Standards → developed to cover management practices and the overall architecture of security mechanisms and services
NIST
U.S. federal agency that deals with measurement science, standards, and technology related to U.S. government use
and to the promotion of U.S. private sector innovation
NIST Cybersecurity Framework
Framework for Improving Critical Infrastructure Cybersecurity
serves as an extensive set of guidelines detailing how organizations can keep cybercriminals at bay.
divided into five distinct categories: identify, protect, detect, respond, and recover. While it’s not a complete framework,
latest NIST password guidelines (revised in 2017) → contain many of the organization's important password recommendations
NIST - guidelines for passwords
Password length, characters and truncation:
8 char minimum → user-chosen passwords, 6 char minimum → machine-generated passwords, 64 char → maximum length to accept
Truncation of the secret (password) shall not be performed when it is processed
support ASCII (including spaces) and Unicode (including emojis)
Remove the reset → no password expiration period
As users struggle to come up with countless creative, strong new passwords each month, they end up creating weaker ones.
Complexity isn’t king
Users who forget their complicated passwords tend to end up replacing them with new, weaker ones.
Make it a user-friendly affair
show password while typing
allow users to view their passwords as they enter them; without this option, users are more motivated to choose shorter passwords that are easier to enter correctly.
Lose the clues → no password hints
although knowledge-based authentication clues can spare users the trouble of creating a new password, they are also risky:
they help attackers decode hint prompts and breach systems.
Limit the attempts
maximum of 10 login attempts before the user is turned away: enough to aid a forgetful user, but not enough to assist brute-force attackers
A hands-free approach
No SMS text messages for 2FA (use a one-time password from an app like Google Authenticator)
SMS delivery isn't entirely secure → an attacker who inserts malware into the system can redirect text messages
Check chosen passwords against dictionaries of known (breached) passwords
OWASP
nonprofit foundation that works to improve the security of software through:
Tools and Resources
community-led open-source software projects
Community and Networking
hundreds of local chapters worldwide,
tens of thousands of members,
Education & Training
leading educational and training conferences
the source for developers and technologists to secure the web.
OWASP - guidelines for passwords
Do not truncate passwords: every character the user types is actually included in the password.
at least 3 of the following 4 complexity rules:
at least → 1 uppercase character (A-Z), 1 lowercase character (a-z), 1 digit (0-9), 1 special character (space counts as a special character)
at least 10 characters, at most 128 characters
not more than 2 identical characters in a row
Ensure credential rotation when a password leak or compromise is identified.
Include password strength meter → to help users create a more complex password
block common and previously breached passwords
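The two password-acceptance policies summarised above (the NIST rules in the earlier section and the OWASP rules in this one) side by side, as an added example that is not part of the lecture notes. Function names, error strings and the tiny blocklist are my own; a real verifier would check against a large breached-password corpus rather than the five constructed entries here.

```python
# Added example (not from the lecture notes): two password-acceptance checks,
# one following the NIST rules summarised above and one following the OWASP
# rules. Function names, error strings and the tiny blocklist are my own.
import unicodedata

# Constructed stand-in for a dictionary of known-breached passwords; a real
# verifier would query a large corpus such as a Pwned Passwords download.
BREACHED = {"password", "123456", "qwerty", "letmein", "password1"}


def nist_check(pw: str, user_chosen: bool = True, max_len: int = 64):
    """NIST: 8-char minimum for user-chosen, 6 for machine-generated, 64-char
    maximum, no truncation, any ASCII/Unicode character, blocklist check, and
    no composition rules. Returns (accepted, reason)."""
    # NIST (SP 800-63B, 2017) has verifiers NFKC-normalise before measuring
    # length so that visually identical Unicode input compares equal.
    pw = unicodedata.normalize("NFKC", pw)
    length = len(pw)  # counts code points, so one emoji is one character
    min_len = 8 if user_chosen else 6
    if length < min_len:
        return False, f"shorter than {min_len} characters"
    if length > max_len:
        # Reject rather than silently truncate: the user must know what was kept.
        return False, f"longer than {max_len} characters"
    if pw.lower() in BREACHED:
        return False, "found in breached-password dictionary"
    return True, "ok"  # no uppercase/digit/symbol rules, no hints, no expiry


def owasp_check(pw: str, blocked=BREACHED):
    """OWASP: 10-128 characters, 3 of 4 character classes (space counts as
    special), no more than 2 identical characters in a row, blocklist check.
    Length is measured on the full input: nothing is truncated.
    Returns (accepted, reason)."""
    if not 10 <= len(pw) <= 128:
        return False, "length must be between 10 and 128 characters"
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),  # punctuation and space
    )
    if sum(classes) < 3:
        return False, "needs at least 3 of 4 character classes"
    # A run of 3 identical characters means more than 2 in a row.
    for i in range(len(pw) - 2):
        if pw[i] == pw[i + 1] == pw[i + 2]:
            return False, "more than 2 identical characters in a row"
    if pw.lower() in blocked:
        return False, "common or previously breached password"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("correct horse battery", "Tr0ub4dor&3", "password", "Passsword123!"):
        print(repr(sample), "NIST:", nist_check(sample), "OWASP:", owasp_check(sample))
```

Running it shows the practical difference between the two documents: a long all-lowercase passphrase with spaces passes the NIST check (length and blocklist only) but fails OWASP's three-of-four rule, while a short mixed-class password can pass OWASP and still be rejected by NIST if it appears in the breached list.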
ISO
nongovernmental organization → work results in international agreements that are published as International Standards
ISO 27000 Series → Code of Practice for Information Security Management
One of the most widely referenced; originally published as British Standard 7799 and later as ISO/IEC 17799
guidelines for initiating, implementing, maintaining, and improving information security management
Key ISO/IEC 27002 password guidelines
enforce the use of user IDs and passwords → accountability
allow users to select and change their own passwords
enforce the choice of quality passwords:
easy to remember
not based on anything somebody else could easily guess, or on related personal information
not vulnerable to dictionary attacks
free of consecutive identical characters and not all-numeric
if temporary → must be changed at the first log-on.
Enforce regular password changes, and changes as needed;
Force users to change temporary passwords at the first log-on
maintain a record of previous user passwords and prevent re-use;
not display passwords on the screen when being entered
store password files separately from application system data
store and transmit passwords in protected form (encrypted or hashed)
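The last three ISO 27002 points (a record of previous passwords to prevent re-use, password files kept apart from application data, and passwords stored only in protected form) as a small credential store, added here as an example; it is not from the notes or from ISO. It uses PBKDF2-HMAC-SHA256 from the standard library with a random per-user salt; class and function names and the iteration count are my own choices, and the default history depth of 4 is chosen so the same store also satisfies the PCI DSS "not the same as any of the last four" rule in the next section.

```python
# Added example (not from the lecture notes): a credential store kept apart
# from application data, holding only salted PBKDF2 hashes plus a short history
# of previous hashes so an old password cannot be reused. Names and the
# iteration count are my own choices.
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor; demo value, raise in production
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash under the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class CredentialStore:
    """Password records only, kept separate from application data (ISO 27002).

    Each user maps to a list of (salt, digest) pairs, newest first, capped at
    history_depth entries; index 0 is the current password."""

    def __init__(self, history_depth: int = 4):
        self.history_depth = history_depth
        self._hashes: Dict[str, List[Tuple[bytes, bytes]]] = {}

    def set_password(self, user: str, new_password: str) -> bool:
        """Store a new password unless it matches one of the last history_depth."""
        previous = self._hashes.get(user, [])
        if any(verify(new_password, salt, digest) for salt, digest in previous):
            return False  # re-use of a recent password is refused
        updated = [hash_password(new_password)] + previous
        self._hashes[user] = updated[: self.history_depth]
        return True

    def authenticate(self, user: str, password: str) -> bool:
        """Check a login against the current (newest) hash for the user."""
        previous = self._hashes.get(user)
        if not previous:
            # Burn the same work for unknown users so response time does not
            # reveal which user names exist.
            hash_password(password, b"\x00" * SALT_BYTES)
            return False
        salt, digest = previous[0]
        return verify(password, salt, digest)


if __name__ == "__main__":
    store = CredentialStore()
    print(store.set_password("alice", "first pass 1"))   # True
    print(store.set_password("alice", "first pass 1"))   # False: re-use refused
    print(store.authenticate("alice", "first pass 1"))   # True
```

Because only salts and digests are retained, the history check has to re-hash the candidate password against each stored salt; that cost grows with history depth, which is one reason standards keep the depth small.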
PCI DSS
set of requirements to ensure that sensitive data is protected,
that privacy is maintained,
and that networking systems are robust enough to withstand cyber-attacks
guidelines are published by the PCI SSC (PCI Security Standards Council)
PCI SSC → global forum brings together payments industry stakeholders to develop data security standards and resources for safe payments worldwide.
PCI standards aren't specific to any one country or organization but rather function as a global set of standards that everyone can adhere to.
Requirements 2 and 8 of the document cover password requirements for logging into cardholder data environments.
PCI DSS - password guidelines
Always change vendor defaults (passwords and settings)
remove or disable unnecessary default accounts before installing a system on the network
Remove/disable inactive user accounts within 90 days
Limit repeated access attempts by locking out the user ID after not more than six attempts
Set the lockout duration to a minimum of 30 minutes, or until an administrator re-enables the user ID
If a session has been idle for more than 15 minutes → require the user to re-authenticate to re-activate the session
Passwords should have a minimum length of at least seven characters and contain both numeric and alphabetic characters
Change user passwords at least once every 90 days
Do not allow an individual to submit a new password/passphrase that is the same as any of the last four they have used
a passphrase is basically a longer password, usually at least 14 characters in length, with spaces between words
Set passwords for first-time use and upon reset to a unique value for each user → change immediately after the first use
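The time- and count-based PCI DSS rules in this list (six attempts then lockout, 30-minute lockout or administrator unlock, 15-minute idle timeout, 90-day password age, 90-day inactive-account removal, and single-use first-time passwords) as one policy object, added here as an example that is not from the notes or from the PCI SSC. The clock is injected so the limits can be exercised without waiting; the password comparison itself is assumed to happen elsewhere (a hash check), and login() simply takes that result. Class, method and constant names are my own.

```python
# Added example (not from the lecture notes): the time-based PCI DSS account
# rules as a small policy object with an injected clock. The password hash is
# checked elsewhere; login() receives the outcome. Names are my own.
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

MAX_ATTEMPTS = 6               # lock the user ID after this many failures
LOCKOUT_SECONDS = 30 * 60      # minimum 30-minute lockout
IDLE_SECONDS = 15 * 60         # re-authenticate after 15 idle minutes
MAX_PASSWORD_AGE = 90 * 86400  # change passwords at least every 90 days
INACTIVE_LIMIT = 90 * 86400    # disable accounts unused for 90 days


@dataclass
class Account:
    password_set_at: float
    last_activity: float
    must_change: bool = True   # first-use / reset passwords are single-use
    failed_attempts: int = 0
    locked_until: float = 0.0
    disabled: bool = False


class AccessPolicy:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now  # injectable clock, time.time by default

    def login(self, acct: Account, password_ok: bool) -> str:
        """Outcome of one attempt: disabled, locked, denied, change_password or ok."""
        t = self.now()
        if acct.disabled:
            return "disabled"
        if acct.locked_until:
            if t < acct.locked_until:
                return "locked"  # inside the lockout window, even with a correct password
            acct.locked_until = 0.0  # window over: start a fresh count
            acct.failed_attempts = 0
        if not password_ok:
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_ATTEMPTS:
                acct.locked_until = t + LOCKOUT_SECONDS
                return "locked"
            return "denied"
        acct.failed_attempts = 0
        acct.last_activity = t
        if acct.must_change or t - acct.password_set_at > MAX_PASSWORD_AGE:
            return "change_password"
        return "ok"

    def admin_unlock(self, acct: Account) -> None:
        """An administrator may re-enable the user ID before the 30 minutes elapse."""
        acct.locked_until = 0.0
        acct.failed_attempts = 0

    def change_password(self, acct: Account) -> None:
        """Record a successful password change (the new hash is stored elsewhere)."""
        acct.password_set_at = self.now()
        acct.must_change = False

    def session_active(self, acct: Account) -> bool:
        """True if the session may continue; False means re-authentication is required."""
        t = self.now()
        if t - acct.last_activity > IDLE_SECONDS:
            return False
        acct.last_activity = t
        return True

    def sweep_inactive(self, accounts: Dict[str, Account]) -> List[str]:
        """Disable accounts idle longer than INACTIVE_LIMIT; returns the names disabled."""
        t = self.now()
        disabled = []
        for name, acct in accounts.items():
            if not acct.disabled and t - acct.last_activity > INACTIVE_LIMIT:
                acct.disabled = True
                disabled.append(name)
        return disabled


if __name__ == "__main__":
    policy = AccessPolicy()
    acct = Account(password_set_at=time.time(), last_activity=time.time(), must_change=False)
    print([policy.login(acct, False) for _ in range(6)])  # five 'denied', then 'locked'
    print(policy.login(acct, True))                       # 'locked' until 30 minutes pass
```

Note that a correct password during the lockout window still returns "locked": the lockout is keyed to the user ID, not to the password, which is what makes it effective against online guessing.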