Password policy

Password policy is a set of rules aimed at improving computer security by encouraging users to use strong passwords and their proper use. Password policies are often part of the organization’s official rules and can be taught as part of information security . Either the password policy is advisory in nature, or computer systems force users to comply with it. Some governments have national authentication structures ^[1] that define requirements for user authentication in government services, including password requirements.

Content

Aspects

Typical password policy components:

Password length and generation

See also : Password complexity

Many policies require a minimum password length. Eight characters is typical but may not be suitable. ^[2] ^[3] ^[4] Longer passwords are usually more secure, but some systems set a maximum length for compatibility with legacy systems.

Some policies suggest or impose requirements on the type of password that the user can choose, for example:

the use of uppercase and lowercase letters ( case sensitivity )
inclusion of one or several digits
inclusion of special characters such as @, #, $
ban words found in the password blacklist
prohibition of words contained in the user's personal information
prohibition of the use of company name or abbreviation
ban passwords matching the date format, car numbers , phone numbers, or other common values

Other systems create a password for users or allow the user to select one of a limited number of displayed options.

Password blacklists

Password blacklists are lists of passwords that are always blocked. Blacklists contain passwords made up of combinations of characters that would otherwise comply with company policies, but should no longer be used because they are considered unsafe for one or more reasons. Typical examples are Password1, Qwerty123, or Qaz123wsx.

Password Expiration

Some policies require the user to change the password periodically, often every 90 or 180 days. However, the benefit of password expiration is controversial. ^[5] ^[6] Systems implementing such policies sometimes do not allow users to choose a password too close to the previous choice. ^[7]

This policy can often be unpleasant. Some users find it hard to come up with “ good ” passwords, which are also easy to remember. Ultimately, due to frequent password changes, users use much weaker combinations of valid characters; The policy also encourages users to record passwords. In addition, the policy prohibits the user from repeating the last password, which implies the need for a database of all the latest passwords (or their hashes ). Finally, users can change their password several times in a few minutes, and then return to the one they really want to use, bypassing the password change policy completely.

It is also worth considering the human factor. Unlike computers, users cannot delete one memory and replace it with another. Therefore, often changing a stored password is a burden on human memory, and most users resort to choosing a password that is relatively easy to guess. Users are often encouraged to use mnemonic rules to remember complex passwords. However, if the password needs to be changed again, the mnemonics are useless because the user will not remember which mnemonics to use. In addition, the use of mnemonics (leading to passwords such as "2BOrNot2B") makes password guessing easier.

Administration factors may also be an issue. Users sometimes have older devices that require a password that was used before the password expired. In order to manage these old devices, users may have to resort to recording all old passwords in case they need to log into the old device.

It is often better to require a very strong password and not require a password change. ^[8] However, this approach has a significant drawback: if an unauthorized person receives a password and uses it without being discovered.

These factors need to be weighed: the likelihood that someone will guess the password because it is weak compared to the likelihood that someone will be able to steal or otherwise obtain, without guessing, a stronger password.

Bruce Schneier claims that “almost everything that can be remembered can be hacked,” and recommends a scheme that uses passwords that will not be displayed in any dictionaries. ^[9]

Sanctions

Password policies can include progressive sanctions, starting with warnings and ending with a possible loss of computer privileges or shutdown. Where confidentiality is prescribed by law, for example, with state secrets , violating a password policy can be a criminal offense.

Selection Process

The required level of password strength depends, among other things, on how easy it is for an attacker to submit a few guesses. Some systems limit the number of times a user can enter an incorrect password before a delay is applied or the account is frozen. On the other hand, some systems provide a specially hashed version of the password so that anyone can verify its validity. When this is done, an attacker can try passwords very quickly; so much stronger passwords are necessary for reasonable security. (see password cracking section) More stringent requirements are also suitable for accounts with higher privileges, such as root or system administrator accounts.

