1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
#+date: <2019-12-16 Mon 00:00:00>
#+title: Password Security
#+description:
#+slug: password-security
* Users
** Why Does It Matter?
Information security, including passwords and identities, has become one of the
most important digital highlights of the last decade. With [[https://www.usatoday.com/story/money/2018/12/28/data-breaches-2018-billions-hit-growing-number-cyberattacks/2413411002/][billions of people
affected by data breaches each year]], there's a greater need to introduce strong
information security systems. If you think you've been part of a breach, or you
want to check and see, you can use [[https://haveibeenpwned.com/][Have I Been Pwned]] to see if your email has
been involved in any public breaches. Remember that there's a possibility that a
company experienced a breach and did not report it to anyone.
** How Do I Protect Myself?
The first place to start with any personal security check-up is to gather a list
of all the different websites, apps, or programs that require you to have login
credentials. Optionally, once you know where your information is being stored,
you can sort the list from the most-important items such as banks or government
logins to less important items such as your favorite meme site. You will want to
ensure that your critical logins are secure before getting to the others.
Once you think you have a good idea of all your different authentication
methods, I recommend using a password manager such as [[https://bitwarden.com/][Bitwarden]]. Using a
password manager allows you to automatically save your logins, create randomized
passwords, and transfer passwords across devices. However, you'll need to
memorize your "vault password" that allows you to open the password manager.
It's important to make this something hard to guess since it would allow anyone
who has it to access every password you've stored in there.
Personally, I recommend using a [[https://en.wikipedia.org/wiki/Passphrase][passphrase]] instead of a [[https://en.wikipedia.org/wiki/Password][password]] for your vault
password. Instead of using a string of characters (whether random or simple),
use a phrase and add in symbols and a number. For example, your vault password
could be =Racing-Alphabet-Gourd-Parrot3=. Swap the symbols out for whichever
symbol you want, move the number around, and fine-tune the passphrase until you
are confident that you can remember it whenever necessary.
Once you've stored your passwords, make sure you continually check up on your
account and make sure you aren't following bad password practices. Krebs on
Security has a great [[https://krebsonsecurity.com/password-dos-and-donts/][blog post on password recommendations]]. Any time that a data
breach happens, make sure you check to see if you were included, and if you need
to reset any account passwords.
* Developers
** What Are the Basic Requirements?
When developing any password-protected application, there are a few basic rules
that anyone should follow even if they do not follow any official guidelines
such as NIST. The foremost practice is to require users to use passwords that
are at least 8 characters and cannot easily be guessed. This sounds extremely
simple, but it requires quite a few different strategies. First, the application
should check the potential passwords against a dictionary of insecure passwords
such =password=, =1234abc=, or =application_name=.
Next, the application should offer guidance on the strength of passwords being
entered during enrollment. Further, NIST officially recommends *not*
implementing any composition rules that make passwords hard to remember (e.g.
passwords with letters, numbers, and special characters) and instead encouraging
the use of long pass phrases which can include spaces. It should be noted that
to be able to keep spaces within passwords, all unicode characters should be
supported, and passwords should not be truncated.
** What Does NIST Recommend?
The National Institute of Standards and Technology ([[https://www.nist.gov][NIST]]) in the US Department
of Commerce regularly publishes information around information security and
digital identity guidelines. Recently, NIST published [[https://pages.nist.gov/800-63-3/sp800-63b.html][Special Publication
800-63b]]: Digital Identity Guidelines and Authentication and Lifecycle
Management.
#+begin_quote
A Memorized Secret authenticator - commonly referred to as a password or, if
numeric, a PIN - is a secret value intended to be chosen and memorized by the
user. Memorized secrets need to be of sufficient complexity and secrecy that it
would be impractical for an attacker to guess or otherwise discover the correct
secret value. A memorized secret is something you know.
- NIST Special Publication 800-63B
#+end_quote
NIST offers a lot of guidance on passwords, but I'm going to highlight just a
few of the important factors:
- Require passwords to be a minimum of 8 characters (6 characters if randomly
generated and be generated using an approved random bit generator).
- Compare potential passwords against a list that contains values known to be
commonly-used, expected, or compromised.
- Offer guidance on password strength, such as a strength meter.
- Implement a rate-limiting mechanism to limit the number of failed
authentication attempts for each user account.
- Do not require composition rules for passwords and do not require passwords to
be changed periodically (unless compromised).
- Allow pasting of user identification and passwords to facilitate the use of
password managers.
- Allow users to view the password as it is being entered.
- Use secure forms of communication and storage, including salting and hashing
passwords using a one-way key derivation function.
NIST offers further guidance on other devices that require specific security
policies, querying for passwords, and more. All the information discussed so far
comes from [[https://pages.nist.gov/800-63-3/sp800-63b.html][NIST SP800-63b]] but NIST offers a lot of information on digital
identities, enrollment, identity proofing, authentication, lifecycle management,
federation, and assertions in the total [[https://pages.nist.gov/800-63-3/][NIST SP800-63 Digital Identity
Guidelines]].
|
