Password Strength Policy Query


General Terms and Common Definitions:

Password -

        A password is a secret word or string of characters that is used for user authentication to prove identity, or for access approval to gain access to a resource (example: an access code is a type of password).

The term passcode is sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access and, in our case, used for authentication into the M-PIM application. Passwords are generally short enough to be easily memorized and typed.

Password strength -

        Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability. [1]

Using strong passwords lowers the overall risk of a security breach, but strong passwords do not replace the need for other effective security controls. The effectiveness of a password of a given strength is strongly determined by the design and implementation of the authentication system software, particularly how frequently password guesses can be tested by an attacker and how securely information on user passwords is stored and transmitted. Risks are also posed by several means of breaching computer security which are unrelated to password strength. Such means include wiretapping, phishing, keystroke logging, social engineering, dumpster diving, shoulder surfing, side-channel attacks and software vulnerabilities.

 

Password policy - 

 

       A password policy is a guide to choosing satisfactory passwords that are hard to replay or crack.

Although some are controversial, they are usually intended to:

assist users in choosing strong passwords

ensure the passwords are suited to the target population

give recommendations to users with regard to the handling of their passwords

impose a requirement to change any password which has been lost or compromised, and perhaps that no password be used longer than a limited time

some policies also prescribe the pattern of characters which passwords must contain (letters, digits, symbols, etc.)

For example, password expiration is often covered by password policies. Password expiration serves two purposes:

if the time to crack a password is estimated to be 100 days, password expiration times fewer than 100 days may help ensure insufficient time for an attacker.

if a password has been compromised, requiring it to be changed regularly should limit the access time for the attacker.

Some argue that password expiration has become obsolete since:

asking users to change passwords frequently encourages simple, weak passwords.

if one has a truly strong password, there is little point in changing it. Changing passwords which are already strong introduces the risk that the new password may be less strong.

a compromised password is likely to be used immediately by an attacker to install a backdoor, often via privilege escalation. Once this is accomplished, password changes won't prevent future attacker access.

mathematically it doesn't gain much security at all. Moving from never changing one's password to changing the password on every authentication attempt (pass or fail attempts) only doubles the number of attempts the attacker must make on average before guessing the password in a brute force attack - one gains much more security just by increasing the password length by one character than by changing the password on every use.
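The "only doubles" claim can be made precise with a short calculation. This derivation is added here and is not part of the original text; N (the number of equally likely candidate passwords) and k (the size of the character alphabet) are assumed notation.

Suppose the attacker tries the N candidates in a fixed order. If the password never changes, the number of guesses T until success is uniform on $\{1, \dots, N\}$, so
$$E[T] = \frac{1}{N}\sum_{i=1}^{N} i = \frac{N+1}{2}.$$
If instead the password is replaced by a fresh random candidate after every attempt, each guess succeeds independently with probability $1/N$, so T is geometric:
$$E[T] = \sum_{i=1}^{\infty} i \cdot \frac{1}{N}\left(1 - \frac{1}{N}\right)^{i-1} = N.$$
The ratio of the two is $\frac{2N}{N+1} < 2$: changing the password on every use at most doubles the attacker's expected work. Appending one character drawn from an alphabet of size k instead multiplies N by k (k = 26 for lower-case letters, k = 95 for printable ASCII), and therefore multiplies $E[T]$ by k.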

I. Security Standards -

Passwords are a very important part of computer security.

They often serve as the first line of defense in preventing unauthorized access to computers and data. 

Because of the crucial role of passwords it is important to choose passwords that are complex and cryptic enough to prevent others from guessing them or from cracking them with programs, dictionary attacks or rainbow table attacks.

At the same time, it is also important to keep passwords secret and secure so others cannot use them or find them. These standards are intended to provide information and guidance about how to create good, cryptic passwords and how to keep them secure and confidential.

 

II. Password Strength and Security Standards, or how to create good, cryptic, hard-to-guess-or-crack passwords.

 

The following requirements are considered essential and mandatory, and are enforced by many business, software and other web entities (sites).

 

1. Passwords must be at least 8 characters in length and contain at least 3 of the following 4 types of characters:

 

 

lower case letters (i.e. a-z)

upper case letters (i.e. A-Z)

numbers (i.e. 0-9)

special characters (e.g. !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)

Passwords for systems or applications that cannot support the above standard must be longer -- at least 10 characters in length, if possible -- and incorporate the maximum complexity the system or application can support.

2. In addition, passwords must:

 

Not be a word found in the dictionary (in any language), whether spelled forwards or backwards, or a word preceded or followed by a digit (e.g., secret1, 1secret)

Not include user name or login name.

Not be a common keyboard sequence, such as "qwerty89" or "abc123"

Not be from examples you have seen in print, such as the ones on this page.

 

 


 

III. How to keep your password secret and secure -

 

1. Do not share your passwords with anyone else, or in any way publish them.

2. Avoid writing passwords down.

Whenever possible, change passwords to something you can easily remember.

One way to do this is to create a password from a familiar phrase (see Additional Tips and Hints for more information).

Once you have a good, strong, memorable password, you can come up with a system to modify it slightly for each system or application. Then you only have to remember your base password and your system.

If you have to write a password down, try to write it in a way that others won't be able to decipher -- such as using a hint for part of it -- and store it securely in a safe, unlikely-to-be-discovered location, e.g., not under the keyboard or on your monitor.

Passwords can also be securely stored using a variety of free and low-cost "password vault-type" encryption tools. See #5 in this section for details.

3. If you think your password may have been compromised, notify the Support (Contact, Customer, etc.) Center and/or your supervisor.

4. Change passwords provided for initial access or password resets as soon as possible.

Information for doing this should be provided with the password. If it is not, contact the person or office issuing the password for instructions.

5. Don't let your applications or browser remember/store passwords that provide access to restricted systems or data.

That way if someone gets access to your computer, they don't also get access to all of your accounts.

Passwords can be securely stored using a variety of free and low-cost "password vault-type" encryption tools including your computer's key-chain, LastPass, 1password, Password Wallet, PasswordSafe (PC/Mac), and KeePass (PC) / KeePassX (Mac).

Important notes:

Master passwords providing access to these tools must meet the minimum strength and security standards stated in these Standards. For keychains, this is the password used to access the computer.

Do not store passwords providing access to restricted data on service providers' websites, public computers, or non-personal devices.

6. Use different passwords for accounts that provide access to restricted data than for your less-sensitive or personal accounts.

For additional security, use a different password for each account that provides access to sensitive data; that way if one of your passwords is compromised, your others are still OK.

 

7. Ensure that passwords are transmitted securely.

Before you log into something via the web, look for "https" (not http) in the URL to indicate that there is a secure connection. If this is missing, request a secure web page from the service provider that you can use to log in.

Make sure that any applications you log into on your computer (such as email) are set for secure authentication.

 

Additional Tips and Hints:

 

Longer passwords are better.

Avoid including personal information, names of family, places, pets, birthdays, address, hobbies, license plate number, etc.

Avoid words that are slang, dialect, jargon, etc.

A password consisting of several words separated by spaces can actually be more secure and easier to remember than a more complicated, obscure one.

Basing your password on a phrase that is familiar to you is one way to generate a password that is memorable to you, but obscure to others. For example, "The hills are alive with the sound of music!!" is actually a pretty good password, except for the fact that it is inconveniently long and published here. A shorter version could be, "Hills! alive! Music!" or, using a variant on the first letter of each word, "ThRawts0m!".

A few memorable, unrelated words can also be a good password, such as "correct horse battery staple"

or, if the system requires additional complexity, “Correct horse battery staple!”

Passwords shouldn't be too common (Password1 is very common; 2bor!2b is pretty common and is also only 7 characters in length).


Be aware that automatic "password cracker" programs check for common symbol substitutions in words, such as "0" for "o" and "$" for "s". Simply substituting common symbols for letters in a dictionary word, e.g. "Pa$$w0rd" instead of "Password," might result in a guessable password even though it technically meets the above requirements. (Passwords that are found vulnerable by automatic password strength checkers may be rejected.)
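The following checker is an added example, not code from the original document: it enforces the Section II requirements (8+ characters, 3 of 4 character classes, no user name, no keyboard sequence, no dictionary word even when digit-padded) and also undoes the common symbol substitutions described in the paragraph above, so that "Pa$$w0rd" is rejected as "password". The word list, the sequence table and the substitution map are constructed assumptions; a real deployment would load a full multi-language dictionary.

```python
import re

# Constructed stand-in for a real dictionary word list (assumption: a deployment
# would load a large multi-language list instead of this handful of words).
DICTIONARY = {"password", "secret", "welcome", "dragon", "monkey", "changeme"}
# Keyboard rows plus alphabetic and numeric order, used to spot "qwerty89"/"abc123".
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
             "abcdefghijklmnopqrstuvwxyz", "0123456789"]
# Substitutions that cracker rulesets undo, so "Pa$$w0rd" is treated as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def character_classes(pw):
    """Count how many of the 4 classes (lower, upper, digit, special) appear."""
    patterns = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(1 for p in patterns if re.search(p, pw))

def has_keyboard_sequence(pw, run=3):
    """True if any run-length slice of a known sequence (either direction) occurs."""
    s = pw.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            frag = seq[i:i + run]
            if frag in s or frag[::-1] in s:
                return True
    return False

def is_dictionary_word(pw):
    """True for a dictionary word spelled forwards or backwards, with or without
    one leading/trailing digit, before or after undoing common substitutions."""
    raw = pw.lower()
    stripped = re.sub(r"^\d|\d$", "", raw)          # secret1 / 1secret -> secret
    candidates = {raw, stripped, raw.translate(LEET), stripped.translate(LEET)}
    return any(c in DICTIONARY or c[::-1] in DICTIONARY for c in candidates)

def check_password(pw, username=""):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("length: fewer than 8 characters")
    if character_classes(pw) < 3:
        problems.append("complexity: fewer than 3 of the 4 character classes")
    if username and username.lower() in pw.lower():
        problems.append("contains the user name")
    if has_keyboard_sequence(pw):
        problems.append("contains a keyboard or alphabetic sequence")
    if is_dictionary_word(pw):
        problems.append("dictionary word (possibly digit-padded or with symbol substitutions)")
    return problems
```

Calling `check_password("Pa$$w0rd")` returns only the dictionary-word violation even though all four character classes are present, which is exactly the gap the paragraph above describes.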

Microsoft's password strength checker is a handy tool to help gauge the strength of a password.

Examples:

Weak strength password - AaSsDdG

Medium strength password - cdxsza1126

Strong strength password - St@bleDog&Hum@N

IV. Additional Requirements -

 

1. Passwords provided as initial passwords or password resets must meet the Minimum Password Requirements.

("Changeme", "admin", "pass1", "Passw0rd" and other common passwords found in password crackers should not be used.)

 

Passwords provided as initial passwords or password resets must also not be a fixed password or a published/easy-to-figure-out formula that, if discovered, could be used to gain unauthorized access to a system or application.

Passwords provided for initial access or password resets must be unique.

2. Ensure that end users are aware of the above password strength standards when it is not possible for applications and systems to enforce them technically.

3. Ensure secure transmission and storage of passwords.

4. Instruct users to change passwords provided for initial access or password resets as soon as possible after initial use and provide instructions for doing so. Alternatively, temporary passwords can be set to expire upon initial use.

5. Give users advance notice about password requirements so they can come up with well-thought-out, memorable passwords instead of spur-of-the-moment ones.

6. Passwords used for privileged access must not be the same as those used for non-privileged access.

7. Administrator-level access to restricted data, computers or networks must be able to identify the individual performing the access, e.g. via a unique user ID/password and elevated permissions as opposed to utilizing a shared admin or root account.


8. Report potential password security compromises to the Support Center.

9. Service Providers should consider using Identity Management (IdM) Services (Shibboleth for example) for authentication to their applications.

10. Where possible and applicable, applications and systems must be configured to enforce these password complexity standards.

11. Passwords provided for initial access and password resets must be set to expire upon initial use, where feasible.

12. Initial passwords must be set to expire after no more than 90 days, and password resets must be set to expire after 6 to 12 hours where possible, to prevent unauthorized account access.

Note: This requirement is not intended to imply that passwords must expire periodically. It is, instead, intended to prevent the misuse of initial and temporary passwords.

13. Systems must be configured to prevent the resubmission of any previously used password within the preceding 12 months, at a minimum.

 