Usability Considerations

Password policies typically represent a compromise between theoretical security and the practicality of human behavior. For example:

Requiring excessively complex passwords and changing them frequently can lead to users writing down passwords in places that would be easy for an attacker to find, for example, in Rolodex or on a paper note next to a computer.
Users often have dozens of passwords to manage. It may be more realistic to recommend using a single password for all low-security applications, such as reading online newspapers and accessing entertainment websites.
Similarly, requiring users to never write down their passwords can be unrealistic and lead users to choose weak ones (or cause a lot of inconvenience when users forget their password). Alternatively, you can suggest storing the recorded passwords in a safe place, for example, in a secure or encrypted main file. The validity of this approach depends on the most likely threat. While password logging can be problematic if potential attackers have access to a secure repository, if the threat is primarily remote attackers who do not have access to the repository, this can be a very safe method.
Enabling special characters can be a problem if the user must log on to a computer in another country. Some special characters are difficult or impossible to find on other language keyboards.
Some identity management systems allow you to reset your password yourself, where users can bypass password protection by providing answers to one or more security questions, such as “where were you born?”, “What is your favorite movie?” etc. Often the answers to these questions can be obtained through social engineering , phishing, or simple research.

An analysis of the password policies of 75 different websites in 2010 ^[10] concludes that security only partially explains the more stringent policies: exclusive service providers, such as government sites, have more stringent policies than sites where consumers have a choice (for example, retail sites and banks). The study concludes that sites with more stringent policies "do not have major security issues, they are simply better isolated from the consequences of poor use."

Other approaches are available that are generally considered more secure than simple passwords. These include the use of a security token or a one-time password system, such as S / Key , or multi-factor authentication . ^[11] However, these systems reinforce the trade-off between security and convenience: according to Schuman Gosemajumder, all these systems improve security, but come "by transferring the burden to the end user." ^[12]

NIST and FSB Recommendations

In June 2017, the U.S. National Institute of Standards and Technology (NIST) released a new revision of its digital authentication guidelines, NIST SP 800-63B-3. ^[13] Compare these principles with the rules for ensuring protection against unauthorized access by the Federal Security Service of the Russian Federation (FSB) ^[14]


Nist	FSB
Passwords must be at least 8 characters long if selected by the subscriber Password verification systems should allow the use of passwords selected by the subscriber, at least 64 characters long Verifiers can replace several consecutive spaces with one space before verification, provided that the result is at least 8 characters long, but the password is not truncated	Password must be at least 8 characters long
All printable ASCII characters as well as space must be valid in passwords. Unicode characters are also allowed. Verifiers should not impose other rules for password creation (for example, require mixing different types of characters or prohibit consecutive repeated characters) Verifiers should offer the subscriber recommendations, such as a password strength meter, to help the user choose a strong password. This is especially important after refusing the password in the above list, as it prevents the trivial modification of blacklisted (and probably very weak) passwords	The characters of the password must contain letters in the upper and lowercase numbers and special characters (@, #, $, &, *,%, etc.)
When processing requests for setting or changing passwords, reviewers compare alleged passwords with a list containing values known as frequently used, expected, or compromised. If the selected password is found in the list, the verifier informs the subscriber that it is necessary to select a different password, and indicates the reason for the refusal. The list may include, but is not limited to: Passwords obtained from previous violations [for example, Cloud databases ^[15] , hacked collections ^[16] ] Vocabulary words Passwords consisting of repeated or consecutive characters (for example, 'aaaaaa', '1234abcd'). Context-sensitive words such as service name, username, and derivatives of it	The password should not include easily calculated combinations of characters (names, surnames, etc.), as well as generally accepted abbreviations (USER, ADMIN, ALEX, etc.)
Verifiers must implement a rate limiting mechanism that effectively limits the number of failed authentication attempts that can be made on the subscriber’s account Validators must store passwords in a form that is resistant to offline attacks. Passwords should be salted and hashed using a suitable one-way key generation function . Key generation functions take a password, salt, and cost factor as input, and then generate a password hash	When changing the password, the new value must differ from the previous one in at least 4 positions
Verifiers should not allow the subscriber to store a “hint” available to an unauthenticated applicant, and verifiers should not encourage subscribers to use certain types of information (for example, “what was your first pet’s name?”) When choosing passwords	The user does not have the right to tell a personal password to anyone
Verifiers should not require arbitrary password changes (for example, periodically). However, verifiers should force change if there is evidence of password compromise	The frequency of password changes is determined by the adopted security policy, but should not exceed 6 months

Policy Application

The more complex the password policy, the more difficult it is to apply because of the difficulties with remembering or choosing the appropriate password.

