Password Security Practices

General Recommendations

Below is a list of general recommendations for password selection and password usage policy. Please note that the list is not exhaustive, as each organization often has its own unique security needs.

Password Selection

• Use multi-factor authentication in all corporate systems accessible from the internet. It is better to use multi-factor authentication wherever it is available.

• Use a password manager to store and generate passwords.

• Use passwords that are at least 15 characters long.

• Avoid reusing passwords.

Password Policy

• Avoid overly complex password creation requirements – choose an appropriate
password length.

• Change passwords when signs or suspicions of compromise appear.

• Use single sign-on (SSO) to make it easier for users to access the organization's systems.

• Use multi-factor authentication for all remote access solutions (e.g., VPN) and privileged accounts.

• Create a blacklist of commonly used passwords so that users
cannot use them.

• Implement advanced password handling practices and regular employee awareness activities on password usage.

Problems related to passwords

Strong passwords are complex and usually require a combination of uppercase and lowercase letters, numbers, and special characters. In addition, organizations often set minimum password length rules, and in some cases, regular password changes may be required.

Many users struggle with password requirements, especially when they have to remember many complex passwords. This often leads users to use workarounds and unsafe alternatives, including reusing the same passwords across different systems, using simple and predictable ways to create passwords, and storing passwords in unsafe places.

Attackers use tactics such as brute force, rainbow tables (a method of quickly finding the password value by its hash), dictionary attacks (in July 2024, a file named rockyou2024 containing 9,948,575,739 unique passwords was discovered on a hacker forum), password spraying attacks (a cyberattack tactic where an attacker uses one password to try to break into multiple target accounts), and other types of attacks.

Common methods of creating undesirable passwords

Most users, when creating new passwords, choose the simplest possible password that meets corporate security requirements. For example:

• If the minimum password length is set to 8 characters, users will often create passwords that do not exceed 8 characters.

• If the password must contain uppercase letters, using an uppercase first letter is common practice.

• If the password requires the use of numbers, users often place numbers
at the end of the password. Numbers from 0 to 99 or numbers
indicating the user's year of birth are quite common. Replacing letters with similar numbers is also common practice, for example, replacing the letter "e" with the number "3" or the letter "o" with the number "0", etc.

• If the password must contain special characters, users often include only one character. Some special characters seem more popular than others, such as "@" and "!".

• If regular password changes are required, many users will choose cyclic words such as seasons, quarters, months, etc.

• Some words and numbers are very popular and therefore widely used in
passwords. The most commonly used passwords are "123456", "password" and
letters typed sequentially on the keyboard, such as "qwerty".

• The password often matches the user's first or last name or part of it.

• The password contains the names of family members, friends, pets, etc.

• Due to mandatory periodic password changes, users often make small changes to old passwords rather than creating completely new ones.

Password Strength

If an organization imposes password complexity requirements, it leads to the assumption that the organization's passwords are secure, but this is not necessarily the case. For example, if the minimum password length is fifteen characters with a combination of uppercase and lowercase letters, numbers, and special characters, a password that meets the requirements might look like this:

Password123456!

Commonly Used Passwords

As in the example above, where the password cannot be considered secure despite meeting formal requirements, many users inadvertently choose a simple password that hackers can easily crack. Lists of commonly used passwords are readily available online and can be used against one or more logins.

Use of Leaked Passwords

When websites or other online resources become the target of data breaches, usernames and passwords become available online and are quickly added by attackers to the list of leaked passwords to try.

The website https://haveibeenpwned.com allows users to check if their login credentials or accounts from their domain
have been compromised as a result of a data breach. You should never check active passwords.

What Makes a Strong Password?

It is difficult to give specific advice on how to create passwords that can withstand any situation and threat. Therefore, it is important to conduct a risk assessment to determine which set of protective measures provides the right balance between security controls and convenience depending on the sensitivity of the asset that the password protects.

If single sign-on is used to provide access to multiple systems, security requirements should be based on the most critical of the systems. Systems connected to the Internet are often more vulnerable to attacks than internal systems not connected to the Internet.

Passwords and passphrases

There are many recommendations for choosing a password. Regardless of the chosen method, it is important that passwords remain confidential. It is also important to choose an appropriate password length, ideally at least 15 characters, especially if multi-factor authentication is not enabled.

If a password manager is used, which relieves the user from the need to remember all their unique passwords (e.g., bitwarden or LastPass), it is still recommended to use complex and long passwords. Such passwords can often be generated by the password manager itself.

Another approach is to create a passphrase consisting of a random string of easily memorable words that add length to the password. If a combination of common words is used, it is important to increase the minimum password length to 20 characters.

Passwordless Access

Since passwords can be difficult to remember, easily guessable, often reused, and appear in data breaches, international forums have attempted to find alternatives to passwords.

An example is the FIDO2 standard, which provides easy and secure access to websites or operating systems by using a pair of public/private keys instead of passwords. FIDO2-based authentication not only solves many problems associated with the usual use of passwords but is also easy for the user to manage.

