Password security standards Summary

most popular global standards

NIST (National Institute of Standards and Technology)
PCI-DSS (Payment Card Industry Data Security Standard)
ISO 27001 (International Organization for Standardization)
OWASP (Open Web Application Security Project)
OWASP ASVS (application security verification standard)

Standards → developed to cover management practices and the overall architecture of security mechanisms and services

NIST

NIST

U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use
and to the promotion of U.S. private sector innovation

NIST Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity
serves as an extensive set of guidelines detailing how organizations can keep cybercriminals at bay.
divided into five distinct categories: identify, protect, detect, respond, and recover. While it’s not a complete framework,
latest NIST password guidelines to enter the industry, modified in 2017 → many of the organization’s important password recommendations

NIST - guidelines for passwords

The Password length, characters and truncation :

8 char minimum → user , 6 char minimum → machine , 64 char → max char
Truncation of the secret (password) shall not be performed when processed
support ASCII - spaces - UNICODE ( emojis )

Remove the reset: – No password expiration period

As users struggle to drum up countless creative, strong new passwords each month, they end up creating weaker passwords.

Complexity isn’t king

Users who forget their complicated passwords tend to end up replacing them with new, weaker ones.

Make it a user-friendly affair

show password while typing
allowing more users to view their passwords as they enter them. Without this option, users are more motivated to choose shorter passwords that are easier to enter correctly.

Lose the clues: – No password hints

knowledge-based authentication clues can save users from the conflict of creating a new password, they are also risky.
hackers to decode hint prompts and breach systems.

Limit the attempts

maximum of 10 login attempts before they are turned away - enough to aid a forgetful user, but not enough to assist brute-force attackers

A hands-free approach

No SMS texting services for 2FA (use a one-time password from an app like Google Authenticator)
SMS delivery isn’t entirely secure → attacker insert malware into the system → redirect text messages

Check chosen password with known password dictionaries

OWASP

nonprofit foundation that works to improve the security of software through

Tools and Resources

community-led open-source software projects

Community and Networking

hundreds of local chapters worldwide,
tens of thousands of members,

Education & Training

leading educational and training conferences

source for developers and technologists to secure the web.

OWASP - guidelines for passwords

Do do not truncate passwords, every character the user types in is actually included in the password.
at least 3 out of the following 4 complexity rules

at least → 1 uppercase character (A-Z), 1 lowercase character (a-z), 1 digit (0-9), 1 special characters as ( space )

at least 10 characters, at most 128 characters
not more than 2 identical characters in a row
Ensure credential rotation when password leak or compromise identification.
Include password strength meter → to help users create a more complex password
block common and previously breached passwords

ISO

nongovernmental organization → work results in international agreements that are published as International Standards
ISO 27000 Series → Code of Practice for Information Security Management

One of the most widely referenced - Originally published as British Standard 7799 and then later as ISO/IEC 17799
guidelines for initiating, implementing, maintaining, and improving information security management

Key ISO/IEC 27002 password guidelines

enforce use → user IDs and passwords → accountability
allow users to select and change their own passwords
enforce the choice of quality passwords

easy to remember
not based on anything somebody else could easily guess - or related information
not vulnerable to dictionary attacks
free of consecutive identical as all-numeric
if temporary → changed at the first log-on.

Enforce regular password changes and as needed;
Force users to change temporary passwords at the first log-on
maintain a record of previous user passwords and prevent re-use;
not display passwords on the screen when being entered
store password files separately from application system data
store and transmit passwords in protected encrypt - hash

PCI DSS

set of requirements to ensure sensitive data is protected
privacy is maintained
networking systems are robust enough to withstand cyber-attacks

guidelines are published PCI SSC - PCI Security Standards Council
PCI SSC → global forum brings together payments industry stakeholders to develop data security standards and resources for safe payments worldwide.
PCI standards aren't specific to any one country or organization but rather function as a global set of standards that everyone can adhere to.
Requirement 2 and 8 in the document talks about password requirements for logging into cardholder data environments.

