From 3def68d80edf87e28473609c31970507d9f03467 Mon Sep 17 00:00:00 2001 From: Christian Cleberg Date: Mon, 22 Apr 2024 14:07:21 -0500 Subject: format a portion of blog posts --- content/blog/2019-12-16-password-security.org | 158 ++++++++++++-------------- 1 file changed, 70 insertions(+), 88 deletions(-) (limited to 'content/blog/2019-12-16-password-security.org') diff --git a/content/blog/2019-12-16-password-security.org b/content/blog/2019-12-16-password-security.org index 0ebbb84..465afdc 100644 --- a/content/blog/2019-12-16-password-security.org +++ b/content/blog/2019-12-16-password-security.org @@ -5,117 +5,99 @@ * Users ** Why Does It Matter? -Information security, including passwords and identities, has become one -of the most important digital highlights of the last decade. With -[[https://www.usatoday.com/story/money/2018/12/28/data-breaches-2018-billions-hit-growing-number-cyberattacks/2413411002/][billions -of people affected by data breaches each year]], there's a greater need -to introduce strong information security systems. If you think you've -been part of a breach, or you want to check and see, you can use -[[https://haveibeenpwned.com/][Have I Been Pwned]] to see if your email -has been involved in any public breaches. Remember that there's a -possibility that a company experienced a breach and did not report it to -anyone. +Information security, including passwords and identities, has become one of the +most important digital highlights of the last decade. With [[https://www.usatoday.com/story/money/2018/12/28/data-breaches-2018-billions-hit-growing-number-cyberattacks/2413411002/][billions of people +affected by data breaches each year]], there's a greater need to introduce strong +information security systems. If you think you've been part of a breach, or you +want to check and see, you can use [[https://haveibeenpwned.com/][Have I Been Pwned]] to see if your email has +been involved in any public breaches. Remember that there's a possibility that a +company experienced a breach and did not report it to anyone. ** How Do I Protect Myself? -The first place to start with any personal security check-up is to -gather a list of all the different websites, apps, or programs that -require you to have login credentials. Optionally, once you know where -your information is being stored, you can sort the list from the -most-important items such as banks or government logins to less -important items such as your favorite meme site. You will want to ensure -that your critical logins are secure before getting to the others. +The first place to start with any personal security check-up is to gather a list +of all the different websites, apps, or programs that require you to have login +credentials. Optionally, once you know where your information is being stored, +you can sort the list from the most-important items such as banks or government +logins to less important items such as your favorite meme site. You will want to +ensure that your critical logins are secure before getting to the others. Once you think you have a good idea of all your different authentication -methods, I recommend using a password manager such as -[[https://bitwarden.com/][Bitwarden]]. Using a password manager allows -you to automatically save your logins, create randomized passwords, and -transfer passwords across devices. However, you'll need to memorize your -"vault password" that allows you to open the password manager. It's -important to make this something hard to guess since it would allow -anyone who has it to access every password you've stored in there. +methods, I recommend using a password manager such as [[https://bitwarden.com/][Bitwarden]]. Using a +password manager allows you to automatically save your logins, create randomized +passwords, and transfer passwords across devices. However, you'll need to +memorize your "vault password" that allows you to open the password manager. +It's important to make this something hard to guess since it would allow anyone +who has it to access every password you've stored in there. -Personally, I recommend using a -[[https://en.wikipedia.org/wiki/Passphrase][passphrase]] instead of a -[[https://en.wikipedia.org/wiki/Password][password]] for your vault -password. Instead of using a string of characters (whether random or -simple), use a phrase and add in symbols and a number. For example, your -vault password could be =Racing-Alphabet-Gourd-Parrot3=. Swap the -symbols out for whichever symbol you want, move the number around, and -fine-tune the passphrase until you are confident that you can remember -it whenever necessary. +Personally, I recommend using a [[https://en.wikipedia.org/wiki/Passphrase][passphrase]] instead of a [[https://en.wikipedia.org/wiki/Password][password]] for your vault +password. Instead of using a string of characters (whether random or simple), +use a phrase and add in symbols and a number. For example, your vault password +could be =Racing-Alphabet-Gourd-Parrot3=. Swap the symbols out for whichever +symbol you want, move the number around, and fine-tune the passphrase until you +are confident that you can remember it whenever necessary. -Once you've stored your passwords, make sure you continually check up on -your account and make sure you aren't following bad password practices. -Krebs on Security has a great -[[https://krebsonsecurity.com/password-dos-and-donts/][blog post on -password recommendations]]. Any time that a data breach happens, make -sure you check to see if you were included, and if you need to reset any -account passwords. +Once you've stored your passwords, make sure you continually check up on your +account and make sure you aren't following bad password practices. Krebs on +Security has a great [[https://krebsonsecurity.com/password-dos-and-donts/][blog post on password recommendations]]. Any time that a data +breach happens, make sure you check to see if you were included, and if you need +to reset any account passwords. * Developers ** What Are the Basic Requirements? -When developing any password-protected application, there are a few -basic rules that anyone should follow even if they do not follow any -official guidelines such