To access without a password, for example, an online service requires a user account and the generation of a unique pair of public/private keys. First, the user must choose an authentication method supported by the Identity provider (e.g., mobile phone or USB hardware key). The user opens the selected authenticator using fingerprints, a hardware key, or a PIN code, after which a unique key pair is generated. This key pair is uniquely tied to the authenticator, user account, and Identity provider. The public key is sent to the Identity provider for storage for subsequent verification.

When the user later accesses the services of this online service and enters their username, the Identity provider sends a long string of random numbers to the user's device. All the user needs to do is open the authenticator, just as they did during the registration phase (e.g., using fingerprints). The device then finds the corresponding private key, encrypts the number using the key, and sends the result back to the Identity provider. The Identity provider verifies the received number using the public key stored for the user, confirming that the user has access to their private key. Provided the verification is successful, the user is granted access to the online service.

During the authentication process using FIDO2, no passwords are transmitted over the Internet, just as no passwords or other confidential information are stored in the online service. Thus, the FIDO2 authentication process eliminates many of the risks associated with the regular use of passwords, while still allowing the user to easily access the service.

CFCS Recommendations

• the minimum password length should be 15 characters.

• if passphrases can be used - key phrases of 5 words with a total length of at least 20 characters should be used.

• passwords should never contain information that can be associated with the user or organization, such as brands.

• passwords should not be reused.

Multi-factor Authentication

Today, most systems offer multi-factor authentication – one of the most effective security measures to enhance login security. If multi-factor authentication is implemented, password strength requirements can be reduced – both in terms of length and complexity.

Multi-factor authentication is a method of authentication in which a user is granted access after entering their login along with two or three of the following
authentication factors:

• Something the user knows (PIN or password).

• Something the user has (key card or USB keys).

• User's biometric data (face or fingerprint recognition).

Multi-factor authentication most often requires a combination of verification factors, such as a password (something the user knows) and a mobile phone (something the user has) to access a device or service.

Multi-factor authentication is already widely used, often in connection with remote access or online banking services. Since multi-factor authentication provides very reliable login security, implementation is recommended wherever possible, and at least in systems requiring a high level of security. If, for example, an account can be used to reset forgotten passwords for other accounts, it should be protected by multi-factor authentication.

Several different methods are available for multi-factor authentication, including mobile apps that generate one-time codes or request confirmation when attempting to log in, user biometrics such as fingerprints or facial recognition, and USB keys (the latter is also an option in connection with passwordless access).

Multi-factor authentication based on codes delivered via SMS is considered less secure than other methods and should be avoided. If for some reason this is the only available approach, it is better than relying on passwords alone.

Remote user access

For remote user access, multi-factor authentication should always be used. A remote access user often accesses the organization's networks from less secure remote locations, such as their own home network, hotel rooms, or cafes. These locations may not have security measures in place, and thus passwords may be more vulnerable to compromise.

CFCS Recommendations

• Multi-factor authentication should be implemented wherever possible.

• Multi-factor authentication should always be used for access to privileged accounts.

• Multi-factor authentication should always be used for remote access to internal systems.

User Awareness and Training

It is important that organization users understand the internal password usage policy and adhere to the rules for using and creating passwords regardless of password strength. Additionally, users should be aware of hacking methods. Users should know what warning signs to look out for and how to respond if contacted by individuals posing as IT colleagues asking to check or reset a password, or if they receive unexpected or suspicious-looking emails.

Management is responsible for drawing users' attention to the organization's cybersecurity culture and, consequently, for informing them of any new attack methods. Security training should be conducted to familiarize users with password reliability issues and general security recommendations.

CFCS Recommendations

• Management should plan and implement password policy training to raise awareness among the organization's users.

Changing all default passwords

IT equipment and software often come with default system accounts and passwords set by the manufacturer. Hackers are well aware of this, and therefore, before deploying vendor-supplied equipment and software, passwords must always be changed.

Default passwords can serve as entry points for hackers to access the organization's IT systems and, consequently, critical business information. Default passwords and logins can be found on the Internet, and if they have not been changed, hackers often have little difficulty gaining access. A key area deserving attention is preparing a procedure for changing default passwords, such as passwords for routers, printers, registration servers, and NGFW, to ensure they have been changed before activation.

To ensure that organizations do not use supplier-provided devices with default passwords when deploying hardware or software, it is important that access to hardware and software is subject to regular checks.

CFCS Recommendations

• Default passwords should be changed as a standard procedure when deploying hardware or software.

Focus on Privileged Accounts

Some accounts require more protection than others. Compromise of administrator, service, and remote user accounts carries a high risk of unauthorized access to important information, making additional protection of such accounts a priority. Thus, access to such accounts should be protected with multi-factor authentication along with longer and more complex passwords.

Administrator Rights

Ordinary users generally do not need elevated rights to IT systems and
infrastructure. User rights should always be allocated based on production needs.

The role of a system administrator includes tasks that ensure access to critical system infrastructure, maintenance of internal IT systems, etc. As a result, administrative accounts are prime targets for many hackers. Access to administrator accounts must be protected with
multi-factor authentication. If for any reason this is not possible, longer and more complex passwords should be used. Administrator accounts should only be used for tasks that require elevated privileges.