PCI DSS - password guidelines

Always change vendor defaults (passwords and settings)
remove or disable unnecessary default accounts before installing a system on the network
Remove/disable inactive user accounts within 90 days
Limit repeated access attempts by locking out the user ID - not more than six attempts
Set the lockout duration to a minimum of 30 minutes or until an administrator enables user ID
If a session has been for more than 15 minutes → require user to re-authenticate to re-activate the session
Passwords should have a minimum length of at least → seven characters and contain both numeric and alphabetic characters
Change user passwords at least once every 90 days
Do not allow an individual to submit a new password that is the same as any of the last four passwords - passphrases they have used

passphrase is basically a longer password, usually at least 14 characters in length, with spaces between words

Set passwords for first-time use → change immediately after the first use and upon reset to a unique value for each user
Enforce multi-factor authentication

NIST

NIST

U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use
and to the promotion of U.S. private sector innovation

NIST Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity
serves as an extensive set of guidelines detailing how organizations can keep cybercriminals at bay.
divided into five distinct categories: identify, protect, detect, respond, and recover. While it’s not a complete framework,
latest NIST password guidelines to enter the industry, modified in 2017 → many of the organization’s important password recommendations

NIST - guidelines for passwords

The Password length, characters and truncation :

8 char minimum → user , 6 char minimum → machine , 64 char → max char
Truncation of the secret (password) shall not be performed when processed
support ASCII - spaces - UNICODE ( emojis )

Remove the reset: – No password expiration period

As users struggle to drum up countless creative, strong new passwords each month, they end up creating weaker passwords.

Complexity isn’t king

Users who forget their complicated passwords tend to end up replacing them with new, weaker ones.

Make it a user-friendly affair

show password while typing
allowing more users to view their passwords as they enter them. Without this option, users are more motivated to choose shorter passwords that are easier to enter correctly.

Lose the clues: – No password hints

knowledge-based authentication clues can save users from the conflict of creating a new password, they are also risky.
hackers to decode hint prompts and breach systems.

Limit the attempts

maximum of 10 login attempts before they are turned away - enough to aid a forgetful user, but not enough to assist brute-force attackers

A hands-free approach

No SMS texting services for 2FA (use a one-time password from an app like Google Authenticator)
SMS delivery isn’t entirely secure → attacker insert malware into the system → redirect text messages

Check chosen password with known password dictionaries

OWASP

nonprofit foundation that works to improve the security of software through

Tools and Resources

community-led open-source software projects

Community and Networking

hundreds of local chapters worldwide,
tens of thousands of members,

Education & Training

leading educational and training conferences

source for developers and technologists to secure the web.

OWASP - guidelines for passwords

Do do not truncate passwords, every character the user types in is actually included in the password.
at least 3 out of the following 4 complexity rules

at least → 1 uppercase character (A-Z), 1 lowercase character (a-z), 1 digit (0-9), 1 special characters as ( space )

at least 10 characters, at most 128 characters
not more than 2 identical characters in a row
Ensure credential rotation when password leak or compromise identification.
Include password strength meter → to help users create a more complex password
block common and previously breached passwords

ISO

nongovernmental organization → work results in international agreements that are published as International Standards
ISO 27000 Series → Code of Practice for Information Security Management

One of the most widely referenced - Originally published as British Standard 7799 and then later as ISO/IEC 17799
guidelines for initiating, implementing, maintaining, and improving information security management

Key ISO/IEC 27002 password guidelines

enforce use → user IDs and passwords → accountability
allow users to select and change their own passwords
enforce the choice of quality passwords

easy to remember
not based on anything somebody else could easily guess - or related information
not vulnerable to dictionary attacks
free of consecutive identical as all-numeric
if temporary → changed at the first log-on.

Enforce regular password changes and as needed;
Force users to change temporary passwords at the first log-on
maintain a record of previous user passwords and prevent re-use;
not display passwords on the screen when being entered
store password files separately from application system data
store and transmit passwords in protected encrypt - hash

PCI DSS

set of requirements to ensure sensitive data is protected
privacy is maintained
networking systems are robust enough to withstand cyber-attacks

guidelines are published PCI SSC - PCI Security Standards Council
PCI SSC → global forum brings together payments industry stakeholders to develop data security standards and resources for safe payments worldwide.
PCI standards aren't specific to any one country or organization but rather function as a global set of standards that everyone can adhere to.
Requirement 2 and 8 in the document talks about password requirements for logging into cardholder data environments.

PCI DSS - password guidelines

Always change vendor defaults (passwords and settings)
remove or disable unnecessary default accounts before installing a system on the network
Remove/disable inactive user accounts within 90 days
Limit repeated access attempts by locking out the user ID - not more than six attempts
Set the lockout duration to a minimum of 30 minutes or until an administrator enables user ID
If a session has been for more than 15 minutes → require user to re-authenticate to re-activate the session
Passwords should have a minimum length of at least → seven characters and contain both numeric and alphabetic characters
Change user passwords at least once every 90 days
Do not allow an individual to submit a new password that is the same as any of the last four passwords - passphrases they have used

passphrase is basically a longer password, usually at least 14 characters in length, with spaces between words

Set passwords for first-time use → change immediately after the first use and upon reset to a unique value for each user
Enforce multi-factor authentication