherwise discover the correct secret value. A memorized secret is something you know.
Memorized Secret Authenticators — Section 126.96.36.199
- Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber.
- Memorized secrets chosen randomly by the Credential Service Provider (CSP) or verifier SHALL be at least 6 characters in length and MAY be entirely numeric.
- If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist of compromised values, the subscriber SHALL be required to choose a different memorized secret.
- No other complexity requirements for memorized secrets SHOULD be imposed.
NIST Usability Considerations Memorized Secrets — Section 10.2.1:
When users create and change memorized secrets:
- Clearly communicate information on how to create and change memorized secrets.
- Clearly communicate memorized secret requirements.
- Allow at least 64 characters in length to support the use of passphrases. Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
- Do not impose other composition rules (e.g., mixtures of different character types) on memorized secrets.
- Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.
- Provide clear, meaningful and actionable feedback when chosen passwords are rejected (e.g., when it appears on a “black list” of unacceptable passwords or has been used previously). Advise users that they need to select a different secret because their previous choice was commonly used.
The new NIST guidelines have humanized password security making it both easier for users to remember and harder for hackers to discover. In Appendix A, Strength of Memorized Secrets, NIST outlines its rationale for the password guidelines, including password length and complexity. It also notes that some attacks, such as keystroke logging and phishing, are not impacted by the these factors and can expose a password no matter how secure.
You can discover if you have an account that has been compromised in a data breach. You can also check your current password and see how you measure up. Can you be hacked in a few seconds or a few thousand years?
While each of CIS, PCI, ISO/IEC and HIPAA guidelines (details below) have different criteria for password security, they also rely on many of the old practices, including changing of passwords and specific character combinations, that NIST has uncovered as ineffective. We’ll see if they adjust their criteria in light of these new recommendations.
Communicating password requirements to your team can be a challenge. Making sure that the new requirements are consistently enforced across your entire infrastructure can be next to impossible. It is part of the reason we created Automox.
Automox allows you to set policies not only for passwords, but for all of your OS and 3rd party patching and custom configurations. Once set, Automox takes care of enforcing the assigned software, patches, and configuration settings (like these new password requirements) on every system, regardless of the operating system or geographic location. Automox also provides you with the ability to enable two-factor authentication (2FA) as a second layer of authentication. In the event user login information has been breached, 2FA can prevent account access.
For your reference, we’ve compiled the current password criteria for a few different compliance policies.
CIS Password Benchmarks
- Enforce password history is set to 24 or more passwords
- Maximum password age is set to 60 or fewer days, but not 0
- Minimum password age is set to 1 or more days
- Minimum password length is set to 14 or more characters
- Enable — Password must meet complexity requirements
- Disable — Store password using reversible encryption
- Account lockout duration is set to 15 or more minutes
- Account lockout threshold is set to 10 or fewer invalid login attempts, but not 0
- ‘Reset account lockout counter after’ is set to ’15 or more minutes
PCI Requirement 8: Identify and authenticate access to system components
8.2.1 Use strong cryptography, render all authentication credentials unreadable during transmission and storage on all system components.
8.2.2 Verify user identity before modifying any authentication credential.
8.2.3 Passwords/passphrases must meet the following:
- Require a minimum length of at least seven characters
- Contain both numeric and alphabetic characters
- Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above
8.2.4 Change user passwords/passphrases at least once every 90 days.
8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used.
8.2.6 Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.
8.4 Document and communicate authentication policies and procedures to all users including:
- Guidance on selecting strong authentication credentials
- Guidance for how users should protect their authentication credentials
- Instructions not to reuse previously used passwords
- Instructions to change passwords if there is any suspicion the password could be compromised
8.5 Do not use group, shared, or generic IDs, passwords, or other authentication
methods as follows:
- Generic user IDs are disabled or removed
- Shared user IDs do not exist for system administration and other critical functions
- Shared and generic user IDs are not used to administer any system components
ISO/IEC 27002 2013 Section 9: Information Access Management
9.3.1 Use of secret authentication information
All users should be advised to:
- Keep secret authentication information confidential, ensuring that it is not divulged to any other parties, including people of authority
- Avoid keeping a record (e.g. on paper, software file or hand-held device) of secret authentication information, unless this can be stored securely and the method of storing has been approved (e.g. password vault)
- Change secret authentication information whenever there is any indication of its possible compromise
- When passwords are used as secret authentication information, select quality passwords with sufficient minimum length which are:
- Easy to remember
- Not based on anything somebody else could easily guess or obtain using person related information, e.g. names, telephone numbers and dates of birth etc.
- Not vulnerable to dictionary attacks (i.e. do not consist of words included in dictionaries)
- Free of consecutive identical, all-numeric or all-alphabetic characters
- If temporary, changed at the first log-on
- Not share individual user’s secret authentication information
- Ensure proper protection of passwords when passwords are used as secret authentication information in automated log-on procedures and are stored
- Not use the same secret authentication information for business and non-business purposes
9.4.3 Password management system
A password management system should:
- Enforce the use of individual user IDs and passwords to maintain accountability
- Allow users to select and change their own passwords and include a confirmation procedure to allow for input errors
- Enforce a choice of quality passwords
- Force users to change their passwords at the first log-on
- Enforce regular password changes and as needed
- Maintain a record of previously used passwords and prevent re-use
- Not display passwords on the screen when being entered
- Store password files separately from application system data
- Store and transmit passwords in protected form
HIPAA § 164.308(a)(5)(ii)(D)
Password management. Procedures for creating, changing, and safeguarding passwords. Covered entities must train all users and establish guidelines for creating passwords and changing them during periodic change cycles.
Password management procedure may include,:
- A minimum length of passwords is eight (8) characters
- A combination of numeric, non-alphanumeric, alphabetical characters, and capital and lowercase letters
- Passwords that are not easily guessable or obtained by using personal information such as names, pet’s name, license plate, birthday
- Require and force regular password changes (e.g., every 30/60/90 days)
- Require and force the use of individual passwords to maintain accountability
- Permit employees to select and change their own passwords
- Require unique passwords that meet defined standards (e.g., no password re-uses for a minimum period of time).
- Require passwords not to be displayed in clear text when input
- Require passwords to be given to employees in a secure manner, through a pre-defined process
- Require changing of default vendor passwords immediately following installation of hardware or software
- Prohibit the use of “Admin” or “Administrator” as login for administrator accounts or of “Demo” for demonstration logins
As previously published on Automox.com