diff options
Diffstat (limited to 'content/blog/2019-12-16-password-security.md')
| -rw-r--r-- | content/blog/2019-12-16-password-security.md | 117 |
1 files changed, 0 insertions, 117 deletions
diff --git a/content/blog/2019-12-16-password-security.md b/content/blog/2019-12-16-password-security.md deleted file mode 100644 index ddf8812..0000000 --- a/content/blog/2019-12-16-password-security.md +++ /dev/null @@ -1,117 +0,0 @@ -+++ -date = 2019-12-16 -title = "Password Security" -description = "" -draft = false -+++ - -# Users - -## Why Does It Matter? - -Information security, including passwords and identities, has become one of the -most important digital highlights of the last decade. With [billions of people -affected by data breaches each -year](https://www.usatoday.com/story/money/2018/12/28/data-breaches-2018-billions-hit-growing-number-cyberattacks/2413411002/), -there's a greater need to introduce strong information security systems. If you -think you've been part of a breach, or you want to check and see, you can use -[Have I Been Pwned](https://haveibeenpwned.com/) to see if your email has been -involved in any public breaches. Remember that there's a possibility that a -company experienced a breach and did not report it to anyone. - -## How Do I Protect Myself? - -The first place to start with any personal security check-up is to gather a list -of all the different websites, apps, or programs that require you to have login -credentials. Optionally, once you know where your information is being stored, -you can sort the list from the most-important items such as banks or government -logins to less important items such as your favorite meme site. You will want to -ensure that your critical logins are secure before getting to the others. - -Once you think you have a good idea of all your different authentication -methods, I recommend using a password manager such as -[Bitwarden](https://bitwarden.com/). Using a password manager allows you to -automatically save your logins, create randomized passwords, and transfer -passwords across devices. However, you'll need to memorize your "vault password" -that allows you to open the password manager. It's important to make this -something hard to guess since it would allow anyone who has it to access every -password you've stored in there. - -Personally, I recommend using a -[passphrase](https://en.wikipedia.org/wiki/Passphrase) instead of a -[password](https://en.wikipedia.org/wiki/Password) for your vault password. -Instead of using a string of characters (whether random or simple), use a phrase -and add in symbols and a number. For example, your vault password could be -`Racing-Alphabet-Gourd-Parrot3`. Swap the symbols out for whichever symbol you -want, move the number around, and fine-tune the passphrase until you are -confident that you can remember it whenever necessary. - -Once you've stored your passwords, make sure you continually check up on your -account and make sure you aren't following bad password practices. Krebs on -Security has a great [blog post on password -recommendations](https://krebsonsecurity.com/password-dos-and-donts/). Any time -that a data breach happens, make sure you check to see if you were included, and -if you need to reset any account passwords. - -# Developers - -## What Are the Basic Requirements? - -When developing any password-protected application, there are a few basic rules -that anyone should follow even if they do not follow any official guidelines -such as NIST. The foremost practice is to require users to use passwords that -are at least 8 characters and cannot easily be guessed. This sounds extremely -simple, but it requires quite a few different strategies. First, the application -should check the potential passwords against a dictionary of insecure passwords -such `password`, `1234abc`, or `application_name`. - -Next, the application should offer guidance on the strength of passwords being -entered during enrollment. Further, NIST officially recommends **not** -implementing any composition rules that make passwords hard to remember (e.g. -passwords with letters, numbers, and special characters) and instead encouraging -the use of long pass phrases which can include spaces. It should be noted that -to be able to keep spaces within passwords, all unicode characters should be -supported, and passwords should not be truncated. - -## What Does NIST Recommend? - -The National Institute of Standards and Technology -([NIST](https://www.nist.gov)) in the US Department of Commerce regularly -publishes information around information security and digital identity -guidelines. Recently, NIST published [Special Publication -800-63b](https://pages.nist.gov/800-63-3/sp800-63b.html): Digital Identity -Guidelines and Authentication and Lifecycle Management. - -> A Memorized Secret authenticator - commonly referred to as a password or, if -> numeric, a PIN - is a secret value intended to be chosen and memorized by the -> user. Memorized secrets need to be of sufficient complexity and secrecy that -> it would be impractical for an attacker to guess or otherwise discover the -> correct secret value. A memorized secret is something you know. -> -> - NIST Special Publication 800-63B - -NIST offers a lot of guidance on passwords, but I'm going to highlight just a -few of the important factors: - -- Require passwords to be a minimum of 8 characters (6 characters if randomly - generated and be generated using an approved random bit generator). -- Compare potential passwords against a list that contains values known to be - commonly-used, expected, or compromised. -- Offer guidance on password strength, such as a strength meter. -- Implement a rate-limiting mechanism to limit the number of failed - authentication attempts for each user account. -- Do not require composition rules for passwords and do not require passwords - to be changed periodically (unless compromised). -- Allow pasting of user identification and passwords to facilitate the use of - password managers. -- Allow users to view the password as it is being entered. -- Use secure forms of communication and storage, including salting and hashing - passwords using a one-way key derivation function. - -NIST offers further guidance on other devices that require specific security -policies, querying for passwords, and more. All the information discussed so far -comes from [NIST SP800-63b](https://pages.nist.gov/800-63-3/sp800-63b.html) but -NIST offers a lot of information on digital identities, enrollment, identity -proofing, authentication, lifecycle management, federation, and assertions in -the total [NIST SP800-63 Digital Identity -Guidelines](https://pages.nist.gov/800-63-3/). |