Most companies require users to familiarize themselves with the password policy, as the company will require employees to keep abreast of security rules, but it is often difficult to provide an appropriate policy. Many systems, such as Microsoft Windows , which require passwords, have built-in methods for enforcing established policies. This is the only reliable way to enforce this policy.

Notes

↑ Improving Usability of Password Management with Standardized Password Policies . Retrieved on 2012-10-12.
↑ "Password Complexity Requirements" . The Bug Charmer. September 7, 2012.
↑ "How long should passwords be?" . The Bug Charmer. June 20, 2016.
↑ John D. Sutter (August 20, 2010). "How to create a 'super password'" . CNN Retrieved August 31, 2016.
↑ "The problems with forcing regular password expiry" . IA Matters. CESG: the Information Security Arm of GCHQ. April 15, 2016. Archived from the original on August 17, 2016. Retrieved Aug 5, 2016.
↑ spaf (April 19, 2006). "Security Myths and Passwords" . CERIAS.
↑ "Tip: Best Practices for Enforcing Password Policies" . Microsoft Retrieved 2018-03-01.
↑ Yinqian Zhang; Fabian Monrose; Michael K. Reiter (2010). The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis (PDF). Proceedings of the 17th ACM conference on Computer and communications security. New York, NY, US. pp. 176-186. doi : 10.1145 / 1866307.1866328 .
↑ "Choosing Secure Passwords" . Boingboing. March 2014 - via Schneier on Security.
↑ Where do security polices come from? Proc. Symp Usable Privacy and Security, 2010
↑ spaf (May 11, 2006). "Passwords and Myth" . CERIAS.
↑ Rosenbush, Steven; Norton, Steven (May 27, 2015). "For CISOs, IRS Breach Highlights Tension Between Security and User Convenience . " The Wall Street Journal.
↑ Grassi Paul A (June 2017). "SP 800-63B-3 - Digital Identity Guidelines, Authentication and Lifecycle Management" (PDF). NIST. doi : 10.6028 / NIST.SP.800-63b . Retrieved August 6, 2017. This article incorporates text from this source, which is in the public domain .
↑ CryptoPro | User profile (unspecified) . www.cryptopro.ru. Date of treatment December 14, 2018.
↑ Authlogics Cloud Password Breach Database
↑ Skullsecurity list of breached password collections

[1] Improving Usability of Password Management with Standardized Password Policies . Retrieved on 2012-10-12.

[2] "Password Complexity Requirements" . The Bug Charmer. September 7, 2012.

[3] "How long should passwords be?" . The Bug Charmer. June 20, 2016.

[4] John D. Sutter (August 20, 2010). "How to create a 'super password'" . CNN Retrieved August 31, 2016.

[5] "The problems with forcing regular password expiry" . IA Matters. CESG: the Information Security Arm of GCHQ. April 15, 2016. Archived from the original on August 17, 2016. Retrieved Aug 5, 2016.

[6] spaf (April 19, 2006). "Security Myths and Passwords" . CERIAS.

[7] "Tip: Best Practices for Enforcing Password Policies" . Microsoft Retrieved 2018-03-01.

[8] Yinqian Zhang; Fabian Monrose; Michael K. Reiter (2010). The Security of Modern Password Expiration: An Algorithmic Framework and Empirical Analysis (PDF). Proceedings of the 17th ACM conference on Computer and communications security. New York, NY, US. pp. 176-186. doi : 10.1145 / 1866307.1866328 .

[9] "Choosing Secure Passwords" . Boingboing. March 2014 - via Schneier on Security.

[10] Where do security polices come from? Proc. Symp Usable Privacy and Security, 2010

[11] spaf (May 11, 2006). "Passwords and Myth" . CERIAS.

[12] Rosenbush, Steven; Norton, Steven (May 27, 2015). "For CISOs, IRS Breach Highlights Tension Between Security and User Convenience . " The Wall Street Journal.

[13] Grassi Paul A (June 2017). "SP 800-63B-3 - Digital Identity Guidelines, Authentication and Lifecycle Management" (PDF). NIST. doi : 10.6028 / NIST.SP.800-63b . Retrieved August 6, 2017. This article incorporates text from this source, which is in the public domain .

[14] CryptoPro | User profile (unspecified) . www.cryptopro.ru. Date of treatment December 14, 2018.

[15] Authlogics Cloud Password Breach Database

[16] Skullsecurity list of breached password collections