as NIST. The foremost practice is to require -users to use passwords that are at least 8 characters and cannot easily -be guessed. This sounds extremely simple, but it requires quite a few -different strategies. First, the application should check the potential -passwords against a dictionary of insecure passwords such =password=, -=1234abc=, or =application_name=. +When developing any password-protected application, there are a few basic rules +that anyone should follow even if they do not follow any official guidelines +such as NIST. The foremost practice is to require users to use passwords that +are at least 8 characters and cannot easily be guessed. This sounds extremely +simple, but it requires quite a few different strategies. First, the application +should check the potential passwords against a dictionary of insecure passwords +such =password=, =1234abc=, or =application_name=. -Next, the application should offer guidance on the strength of passwords -being entered during enrollment. Further, NIST officially recommends -*not** implementing any composition rules that make passwords hard to -remember (e.g. passwords with letters, numbers, and special characters) -and instead encouraging the use of long pass phrases which can include -spaces. It should be noted that to be able to keep spaces within -passwords, all unicode characters should be supported, and passwords -should not be truncated. +Next, the application should offer guidance on the strength of passwords being +entered during enrollment. Further, NIST officially recommends *not** +implementing any composition rules that make passwords hard to remember (e.g. +passwords with letters, numbers, and special characters) and instead encouraging +the use of long pass phrases which can include spaces. It should be noted that +to be able to keep spaces within passwords, all unicode characters should be +supported, and passwords should not be truncated. ** What Does NIST Recommend? -The National Institute of Standards and Technology -([[https://www.nist.gov][NIST]]) in the US Department of Commerce -regularly publishes information around information security and digital -identity guidelines. Recently, NIST published -[[https://pages.nist.gov/800-63-3/sp800-63b.html][Special Publication +The National Institute of Standards and Technology ([[https://www.nist.gov][NIST]]) in the US Department +of Commerce regularly publishes information around information security and +digital identity guidelines. Recently, NIST published [[https://pages.nist.gov/800-63-3/sp800-63b.html][Special Publication 800-63b]]: Digital Identity Guidelines and Authentication and Lifecycle Management. #+begin_quote -A Memorized Secret authenticator - commonly referred to as a password -or, if numeric, a PIN - is a secret value intended to be chosen and -memorized by the user. Memorized secrets need to be of sufficient -complexity and secrecy that it would be impractical for an attacker to -guess or otherwise discover the correct secret value. A memorized secret -is something you know. +A Memorized Secret authenticator - commonly referred to as a password or, if +numeric, a PIN - is a secret value intended to be chosen and memorized by the +user. Memorized secrets need to be of sufficient complexity and secrecy that it +would be impractical for an attacker to guess or otherwise discover the correct +secret value. A memorized secret is something you know. - NIST Special Publication 800-63B #+end_quote -NIST offers a lot of guidance on passwords, but I'm going to highlight -just a few of the important factors: +NIST offers a lot of guidance on passwords, but I'm going to highlight just a +few of the important factors: -- Require passwords to be a minimum of 8 characters (6 characters if - randomly generated and be generated using an approved random bit - generator). -- Compare potential passwords against a list that contains values known - to be commonly-used, expected, or compromised. +- Require passwords to be a minimum of 8 characters (6 characters if randomly + generated and be generated using an approved random bit generator). +- Compare potential passwords against a list that contains values known to be + commonly-used, expected, or compromised. - Offer guidance on password strength, such as a strength meter. - Implement a rate-limiting mechanism to limit the number of failed authentication attempts for each user account. -- Do not require composition rules for passwords and do not require - passwords to be changed periodically (unless compromised). -- Allow pasting of user identification and passwords to facilitate the - use of password managers. +- Do not require composition rules for passwords and do not require passwords to + be changed periodically (unless compromised). +- Allow pasting of user identification and passwords to facilitate the use of + password managers. - Allow users to view the password as it is being entered. -- Use secure forms of communication and storage, including salting and - hashing passwords using a one-way key derivation function. +- Use secure forms of communication and storage, including salting and hashing + passwords using a one-way key derivation function. -NIST offers further guidance on other devices that require specific -security policies, querying for passwords, and more. All the information -discussed so far comes from -[[https://pages.nist.gov/800-63-3/sp800-63b.html][NIST SP800-63b]] but -NIST offers a lot of information on digital identities, enrollment, -identity proofing, authentication, lifecycle management, federation, and -assertions in the total [[https://pages.nist.gov/800-63-3/][NIST -SP800-63 Digital Identity Guidelines]]. +NIST offers further guidance on other devices that require specific security +policies, querying for passwords, and more. All the information discussed so far +comes from [[https://pages.nist.gov/800-63-3/sp800-63b.html][NIST SP800-63b]] but NIST offers a lot of information on digital +identities, enrollment, identity proofing, authentication, lifecycle management, +federation, and assertions in the total [[https://pages.nist.gov/800-63-3/][NIST SP800-63 Digital Identity +Guidelines]]. -- cgit v1.2.3-70-g09d2