For everyday tasks such as managing email and accessing the Internet, employees with administrator roles should use an unprivileged account without administrator rights.

Administrative accounts must be personal, and the password should only be known to the administrator who owns the account. When employees with administrative rights leave, their privileged accounts must be immediately closed, and the passwords to all service accounts known to them should be changed. On some privileged account management platforms, this process can be automated or completely avoided by using one-time passwords for administrative tasks.

Privilege Management

To ensure better oversight of an organization's privileged accounts, a privileged access management (PAM) system (e.g., Teleport) can be used. PAM solutions are designed to manage, monitor, and protect privileged rights and can be used to centralize and streamline the management of privileged accounts.

CFCS Recommendations

• Administrative accounts should be used exclusively for actions requiring administrative privileges.

• Privileged accounts should be protected by multi-factor authentication.

• A fixed and documented process should be used to close privileged access for departing administrators.

Account Lockout and Login Monitoring

Organizations should take all steps to make it as difficult as possible for hackers to penetrate IT systems containing business-critical information. The following solutions can be implemented to protect against several different types of hacker attacks.

Account Lockout

Account lockout can be a way to prevent hackers from using online attacks to crack passwords and penetrate internal IT systems. A user's account is locked as soon as the user or an attacker exceeds a predefined threshold of login attempts, preventing dictionary or brute-force attacks.

Thus, the organization should prepare an account lockout policy that defines the allowable number of failed login attempts. An unexpectedly large number of login attempts on an account may indicate malicious activity.

The policy should specify the number of minutes that must pass after a failed login attempt before the failed login attempt counter is reset. There is a significant difference - whether a hacker is allowed to make the maximum number of failed login attempts every half hour or only once a day before the account is locked.

It is also important to ensure that the policy specifies ways to unlock locked accounts. It is problematic if a user can simply call support and request to unlock their account and immediately provide a new temporary password over the phone. In such cases, a hacker can impersonate the user and thus gain access to the account. A potential solution to this particular problem could be to assign the user a temporary one-time password through a colleague or reset the password using an existing multi-factor authentication method.

It is advisable to avoid using secret questions like "What is my father's name?" for self-unlocking the account, as this approach carries the risk that hackers can easily find out the answer to such questions using social engineering tactics and open sources such as social networks.

Delay of new login attempts

Another method is the so-called regulation or delay of new login attempts. With this method, the account is not blocked, but for each unsuccessful login attempt – or after a certain number of unsuccessful login attempts – a temporary delay is set before a new login attempt is allowed. This delay can increase exponentially with each unsuccessful login attempt.

User login notification

If the user logs in from a device unknown to the system, a login notification sent to the user, for example, by mail or text message, can help increase the chances of detecting an account breach, allowing prompt action to be taken.

Login monitoring and logging

In order to counter potential security breaches, it is recommended to monitor login attempts. Monitoring is often carried out automatically using software that notifies the appropriate personnel if, for example, the number of login attempts deviates from the normal rate. The monitoring tool's alert threshold can be set to reflect the criticality or sensitivity of the system in question. CFCS often encounters organizations that have been the target of cyberattacks, where it was later found that key event log files from the affected IT systems were unavailable for attack analysis. Logging security events in an organization's infrastructure is essential for detecting and effectively identifying the consequences of cyberattacks.

CFCS Recommendations

• account lockout or "login delay" should be used.

• the organization should adhere to a fixed process for unlocking locked accounts.

• login attempts should be logged and logins monitored.

Secure Handling of Passwords in Systems

Organizations should ensure confidentiality during the use, transmission, and storage of passwords.

Use of Passwords

Login pages in systems used by the organization should allow copying
passwords into the password field, making it easier to use password managers. It is also recommended that when choosing a password, users are notified if the chosen password is frequently used or known from previous leaks.

Organizations should strive to apply multi-factor authentication as much as possible in the systems used and use the ability to support passwordless FIDO2 authentication when implementing new systems.

Password Transmission

It is recommended to use an encrypted communication channel whenever a password is entered or otherwise exchanged between devices/systems over the network.

Password Storage

Passwords should not be stored as plain text in text files. If the password database is compromised, it is important that the data is stored securely so that hackers cannot use this information directly.

Unlike encryption, converting passwords to hash values is a one-way mechanism. Hashing requires a standard implementation of proven hash functions created exclusively for passwords.

As an additional layer of security, a unique value, the so-called "salt", is added to each password before hashing. This method ensures that even if the passwords are identical, the resulting stored value is unique, protecting against rainbow table attacks.

If the system supports passwordless access via the FIDO2 standard, the need for secure password storage is obviously reduced.

CFCS Recommendations

• User interfaces should allow the use of password managers.

• User interfaces should be designed to help users choose secure passwords.

• A blacklist of passwords should be created to prevent the use of commonly used passwords.

• All password transmission should be done over encrypted connections.

• Only hashed values based on unique salts should be stored. Hashing should be performed using standard implementations of proven password hashing functions.

Welcome to our TG @defhubcommunity, there is a lot of interesting and useful information about cybersecurity.