Effective password management reduces the risk of compromise of password-based authentication systems. In light of recent news with the Houston Astros and St. Louis Cardinals, here are four password protection tips that are useful for all organizations:
- Create a password policy that specifies all of the organization’s password management-related requirements.
- Protect passwords from attacks that capture passwords.
- Configure password mechanisms to reduce the likelihood of successful password guessing and cracking.
- Determine requirements for password expiration based on balancing security needs and usability.
Create a password policy that specifies all of the organization’s password management-related requirements.
Password management-related requirements include password storage and transmission, password composition, and password issuance and reset procedures. In addition, organizations should also take into account applicable mandates (e.g., Federal Information Security Management Act of 2002 (FISMA)), regulations and other requirements and guidelines related to passwords. An organization’s password policy should be flexible enough to accommodate the differing password capabilities provided by various OSs and applications. Organizations should review their password policies periodically, particularly as major technology changes occur (e.g., new OS) that may affect password management.
Protect passwords from attacks that capture passwords.
Attackers may capture passwords in several ways, each necessitating different security controls. For example, attackers might attempt to access OS and application passwords stored on hosts, so such passwords should be stored using additional security controls, such as restricting access to files that contain passwords and storing one-way cryptographic hashes of passwords instead of the passwords themselves. Passwords transmitted over networks should be protected from sniffing threats by encrypting the passwords or the communications containing them, or by other suitable means. Users should be made aware of threats against their knowledge and behavior, such as phishing attacks, keystroke loggers and shoulder surfing, and how they should respond when they suspect an attack may be occurring. Organizations also need to ensure that they verify the identity of users who are attempting to recover a forgotten password or reset a password, so that a password is not inadvertently provided to an attacker.
Configure password mechanisms to reduce the likelihood of successful password guessing and cracking.
Password guessing attacks can be mitigated easily by ensuring that passwords are sufficiently complex and by limiting the frequency of authentication attempts, such as having a brief delay after each failed authentication attempt or locking out an account after many consecutive failed attempts. Password cracking attacks can be mitigated by using strong passwords, choosing strong cryptographic algorithms and implementations for password hashing and protecting the confidentiality of password hashes. Changing passwords periodically also slightly reduces the risk posed by cracking. Password strength is based on several factors, including password complexity, password length and user knowledge of strong password characteristics. Organizations should consider which factors are enforceable when establishing policy requirements for password strength, and also whether or not users will need to memorize the passwords.
Determine requirements for password expiration based on balancing security needs and usability.
Many organizations implement password expiration mechanisms to reduce the potential impact of unauthorized password use. This is beneficial in some cases but ineffective in others, such as when the attacker can compromise the new password through the same keylogger that was used to capture the old password. Password expiration is also a source of frustration to users, who are often required to create and remember new passwords every few months for dozens of accounts, and thus tend to choose weak passwords and use the same few passwords for many accounts. Organizations should consider several factors when determining password expiration requirements, including the availability of secure storage for user passwords, the level of threats against the passwords, the frequency of authentication (daily versus annually), the strength of password storage and the effectiveness or ineffectiveness of password expiration against cracking. Organizations should consider having different policies for password expiration for different types of systems, operating systems and applications to reflect their varying security needs and usability requirements.
In sum, passwords are used in many ways to protect data, systems and networks and have always been simple yet effective risk management tools. However, one constant remains: Passwords are only as good as your daily practices to safeguard them. Make password protection a priority.
Source: National Institute of Standards and Technology