1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
+++
date = 2019-12-16
title = "Password Security"
description = ""
draft = false
+++
# Users
## Why Does It Matter?
Information security, including passwords and identities, has become one of the
most important digital highlights of the last decade. With [billions of people
affected by data breaches each
year](https://www.usatoday.com/story/money/2018/12/28/data-breaches-2018-billions-hit-growing-number-cyberattacks/2413411002/),
there's a greater need to introduce strong information security systems. If you
think you've been part of a breach, or you want to check and see, you can use
[Have I Been Pwned](https://haveibeenpwned.com/) to see if your email has been
involved in any public breaches. Remember that there's a possibility that a
company experienced a breach and did not report it to anyone.
## How Do I Protect Myself?
The first place to start with any personal security check-up is to gather a list
of all the different websites, apps, or programs that require you to have login
credentials. Optionally, once you know where your information is being stored,
you can sort the list from the most-important items such as banks or government
logins to less important items such as your favorite meme site. You will want to
ensure that your critical logins are secure before getting to the others.
Once you think you have a good idea of all your different authentication
methods, I recommend using a password manager such as
[Bitwarden](https://bitwarden.com/). Using a password manager allows you to
automatically save your logins, create randomized passwords, and transfer
passwords across devices. However, you'll need to memorize your "vault password"
that allows you to open the password manager. It's important to make this
something hard to guess since it would allow anyone who has it to access every
password you've stored in there.
Personally, I recommend using a
[passphrase](https://en.wikipedia.org/wiki/Passphrase) instead of a
[password](https://en.wikipedia.org/wiki/Password) for your vault password.
Instead of using a string of characters (whether random or simple), use a phrase
and add in symbols and a number. For example, your vault password could be
`Racing-Alphabet-Gourd-Parrot3`. Swap the symbols out for whichever symbol you
want, move the number around, and fine-tune the passphrase until you are
confident that you can remember it whenever necessary.
Once you've stored your passwords, make sure you continually check up on your
account and make sure you aren't following bad password practices. Krebs on
Security has a great [blog post on password
recommendations](https://krebsonsecurity.com/password-dos-and-donts/). Any time
that a data breach happens, make sure you check to see if you were included, and
if you need to reset any account passwords.
# Developers
## What Are the Basic Requirements?
When developing any password-protected application, there are a few basic rules
that anyone should follow even if they do not follow any official guidelines
such as NIST. The foremost practice is to require users to use passwords that
are at least 8 characters and cannot easily be guessed. This sounds extremely
simple, but it requires quite a few different strategies. First, the application
should check the potential passwords against a dictionary of insecure passwords
such `password`, `1234abc`, or `application_name`.
Next, the application should offer guidance on the strength of passwords being
entered during enrollment. Further, NIST officially recommends **not**
implementing any composition rules that make passwords hard to remember (e.g.
passwords with letters, numbers, and special characters) and instead encouraging
the use of long pass phrases which can include spaces. It should be noted that
to be able to keep spaces within passwords, all unicode characters should be
supported, and passwords should not be truncated.
## What Does NIST Recommend?
The National Institute of Standards and Technology
([NIST](https://www.nist.gov)) in the US Department of Commerce regularly
publishes information around information security and digital identity
guidelines. Recently, NIST published [Special Publication
800-63b](https://pages.nist.gov/800-63-3/sp800-63b.html): Digital Identity
Guidelines and Authentication and Lifecycle Management.
> A Memorized Secret authenticator - commonly referred to as a password or, if
> numeric, a PIN - is a secret value intended to be chosen and memorized by the
> user. Memorized secrets need to be of sufficient complexity and secrecy that
> it would be impractical for an attacker to guess or otherwise discover the
> correct secret value. A memorized secret is something you know.
>
> - NIST Special Publication 800-63B
NIST offers a lot of guidance on passwords, but I'm going to highlight just a
few of the important factors:
- Require passwords to be a minimum of 8 characters (6 characters if randomly
generated and be generated using an approved random bit generator).
- Compare potential passwords against a list that contains values known to be
commonly-used, expected, or compromised.
- Offer guidance on password strength, such as a strength meter.
- Implement a rate-limiting mechanism to limit the number of failed
authentication attempts for each user account.
- Do not require composition rules for passwords and do not require passwords
to be changed periodically (unless compromised).
- Allow pasting of user identification and passwords to facilitate the use of
password managers.
- Allow users to view the password as it is being entered.
- Use secure forms of communication and storage, including salting and hashing
passwords using a one-way key derivation function.
NIST offers further guidance on other devices that require specific security
policies, querying for passwords, and more. All the information discussed so far
comes from [NIST SP800-63b](https://pages.nist.gov/800-63-3/sp800-63b.html) but
NIST offers a lot of information on digital identities, enrollment, identity
proofing, authentication, lifecycle management, federation, and assertions in
the total [NIST SP800-63 Digital Identity
Guidelines](https://pages.nist.gov/800-63-3/).
|
