#+date: <2019-12-16>
#+title: Password Security
#+description:
#+slug: password-security
* Users
** Why Does It Matter?
Protecting passwords and digital identities has become one of the
defining security problems of the last decade. With
[[https://www.usatoday.com/story/money/2018/12/28/data-breaches-2018-billions-hit-growing-number-cyberattacks/2413411002/][billions
of people affected by data breaches each year]], there is a growing need
for strong authentication and careful credential storage. If you think
you've been part of a breach, or simply want to check, you can use
[[https://haveibeenpwned.com/][Have I Been Pwned]] to see whether your
email address appears in any publicly known breach. Remember that a
company may have been breached without ever reporting it, so a clean
result is not proof that your credentials are safe.
** How Do I Protect Myself?
The first step in any personal security check-up is to gather a list of
every website, app, or program for which you hold login credentials.
Once you know where your information is stored, it helps to sort the
list from the most important accounts, such as banks or government
logins, down to the least important, such as your favorite meme site.
Secure the critical logins first, then work through the rest.
Once you have a good picture of all your accounts, I recommend using a
password manager such as [[https://bitwarden.com/][Bitwarden]]. A
password manager saves your logins automatically, generates long random
passwords that are unique to each site, and syncs them across devices.
The one secret you still have to memorize is the "vault password" that
unlocks the manager. It must be hard to guess, because anyone who has it
can read every password stored in the vault.
Personally, I recommend using a
[[https://en.wikipedia.org/wiki/Passphrase][passphrase]] instead of a
[[https://en.wikipedia.org/wiki/Password][password]] for your vault
password. Instead of a string of characters (whether random or simple),
use several words and add a symbol and a number. For example, your vault
password could be =Racing-Alphabet-Gourd-Parrot3=. The strength of a
passphrase comes from the words being drawn at random from a large word
list rather than forming a sentence you would naturally say, so pick
them with dice or a generator instead of by hand. Swap the separator for
whichever symbol you like, move the number around, and fine-tune the
passphrase until you are confident you can remember it whenever
necessary.
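To make the passphrase advice concrete, here is a small generator I am adding for this page (it is example code, not taken from Bitwarden or any other product). It produces a passphrase in the same shape as =Racing-Alphabet-Gourd-Parrot3= and reports how much entropy the result carries, which is what actually decides how long an attacker needs. The sixteen-word list is constructed so the code runs offline; the 7,776-word figure is the size of the EFF long word list, which a real generator would load instead.

```python
import math
import secrets

# Constructed word list for the example only. A real generator would use a
# large, curated list such as the EFF long word list (7,776 words); the size
# of the list is what determines the entropy contributed by each word.
WORDS = [
    "racing", "alphabet", "gourd", "parrot", "canyon", "velvet", "meadow",
    "lantern", "pebble", "harbor", "saffron", "tundra", "quartz", "willow",
    "ember", "falcon",
]
EFF_LONG_LIST_SIZE = 7776  # 6**5 entries, indexed by five dice rolls


def entropy_bits(num_words: int, list_size: int, with_digit: bool = False) -> float:
    """Entropy of a passphrase built from num_words words drawn uniformly at
    random from list_size words: log2(list_size ** num_words), plus log2(10)
    for one appended random digit if with_digit is set."""
    bits = num_words * math.log2(list_size)
    if with_digit:
        bits += math.log2(10)
    return bits


def generate_passphrase(num_words: int = 4, words=WORDS, separator: str = "-",
                        rng=secrets.SystemRandom()) -> str:
    """Capitalised words joined by a separator, followed by one random digit.

    secrets.SystemRandom draws from the OS CSPRNG; the plain 'random' module
    is predictable and must never be used for secrets."""
    chosen = [rng.choice(words).capitalize() for _ in range(num_words)]
    digit = str(rng.randrange(10))
    return separator.join(chosen) + digit


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret by brute force: half the keyspace at
    the given guess rate. Use a rate that matches the hash the site uses."""
    return (2 ** bits) / 2 / guesses_per_second
```

With the constructed list, four words give only 16 bits, which is why the list size matters more than the number of words; four words from the EFF list give about 51.7 bits, plus about 3.3 bits for the trailing digit. Against a fast unsalted hash tried at ten billion guesses per second that is a matter of days, while against a properly slow key derivation function it is effectively unbreakable, which is why both the user's choice and the site's storage matter.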
Once your passwords are in the manager, review your accounts
periodically and make sure you aren't slipping back into bad password
habits such as reusing a password across sites. Krebs on Security has a
great [[https://krebsonsecurity.com/password-dos-and-donts/][blog post
on password recommendations]]. Any time a data breach is announced,
check whether you were included and reset the affected password, along
with any other account where you reused it.
* Developers
** What Are the Basic Requirements?
When developing any password-protected application, there are a few
basic rules to follow even if you do not adopt a formal standard such as
NIST SP 800-63B. The foremost is to require passwords that are at least
8 characters long and cannot easily be guessed. This sounds simple, but
it takes several complementary checks. First, the application should
compare each candidate password against a blocklist of insecure values
such as =password=, =1234abc=, or =application_name=, together with
previously breached passwords, repetitive or sequential strings, and
context-specific words such as the username.
Next, the application should offer guidance on the strength of the
password being entered during enrollment. Further, NIST explicitly
recommends *not* imposing composition rules that make passwords hard to
remember (e.g. requiring a mix of letters, numbers, and special
characters) and instead encouraging long passphrases, which may include
spaces. To make that work, accept every printing ASCII character
including the space, accept Unicode as well (applying a consistent
normalization such as NFKC before hashing, and counting each code point
as one character), and never truncate the password.
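Here is a password-acceptance check that implements the rules above. It is an illustration added for this page, not code from any library or project; the blocklist and the =ExampleApp= service name are constructed for the example, and a real deployment would load a large list of breached and common passwords instead.

```python
import unicodedata
from typing import List

# Constructed blocklist for the example. A real deployment loads a large list
# of breached and common passwords (for instance the Pwned Passwords corpus).
BLOCKLIST = {"password", "1234abc", "12345678", "qwertyuiop", "letmein123",
             "iloveyou", "welcome1"}
APP_NAME = "ExampleApp"  # assumed name of the service; not from the page

MIN_LENGTH = 8     # NIST SP 800-63B: user-chosen secrets are at least 8 characters
MAX_LENGTH = 256   # NIST: at least 64 must be accepted; a generous cap bounds hashing cost


def normalize(secret: str) -> str:
    """Apply Unicode NFKC so the same visible password always hashes the same
    way regardless of how the keyboard or OS composed it."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(secret: str) -> bool:
    """True for 'aaaaaaaa' or '12345678' / 'abcdefgh' / '87654321' style secrets."""
    if len(set(secret)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(secret, secret[1:])}
    return steps in ({1}, {-1})


def check_password(secret: str, username: str = "") -> List[str]:
    """Return the list of reasons a candidate password must be rejected.
    An empty list means the password is acceptable."""
    problems: List[str] = []
    s = normalize(secret)
    length = len(s)  # code points, not bytes: one emoji counts once
    if length < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        # Reject instead of truncating: silently cutting the secret would
        # store a password the user never chose.
        problems.append(f"longer than {MAX_LENGTH} characters")
    folded = s.casefold()
    if folded in BLOCKLIST:
        problems.append("appears on the blocklist of common or breached passwords")
    if APP_NAME.casefold() in folded:
        problems.append("contains the name of the service")
    if len(username) >= 3 and username.casefold() in folded:
        problems.append("contains the username")
    if is_repetitive_or_sequential(s):
        problems.append("is repetitive or sequential")
    # Deliberately absent: composition rules (mandatory digit, symbol or
    # upper-case letter) and any ban on spaces; NIST advises against both.
    return problems
```

Note that =correct horse battery staple= passes while =PASSWORD= fails, because the blocklist comparison is made after case folding and the length check counts normalized code points rather than bytes.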
** What Does NIST Recommend?
The National Institute of Standards and Technology
([[https://www.nist.gov][NIST]]) in the US Department of Commerce
regularly publishes guidance on information security and digital
identity. In 2017, NIST published
[[https://pages.nist.gov/800-63-3/sp800-63b.html][Special Publication
800-63B]]: Digital Identity Guidelines: Authentication and Lifecycle
Management.
#+begin_quote
A Memorized Secret authenticator - commonly referred to as a password
or, if numeric, a PIN - is a secret value intended to be chosen and
memorized by the user. Memorized secrets need to be of sufficient
complexity and secrecy that it would be impractical for an attacker to
guess or otherwise discover the correct secret value. A memorized secret
is something you know.
- NIST Special Publication 800-63B
#+end_quote
NIST offers a lot of guidance on passwords, but I'm going to highlight
just a few of the important factors:
- Require memorized secrets to be at least 8 characters when chosen by
  the user (at least 6 characters when chosen by the verifier and
  generated with an approved random bit generator), and accept secrets
  of at least 64 characters.
- Compare candidate passwords against a list of values known to be
  commonly used, expected, or compromised, and reject any that match.
- Offer guidance on password strength, such as a strength meter.
- Implement a rate-limiting mechanism that limits the number of failed
  authentication attempts on each user account.
- Do not impose composition rules, and do not require passwords to be
  changed periodically (only when there is evidence of compromise).
- Allow pasting into the identifier and password fields to facilitate
  the use of password managers.
- Allow users to view the password as it is being entered.
- Protect secrets in transit over an authenticated protected channel and
  at rest by salting (at least 32 bits of salt, unique per secret) and
  hashing them with an approved one-way key derivation function such as
  PBKDF2, using a cost factor as high as the verifier can afford, and
  ideally applying an additional keyed hash whose key is stored
  separately from the hashed secrets.
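To show how the rate-limiting and storage items fit together, here is an added example (my own illustration, not NIST's text or any product's code). It stores a salted PBKDF2-HMAC-SHA256 verifier wrapped in an HMAC under a separately held key, compares in constant time, and locks an account after repeated failures. The iteration count, the five-failure limit, the fifteen-minute lockout and the in-process "pepper" are all assumptions chosen for the example; NIST's own ceiling is 100 consecutive failures, and a real key would live in a KMS or HSM rather than being generated at start-up.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

# Assumed cost parameters: tune the iteration count so one hash takes on the
# order of 100 ms on the verifier's hardware.
ITERATIONS = 600_000
SALT_BYTES = 16           # NIST 800-63B requires a salt of at least 32 bits
MAX_FAILURES = 5          # assumed policy; NIST caps consecutive failures at 100
LOCKOUT_SECONDS = 15 * 60

# The "pepper" is the additional keyed-hash secret NIST recommends. It must be
# stored outside the credential database (HSM, KMS, or at least a separate
# secret store); it is generated in-process here only so the example runs offline.
PEPPER = secrets.token_bytes(32)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a storable verifier: random salt, PBKDF2-HMAC-SHA256, then an
    HMAC under the pepper so a database dump alone cannot be attacked offline."""
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    tag = hmac.new(PEPPER, derived, "sha256").digest()
    return f"pbkdf2_sha256${iterations}${salt.hex()}${tag.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the tag from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, tag_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    tag = hmac.new(PEPPER, derived, "sha256").digest()
    return hmac.compare_digest(tag, bytes.fromhex(tag_hex))


# A verifier for a non-existent account, so an unknown username costs the same
# time as a wrong password and accounts cannot be enumerated by timing.
DUMMY_HASH = hash_password(secrets.token_hex(16))


@dataclass
class Account:
    stored_hash: str
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    def __init__(self, clock=time.monotonic):
        self.accounts = {}
        self.clock = clock  # injectable so the lockout can be exercised without waiting

    def enroll(self, username: str, password: str, iterations: int = ITERATIONS) -> None:
        self.accounts[username] = Account(hash_password(password, iterations))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'invalid'."""
        account = self.accounts.get(username)
        if account is None:
            verify_password(password, DUMMY_HASH)
            return "invalid"
        now = self.clock()
        if now < account.locked_until:
            return "locked"
        if verify_password(password, account.stored_hash):
            account.failures = 0
            return "ok"
        account.failures += 1
        if account.failures >= MAX_FAILURES:
            # Per-account lockout. A production verifier would also throttle
            # per source address and add backoff or a CAPTCHA before a hard lock.
            account.locked_until = now + LOCKOUT_SECONDS
            account.failures = 0
        return "invalid"
```

The stored string carries its own algorithm name and iteration count, so the cost factor can be raised later and old records re-hashed at the user's next successful login without a flag day.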
NIST offers further guidance on other authenticator types, on how
verifiers should prompt for and handle secrets, and more. All the
information discussed so far comes from
[[https://pages.nist.gov/800-63-3/sp800-63b.html][NIST SP 800-63B]], but
NIST covers digital identities, enrollment, identity proofing,
authentication, lifecycle management, federation, and assertions across
the full [[https://pages.nist.gov/800-63-3/][NIST SP 800-63 Digital
Identity Guidelines]].