From 41bd0ad58e44244fe67cb36e066d4bb68738516f Mon Sep 17 00:00:00 2001 From: Christian Cleberg Date: Fri, 29 Mar 2024 01:30:23 -0500 Subject: massive re-write from org-publish to weblorg --- content/blog/2019-12-16-password-security.org | 121 ++++++++++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 content/blog/2019-12-16-password-security.org (limited to 'content/blog/2019-12-16-password-security.org') diff --git a/content/blog/2019-12-16-password-security.org b/content/blog/2019-12-16-password-security.org new file mode 100644 index 0000000..0ebbb84 --- /dev/null +++ b/content/blog/2019-12-16-password-security.org @@ -0,0 +1,121 @@ +#+title: Password Security +#+date: 2019-12-16 +#+description: Password security basics. +#+filetags: :security: + +* Users +** Why Does It Matter? +Information security, including passwords and identities, has become one +of the most important digital highlights of the last decade. With +[[https://www.usatoday.com/story/money/2018/12/28/data-breaches-2018-billions-hit-growing-number-cyberattacks/2413411002/][billions +of people affected by data breaches each year]], there's a greater need +to introduce strong information security systems. If you think you've +been part of a breach, or you want to check and see, you can use +[[https://haveibeenpwned.com/][Have I Been Pwned]] to see if your email +has been involved in any public breaches. Remember that there's a +possibility that a company experienced a breach and did not report it to +anyone. + +** How Do I Protect Myself? +The first place to start with any personal security check-up is to +gather a list of all the different websites, apps, or programs that +require you to have login credentials. Optionally, once you know where +your information is being stored, you can sort the list from the +most-important items such as banks or government logins to less +important items such as your favorite meme site. You will want to ensure +that your critical logins are secure before getting to the others. + +Once you think you have a good idea of all your different authentication +methods, I recommend using a password manager such as +[[https://bitwarden.com/][Bitwarden]]. Using a password manager allows +you to automatically save your logins, create randomized passwords, and +transfer passwords across devices. However, you'll need to memorize your +"vault password" that allows you to open the password manager. It's +important to make this something hard to guess since it would allow +anyone who has it to access every password you've stored in there. + +Personally, I recommend using a +[[https://en.wikipedia.org/wiki/Passphrase][passphrase]] instead of a +[[https://en.wikipedia.org/wiki/Password][password]] for your vault +password. Instead of using a string of characters (whether random or +simple), use a phrase and add in symbols and a number. For example, your +vault password could be =Racing-Alphabet-Gourd-Parrot3=. Swap the +symbols out for whichever symbol you want, move the number around, and +fine-tune the passphrase until you are confident that you can remember +it whenever necessary. + +Once you've stored your passwords, make sure you continually check up on +your account and make sure you aren't following bad password practices. +Krebs on Security has a great +[[https://krebsonsecurity.com/password-dos-and-donts/][blog post on +password recommendations]]. Any time that a data breach happens, make +sure you check to see if you were included, and if you need to reset any +account passwords. + +* Developers +** What Are the Basic Requirements? +When developing any password-protected application, there are a few +basic rules that anyone should follow even if they do not follow any +official guidelines such as NIST. The foremost practice is to require +users to use passwords that are at least 8 characters and cannot easily +be guessed. This sounds extremely simple, but it requires quite a few +different strategies. First, the application should check the potential +passwords against a dictionary of insecure passwords such =password=, +=1234abc=, or =application_name=. + +Next, the application should offer guidance on the strength of passwords +being entered during enrollment. Further, NIST officially recommends +*not** implementing any composition rules that make passwords hard to +remember (e.g. passwords with letters, numbers, and special characters) +and instead encouraging the use of long pass phrases which can include +spaces. It should be noted that to be able to keep spaces within +passwords, all unicode characters should be supported, and passwords +should not be truncated. + +** What Does NIST Recommend? +The National Institute of Standards and Technology +([[https://www.nist.gov][NIST]]) in the US Department of Commerce +regularly publishes information around information security and digital +identity guidelines. Recently, NIST published +[[https://pages.nist.gov/800-63-3/sp800-63b.html][Special Publication +800-63b]]: Digital Identity Guidelines and Authentication and Lifecycle +Management. + +#+begin_quote +A Memorized Secret authenticator - commonly referred to as a password +or, if numeric, a PIN - is a secret value intended to be chosen and +memorized by the user. Memorized secrets need to be of sufficient +complexity and secrecy that it would be impractical for an attacker to +guess or otherwise discover the correct secret value. A memorized secret +is something you know. + +- NIST Special Publication 800-63B +#+end_quote + +NIST offers a lot of guidance on passwords, but I'm going to highlight +just a few of the important factors: + +- Require passwords to be a minimum of 8 characters (6 characters if + randomly generated and be generated using an approved random bit + generator). +- Compare potential passwords against a list that contains values known + to be commonly-used, expected, or compromised. +- Offer guidance on password strength, such as a strength meter. +- Implement a rate-limiting mechanism to limit the number of failed + authentication attempts for each user account. +- Do not require composition rules for passwords and do not require + passwords to be changed periodically (unless compromised). +- Allow pasting of user identification and passwords to facilitate the + use of password managers. +- Allow users to view the password as it is being entered. +- Use secure forms of communication and storage, including salting and + hashing passwords using a one-way key derivation function. + +NIST offers further guidance on other devices that require specific +security policies, querying for passwords, and more. All the information +discussed so far comes from +[[https://pages.nist.gov/800-63-3/sp800-63b.html][NIST SP800-63b]] but +NIST offers a lot of information on digital identities, enrollment, +identity proofing, authentication, lifecycle management, federation, and +assertions in the total [[https://pages.nist.gov/800-63-3/][NIST +SP800-63 Digital Identity Guidelines]]. -- cgit v1.2.3-70-g09d2