Passwords, Shared Secrets, PINs, “Security Questions,” and more.

The most familiar component of cybersecurity, recognized world-wide, is the password. Everyone deals with passwords in their personal life, even if they don’t use the Internet at all. What are we talking about? Think about all the various PINs, pass phrases, and codes you’ve had to keep track of throughout your life – from the magic word (“please”) you learned as a kid to the combination lock on the travel luggage you use as an adult. And if you do use the Internet, well, then you may have 100 different accounts that each have a password (one that is supposed to be unique and memorized)! How is one to manage this challenge?

Information technology personnel know the pain of password management better than anyone. They are the ones who come across a sticky note under the CEO’s keyboard with the credentials for the CEO’s email account. Should the IT person say something or let it go? When they say something, the response is usually some combination of “you keep making me change my password,” “I have too many passwords to keep track of,” “they are just too long,” and “I can’t remember them because…”

Every IT person has many tragic password stories to share. Here are a few of our very real favorite examples:

  • The user’s login username and password are on a sticky note attached to their monitor. Note: putting the sticky note under the keyboard is not a solution!

  • The user emails IT Support with their username and password provided in cleartext, hoping that might help IT troubleshoot.

  • After receiving an email from the “Help Desk” with the misspelled subject “IT Massage,” a user clicks the link provided and enters their username and password. Shortly after this, their email is compromised.

  • A user used the same password… everywhere. After one of their social media providers was breached, the bad guys took over all of their accounts – including work.

US Government Recommendations.

NIST’s SP 800-63B (Digital Identity Guidelines: Authentication and Lifecycle Management, part of the Revision 3 guidelines first published in 2017 and updated with errata in March 2020) attempts to address the issue of users with stickies under their keyboards. Alongside the authentication requirements it includes a discussion of usability considerations (Section 10) and an appendix on the strength of passwords (Appendix A). Some of the recommendations regarding “memorized secrets” may surprise you, including an 8-character minimum and no composition (complexity) requirements. Note that NIST uses the term “memorized secrets” for passwords and, when numeric, personal identification numbers (PINs). Most of the recommendations on passwords are located in Section 5.1.1 of SP 800-63B.

Four items in the updated recommendations stood out to us here at Overt:

(1) SP 800-63B Section 5.1.1.1, Paragraph 1: “Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber.” …

(2) SP 800-63B Section 5.1.1.2: “Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets.”

(3) SP 800-63B Section 5.1.1.2, Paragraph 9: “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

(4) SP 800-63B Section 5.1.3.3, Paragraph 1: “Use of the PSTN for out-of-band verification is RESTRICTED as described in this section…”

Overt Channel Recommendations.

Using the NIST recommendations as a baseline, below is Overt’s list of password strategies:

  1. Use unique passwords for each system. In other words, avoid password reuse.
  2. Never share a password or security token. A password should never appear in an email.
  3. Require a minimum of 12 characters for user-created passwords; require 16 characters for administrator accounts.
  4. Require basic complexity: at least one uppercase letter, one lowercase letter, one number, and one special character. (This is a deliberate departure from NIST, which advises verifiers not to impose composition rules; it complements, rather than replaces, the blocklist in item 7.)
  5. Accept passwords of at least 64 characters in length.
  6. Accept all printable ASCII characters, including spaces.
  7. Compare user-created passwords against a blocklist and reject passwords that contain, for example:
       • Passwords obtained from threat feeds, including previous breaches;
       • Dictionary words;
       • Repetitive or sequential characters, such as “abc123”;
       • Context-specific words, such as the username or the name of the service.
  8. Require a password change when there is evidence of compromise.
  9. Require multi-factor authentication whenever possible. Administrative accounts should use authenticator apps or hardware tokens (fobs) rather than SMS or voice codes, given the PSTN restriction noted above.
  10. Implement single sign-on or federation; aim for a single identity authority.
  11. Provide an enterprise password manager to users.
  12. Educate users: remind them never to share a password, never to reuse a password, how to create a good password, and why passwords matter. Encourage users to “take home” these lessons and apply them to personal accounts.
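As an added example (not code from Overt or NIST), the following Python check implements items 3 through 7 of the list above as a single acceptance function: length floors for users and administrators, the four-class complexity rule, the printable-ASCII-with-spaces character set, and the blocklist checks for breached passwords, dictionary words, repetitive or sequential runs, and the username. The breach list, dictionary, and usernames are small constructed stand-ins for a real threat feed and word list; the whole string is evaluated, so nothing is truncated.

```python
"""Password-acceptance check for the Overt policy (added example, not Overt's code).

The BREACHED and DICTIONARY sets are constructed stand-ins; a real deployment
feeds them from breach corpora and a word list. Usernames are hypothetical.
"""
import re
import string
from typing import List

MIN_LEN_USER = 12        # item 3: user-created passwords
MIN_LEN_ADMIN = 16       # item 3: administrator accounts
MAX_LEN = 256            # item 5 says accept at least 64; a ceiling only bounds hashing cost
# item 6: the 95 printable ASCII characters, including the space (other whitespace excluded)
ALLOWED = set(string.printable) - set("\t\n\r\x0b\x0c")

BREACHED = {"password", "qwerty", "letmein", "123456"}      # constructed stand-in for a threat feed
DICTIONARY = {"summer", "welcome", "dragon", "monkey"}      # constructed stand-in for a word list


def _has_run(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` identical chars ('aaa') or a straight ascending
    or descending sequence ('abc', '321'), compared case-insensitively."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if len(set(chunk)) == 1:
            return True
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, username: str, admin: bool = False) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.
    The entire password is examined: no truncation before any check."""
    problems = []
    min_len = MIN_LEN_ADMIN if admin else MIN_LEN_USER
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if any(c not in ALLOWED for c in pw):
        problems.append("contains non-printable or non-ASCII characters")
    # item 4: one uppercase, one lowercase, one digit, one special (space counts as special)
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)
            and re.search(r"[0-9]", pw) and re.search(r"[^A-Za-z0-9]", pw)):
        problems.append("needs upper, lower, digit and special character")
    # item 7: blocklist checks, all case-insensitive substring matches
    low = pw.lower()
    if any(w in low for w in BREACHED):
        problems.append("appears in breach corpus")
    if any(w in low for w in DICTIONARY):
        problems.append("contains a dictionary word")
    if _has_run(pw):
        problems.append("contains repetitive or sequential characters")
    if username and username.lower() in low:
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for pw, user, admin in [("abc123", "bob", False),
                            ("Password1!xyzAB", "xyz", False),
                            ("Tr0ub4dor&3 Gh!", "root", True),
                            ("correct horse battery staple 9X!", "alice", False)]:
        print(f"{pw!r:40} -> {check_password(pw, user, admin) or 'OK'}")
```

Returning the full list of violations, rather than stopping at the first, lets the enrollment page tell the user everything that is wrong in one round trip; the substring matching against the breach and dictionary lists is deliberately aggressive, since “Password1!” should fail even though it is not literally in the breach corpus.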

When prompting a user to enter a password:

  • Provide NO hints or knowledge-based prompts (e.g., “What was the name of your first pet?”).
  • Provide an option to view the password as it is being entered.
  • Allow 10 attempts before account lockout.
  • Allow pasting of passwords to facilitate the use of password managers.

Other rules, applicable to developers and systems designers, include:

  • When processing passwords, truncation is NOT allowed: the whole secret, exactly as entered, goes into verification.
  • When storing passwords, store only a salted hash produced by a purpose-built, deliberately slow password hashing function (SP 800-63B names PBKDF2 and Balloon); never store the plaintext or a reversibly encrypted copy.
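An added example, not code from Overt or NIST, of how the two developer rules look in practice: enrollment produces a salted PBKDF2-HMAC-SHA256 record, login verifies against it with a constant-time comparison, and a helper shows that a long secret and its 72-character prefix verify differently, which is what “no truncation” means in code (bcrypt, by contrast, stops at 72 bytes). The algorithm is one SP 800-63B names; the iteration count, salt size, and record format are this example’s own choices, and the NFKC normalization step follows the SP 800-63B recommendation for memorized secrets.

```python
"""Salted, slow hashing of memorized secrets (added example, not Overt's code).

Assumptions: PBKDF2-HMAC-SHA256 with 600,000 iterations and a 16-byte salt,
stored as 'alg$iterations$salt_hex$hash_hex'. Tune the iteration count by
measuring your own verifier hardware.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

ALG = "pbkdf2_sha256"
ITERATIONS = 600_000      # assumption; raise as hardware gets faster
SALT_BYTES = 16           # 128-bit random salt (SP 800-63B requires at least 32 bits)


def _prepare(password: str) -> bytes:
    """NFKC-normalize (so the same secret typed on different platforms matches),
    then UTF-8 encode. The entire secret is used: no truncation anywhere."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Enrollment: return a self-describing record suitable for the credential store."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", _prepare(password), salt, iterations)
    return f"{ALG}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Login: recompute with the stored salt and iteration count, compare in constant time."""
    alg, iters, salt_hex, hash_hex = record.split("$")
    if alg != ALG:
        raise ValueError(f"unsupported algorithm {alg!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", _prepare(password),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def demo_no_truncation(iterations: int = ITERATIONS) -> bool:
    """True when a 116-character secret verifies but its first 72 characters do not,
    i.e. the verifier really used the whole secret."""
    long_pw = "correct horse battery staple " * 4        # constructed 116-character secret
    rec = hash_password(long_pw, iterations=iterations)
    return verify_password(long_pw, rec) and not verify_password(long_pw[:72], rec)


if __name__ == "__main__":
    rec = hash_password("Kq7! example secret")
    print(rec)
    print("correct password verifies:", verify_password("Kq7! example secret", rec))
    print("trailing space rejected:  ", verify_password("Kq7! example secret ", rec))
    print("no truncation:            ", demo_no_truncation())
```

Because the record carries its own algorithm name and iteration count, the verifier can raise the cost for new enrollments (or rehash on a successful login) without invalidating existing records, and a record produced under a weaker setting is identifiable in the store.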
