Password Strength Policy Query
General Terms and Common Definitions:

Password -

A password is a secret word or string of characters that is used for user authentication to prove identity, or
for access approval to gain access to a resource (example: an access code is a type of password).
The term passcode is sometimes used when the secret information is purely numeric, such as the personal
identification number (PIN) commonly used for ATM access and in our case used for authentication into the
M-PIM application. Passwords are generally short enough to be easily memorized and typed.

Password strength -

Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force
attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the
password would need, on average, to guess it correctly. The strength of a password is a function of length,
complexity, and unpredictability.[1]
Using strong passwords lowers overall risk of a security breach, but strong passwords do not replace the need
for other effective security controls. The effectiveness of a password of a given strength is strongly determined
by the design and implementation of the authentication system software, particularly how frequently password
guesses can be tested by an attacker and how securely information on user passwords is stored and
transmitted. Risks are also posed by several means of breaching computer security which are unrelated to
password strength. Such means include wiretapping, phishing, keystroke logging, social engineering, dumpster
diving, shoulder surfing, side-channel attacks, and software vulnerabilities.

Password policy -

A password policy is a guide to choosing satisfactory passwords that are hard to guess or crack.
Although some policies are controversial, they are usually intended to:
- assist users in choosing strong passwords
- ensure the passwords are suited to the target population
- give recommendations to users with regard to the handling of their passwords
- require that any password which has been lost or compromised be changed, and perhaps that no
password be used longer than a limited time
- in some cases, prescribe the pattern of characters which passwords must contain: letters, digits,
symbols, etc.
For example, password expiration is often covered by password policies. Password expiration serves two
purposes:
- if the time to crack a password is estimated to be 100 days, password expiration times of fewer than 100
days may help ensure that the attacker has insufficient time.
- if a password has been compromised, requiring it to be changed regularly should limit the access time for
the attacker.
Some argue that password expiration has become obsolete since:
- asking users to change passwords frequently encourages simple, weak passwords.
- if one has a truly strong password, there is little point in changing it. Changing passwords which are
already strong introduces the risk that the new password may be less strong.
- a compromised password is likely to be used immediately by an attacker to install a backdoor, often via
privilege escalation. Once this is accomplished, password changes won't prevent future attacker access.
- mathematically it doesn't gain much security at all. Moving from never changing one's password to
changing the password on every authentication attempt (pass or fail) only doubles the number of attempts
the attacker must make on average before guessing the password in a brute-force attack; one gains much
more security just by increasing the password length by one character than by changing the password on
every use.
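The last point above can be checked numerically. The following Python is an added example, not part of the original policy: it computes the expected number of guesses against a fixed password (an attacker enumerating a space of S candidates hits it after (S + 1) / 2 guesses on average) and against a password that is redrawn before every guess (S guesses on average, because each guess now succeeds independently with probability 1 / S), confirms both figures with a seeded Monte Carlo run, and shows that one extra character multiplies the space by the alphabet size. The 62-symbol alphabet and the space sizes used are assumptions chosen for illustration.

```python
import random


def search_space(alphabet_size, length):
    """Number of distinct passwords of the given length over the given alphabet."""
    return alphabet_size ** length


def expected_guesses_fixed(space_size):
    """Attacker enumerates the space once against a password that never changes:
    the secret is equally likely to sit anywhere, so (S + 1) / 2 guesses on average."""
    return (space_size + 1) / 2


def expected_guesses_rotating(space_size):
    """Password is replaced (uniformly at random) before every guess: each guess
    succeeds independently with probability 1 / S, so S guesses on average."""
    return float(space_size)


def simulate(space_size, trials, seed=1):
    """Monte Carlo check of the two formulas above; returns (fixed_mean, rotating_mean).
    The seed is fixed so the run is reproducible."""
    rng = random.Random(seed)
    fixed_total = rotating_total = 0
    for _ in range(trials):
        # Fixed password: enumerate 0..S-1 in order until the secret is hit.
        secret = rng.randrange(space_size)
        attempts = 0
        for guess in range(space_size):
            attempts += 1
            if guess == secret:
                break
        fixed_total += attempts
        # Rotating password: the secret is redrawn before every attempt, so the
        # attacker's ordered enumeration gains nothing from earlier misses.
        attempts = 0
        while True:
            attempts += 1
            secret = rng.randrange(space_size)
            if (attempts - 1) % space_size == secret:
                break
        rotating_total += attempts
    return fixed_total / trials, rotating_total / trials


if __name__ == "__main__":
    s = search_space(62, 8)  # assumed: 8 characters over mixed-case letters and digits
    print(f"fixed: {expected_guesses_fixed(s):.3e}  rotating: {expected_guesses_rotating(s):.3e}")
    print(f"one more character multiplies the space by {search_space(62, 9) // s}")
    print("simulated means for S=256 (fixed, rotating):", simulate(256, 2000))
```

The simulation uses a deliberately small space (S = 256) so it finishes quickly; the ratio of the two means comes out close to 2, while the analytic functions show that adding one character to an 8-character mixed-case alphanumeric password multiplies the work by 62.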

I. Security Standards

Passwords are a very important part of computer security.
They often serve as the first line of defense in preventing unauthorized access to computers and data.
Because of the crucial role of passwords it is important to choose passwords that are complex and cryptic
enough to prevent others from guessing them or from cracking them with programs, rainbow tables or dictionary
attacks.
At the same time, it is also important to keep passwords secret and secure so others cannot use them or find
them. These standards are intended to provide information and guidance about how to create good, cryptic
passwords and how to keep them secure and confidential.

II. Password Strength and Security Standards, or: How to create good, cryptic, hard-to-guess-or-crack passwords

The following requirements are considered essential and mandatory, and are enforced by many business,
software and other web entities (sites).

1. Passwords must be at least 8 characters in length and contain at least 3 of the following 4 types of
characters:

- lower case letters (i.e. a-z)
- upper case letters (i.e. A-Z)
- numbers (i.e. 0-9)
- special characters (e.g. !@#$%^&*()_+|~-=‘{}[]:";’<>?,./)

Passwords for systems or applications that cannot support the above standard must be longer -- at least
10 characters in length, if possible -- and incorporate the maximum complexity the system or application
can support.

2. In addition, passwords must:

- Not be a word found in the dictionary (in any language), whether spelled forwards or backwards, or a
word preceded or followed by a digit (e.g., secret1, 1secret)
- Not include the user name or login name.
- Not be a common keyboard sequence, such as "qwerty89" or "abc123"
- Not be from examples you have seen in print, such as the ones on this page.

III. How to keep your password secret and secure -

1. Do not share your passwords with anyone else, or in any way publish them.

2. Avoid writing passwords down.

- Whenever possible, change passwords to something you can easily remember.
- One way to do this is to create a password from a familiar phrase (see Additional Tips and Hints for
more information).
- Once you have a good, strong, memorable password, you can come up with a system to modify it
slightly for each system or application. Then you only have to remember your base password and
your system.
- If you have to write a password down, try to write it in a way that others won't be able to decipher -- such
as using a hint for part of it -- and store it securely in a safe, unlikely-to-be-discovered location, e.g., not
under the keyboard or on your monitor.
- Passwords can also be securely stored using a variety of free and low-cost "password vault-type"
encryption tools. See #5 in this section for details.

3. If you think your password may have been compromised, notify the Support (Contact, Customer, etc.)
Center and/or your supervisor.

4. Change passwords provided for initial access or password resets as soon as possible.

Information for doing this should be provided with the password. If it is not, contact the person or office issuing
the password for instructions.

5. Don’t let your applications or browser remember/store passwords that provide access to restricted systems or
data.

That way if someone gets access to your computer, they don’t also get access to all of your accounts.
Passwords can be securely stored using a variety of free and low-cost "password vault-type" encryption
tools including your computer's keychain, LastPass, 1Password, Password Wallet, PasswordSafe (PC/Mac),
and KeePass (PC) / KeePassX (Mac).

Important notes:
- Master passwords providing access to these tools must meet the minimum strength and security
standards stated in these Standards.
- For keychains, this is the password used to access the computer.
- Do not store passwords providing access to restricted data on service providers' websites, public
computers or non-personal devices.

6. Use different passwords for accounts that provide access to restricted data than for your less-sensitive or
personal accounts.

For additional security, use a different password for each account that provides access to sensitive data;
that way if one of your passwords is compromised, your others are still OK.

7. Ensure that passwords are transmitted securely.

- Before you log into something via the web, look for “https” (not http) in the URL to indicate that there is
a secure connection.
- If this is missing, request a secure web page from the service provider that you can use to log in.
- Make sure that any applications you log into on your computer (such as email) are set for secure
authentication.

Additional Tips and Hints:

- Longer passwords are better.
- Avoid including personal information, names of family, places, pets, birthdays, address, hobbies, license
plate number, etc.
- Avoid words that are slang, dialect, jargon, etc.
- A password consisting of several words separated by spaces can actually be more secure and easier to
remember than a more complicated, obscure one.
- Basing your password on a phrase that is familiar to you is one way to generate a password that is
memorable to you, but obscure to others. For example, "The hills are alive with the sound of
music!!" is actually a pretty good password, except for the fact that it is inconveniently long and
published here. A shorter version could be, “Hills! alive! Music!” or, using a variant on the first letter
of each word, "ThRawts0m!".
- A few memorable, unrelated words can also be a good password, such as "correct horse battery
staple" or, if the system requires additional complexity, “Correct horse battery staple!”
- Passwords shouldn't be too common (Password1 is very common. 2bor!2b is pretty common and is also
only 7 characters in length).
- Be aware that automatic "password cracker" programs check for common symbol substitutions in words,
such as "0" for "o" and "$" for "s". Simply substituting common symbols for letters in a dictionary word,
e.g. "Pa$$w0rd" instead of "Password", might result in a guessable password even though it technically
meets the above requirements.
(Passwords that are found vulnerable by automatic password strength checkers may be rejected.)
- Microsoft's password strength checker is a handy tool to help gauge the strength of a password.

Examples:

Weak password - AaSsDdG
Medium-strength password - cdxsza1126
Strong password - St@bleDog&Hum@N
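Item 10 of section IV asks applications to enforce these complexity rules technically. The Python checker below is an added example, not the policy's own code and not Microsoft's checker: it implements rules 1 and 2 of section II (length, three of the four character classes, no dictionary word whether forwards, backwards or padded with digits, no user name, no keyboard sequence) and, following the hint about symbol substitutions above, undoes common substitutions such as "0" for "o" and "$" for "s" before the dictionary lookup, so that "Pa$$w0rd" is rejected even though it contains all four character classes. The dictionary, the keyboard-sequence list and the substitution table are small constructed stand-ins; a deployment would load full wordlists for every language its users speak. Run against the three examples above, "St@bleDog&Hum@N" passes, "AaSsDdG" fails on length and on character classes, and "cdxsza1126" (medium on Microsoft's checker) fails rule 1 of this policy because it contains only two of the four character classes.

```python
import re

# Thresholds from rule 1 of the policy.
MIN_LENGTH = 8
MIN_CLASSES = 3
SPECIALS = set("!@#$%^&*()_+|~-=‘{}[]:\";’<>?,./")

# Constructed stand-ins for the wordlists a real checker would load.
SMALL_DICTIONARY = {"secret", "password", "stable", "dog", "human", "changeme", "admin", "pass"}
KEYBOARD_SEQUENCES = ("qwerty", "asdfgh", "zxcvbn", "abc123", "123456", "1q2w3e")

# Symbol substitutions that cracking tools undo before a dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def character_classes(pw):
    """Count how many of the four classes (lower, upper, digit, special) appear."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in SPECIALS for c in pw),
    ])


def normalize(pw):
    """Undo common symbol substitutions and case, so "Pa$$w0rd" compares as "password"."""
    return pw.lower().translate(LEET)


def dictionary_forms(pw):
    """Every form rule 2 forbids: the word itself, reversed, with leading/trailing
    digits stripped (any run of digits, a stricter reading of the rule), and each of
    those with symbol substitutions undone."""
    raw = pw.lower()
    stripped = re.sub(r"^\d+|\d+$", "", raw)
    forms = {raw, raw[::-1], stripped, stripped[::-1]}
    return forms | {normalize(f) for f in forms}


def check_password(pw, username=""):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of the 4 character classes")
    if username and username.lower() in pw.lower():
        problems.append("contains the user name")
    if dictionary_forms(pw) & SMALL_DICTIONARY:
        problems.append("dictionary word (possibly reversed, with a digit, or with symbol substitutions)")
    if any(seq in pw.lower() for seq in KEYBOARD_SEQUENCES):
        problems.append("contains a common keyboard sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("AaSsDdG", "cdxsza1126", "St@bleDog&Hum@N", "Pa$$w0rd", "secret1"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The checker returns every violation rather than stopping at the first, which lets the application tell the user exactly what to fix; note that a space is not one of the policy's special characters, so "correct horse battery staple" has a single character class and only the "Correct horse battery staple!" variant satisfies rule 1.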

IV. Additional Requirements -

1. Passwords provided as initial passwords or password resets must meet the Minimum Password
Requirements.
("Changeme", "admin", "pass1", "Passw0rd" and other common passwords found in password crackers should not
be used.)

Passwords provided as initial passwords or password resets also must not be a fixed password or a
published/easy-to-figure-out formula that, if discovered, could be used to gain unauthorized access to a
system or application.
Passwords provided for initial access or password resets must be unique.

2. Ensure that end users are aware of the above password strength standards when it is not possible for
applications and systems to enforce them technically.
3. Ensure secure transmission and storage of passwords.
4. Instruct users to change passwords provided for initial access or password resets as soon as possible after
initial use and provide instructions for doing so. Alternatively, temporary passwords can be set to expire upon
initial use.
5. Give users advance notice about password requirements so they can come up with well-thought-out,
memorable passwords instead of spur-of-the-moment ones.
6. Passwords used for privileged access must not be the same as those used for non-privileged access.
7. Administrator-level access to restricted data, computers or networks must identify the individual
performing the access, e.g. via a unique user ID/password and elevated permissions rather than a
shared admin or root account.
8. Report potential password security compromises to the Support Center.
9. Service Providers should consider using Identity Management (IdM) Services (Shibboleth, for example) for
authentication to their applications.
10. Where possible and applicable, applications and systems must be configured to enforce these password
complexity standards.
11. Passwords provided for initial access and password resets must be set to expire upon initial use, where
feasible.
12. Initial passwords must be set to expire after no more than 90 days, and password resets must be set to
expire after 6 to 12 hours where possible, to prevent unauthorized account access.

Note: This requirement is not intended to imply that passwords must expire periodically. It is, instead,
intended to prevent the misuse of initial and temporary passwords.

13. Systems must be configured to prevent the resubmission of any password used within the previous 12 months,
at a minimum.
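Items 4, 11, 12 and 13 above describe the lifecycle of administrator-issued and user-chosen passwords. The Python below is an added example, not the policy's own code or any product's: a constructed account record that keeps only salted hashes (the choice of PBKDF2-HMAC-SHA256 with 100,000 iterations is an assumption; the policy only requires "secure storage"), treats administrator-issued passwords as single-use and time-limited (12 hours for resets, 90 days for initial passwords), and refuses a user-chosen password that matches any hash retained from the previous 12 months. The account name, passwords and timestamps in the scenario are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Lifetimes taken from items 12 and 13 of the policy.
RESET_LIFETIME = timedelta(hours=12)     # reset passwords expire after 6 to 12 hours
INITIAL_LIFETIME = timedelta(days=90)    # initial passwords expire after at most 90 days
HISTORY_WINDOW = timedelta(days=365)     # no reuse of a password set within the last 12 months

# Constructed reference instant so the scenario below is reproducible.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (assumed scheme). Only (salt, digest) is stored, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


@dataclass
class StoredPassword:
    salt: bytes
    digest: bytes
    set_at: datetime
    temporary: bool = False            # issued by an administrator (initial access or reset)
    expires_at: Optional[datetime] = None
    used: bool = False                 # a temporary password may be used exactly once


@dataclass
class Account:
    username: str
    history: List[StoredPassword] = field(default_factory=list)   # oldest first

    def _matches(self, record, candidate):
        _, digest = hash_password(candidate, record.salt)
        return hmac.compare_digest(digest, record.digest)

    def used_within_window(self, candidate, now):
        """Item 13: re-hash the candidate with each retained salt and compare to the stored digest."""
        return any(now - r.set_at <= HISTORY_WINDOW and self._matches(r, candidate)
                   for r in self.history)

    def issue_temporary(self, password, now, initial=False):
        """Items 11 and 12: an administrator-issued password is single-use and time-limited."""
        salt, digest = hash_password(password)
        lifetime = INITIAL_LIFETIME if initial else RESET_LIFETIME
        self.history.append(StoredPassword(salt, digest, now, temporary=True,
                                           expires_at=now + lifetime))

    def set_password(self, candidate, now):
        """User-chosen replacement; refused if the same password was used in the last 12 months."""
        if self.used_within_window(candidate, now):
            return False
        salt, digest = hash_password(candidate)
        self.history.append(StoredPassword(salt, digest, now))
        return True

    def authenticate(self, candidate, now):
        """'ok', 'must_change' (temporary password accepted, once), 'expired' or 'denied'."""
        record = self.history[-1] if self.history else None
        if record is None or not self._matches(record, candidate):
            return "denied"
        if record.temporary:
            if record.used or now > record.expires_at:
                return "expired"
            record.used = True
            return "must_change"
        return "ok"


def run_scenario():
    """Walk one constructed account through a reset, first login, a user-chosen
    password and a later reuse attempt; returns the outcomes in order."""
    def at(**delta):
        return T0 + timedelta(**delta)

    acct = Account("jdoe")
    acct.issue_temporary("Tmp-7Gq!kz2#Lr", T0)
    return [
        acct.authenticate("Tmp-7Gq!kz2#Lr", at(minutes=5)),                 # must_change
        acct.authenticate("Tmp-7Gq!kz2#Lr", at(minutes=6)),                 # expired: single use
        acct.set_password("Correct horse battery staple!", at(minutes=7)),  # True
        acct.authenticate("Correct horse battery staple!", at(days=1)),     # ok
        acct.set_password("Correct horse battery staple!", at(days=200)),   # False: reused inside 12 months
        acct.set_password("Correct horse battery staple!", at(days=400)),   # True: outside the window
    ]


if __name__ == "__main__":
    print(run_scenario())
```

Because every stored hash carries its own salt, the history check cannot compare digests directly: the candidate has to be re-hashed once per retained record, which is one reason to bound the history (12 months here) rather than keep it forever.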
Password Strength Policy Query

Mais conteúdo relacionado

Mais procurados

Password hacking
Password hackingPassword hacking
Password hacking
Abhay pal
 
The Windows Password Policy is Not Enough
The Windows Password Policy is Not EnoughThe Windows Password Policy is Not Enough
The Windows Password Policy is Not Enough
nFront Security
 

Mais procurados (20)

Password Attack
Password AttackPassword Attack
Password Attack
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
 
Password Cracking
Password Cracking Password Cracking
Password Cracking
 
Password craking techniques
Password craking techniques Password craking techniques
Password craking techniques
 
Password management
Password managementPassword management
Password management
 
Getting authentication right
Getting authentication rightGetting authentication right
Getting authentication right
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy   a point of viewWhy is password protection a fallacy   a point of view
Why is password protection a fallacy a point of view
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key logger
 
Password Attack
Password Attack Password Attack
Password Attack
 
Welcome to the world of hacking
Welcome to the world of hackingWelcome to the world of hacking
Welcome to the world of hacking
 
Blackhat 2014 Conference and Defcon 22
Blackhat 2014 Conference and Defcon 22 Blackhat 2014 Conference and Defcon 22
Blackhat 2014 Conference and Defcon 22
 
Password Cracking using dictionary attacks
Password Cracking using dictionary attacksPassword Cracking using dictionary attacks
Password Cracking using dictionary attacks
 
Password hacking
Password hackingPassword hacking
Password hacking
 
The Windows Password Policy is Not Enough
The Windows Password Policy is Not EnoughThe Windows Password Policy is Not Enough
The Windows Password Policy is Not Enough
 
PHP Security Basics
PHP Security BasicsPHP Security Basics
PHP Security Basics
 
Make Your Employees More Security Aware
Make Your Employees More Security AwareMake Your Employees More Security Aware
Make Your Employees More Security Aware
 
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | Edureka
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | EdurekaLearn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | Edureka
Learn Ethical Hacking in 10 Hours | Ethical Hacking Full Course | Edureka
 
Certified Ethical Hacking (CEH V9) Course Details | EC-Council
Certified Ethical Hacking (CEH V9) Course Details | EC-CouncilCertified Ethical Hacking (CEH V9) Course Details | EC-Council
Certified Ethical Hacking (CEH V9) Course Details | EC-Council
 
Encryption by fastech
Encryption by fastechEncryption by fastech
Encryption by fastech
 
ETHICAL HACKING
ETHICAL HACKINGETHICAL HACKING
ETHICAL HACKING
 

Semelhante a Password Strength Policy Query

8 passwordsecurity
8 passwordsecurity8 passwordsecurity
8 passwordsecurity
richarddxd
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
STO STRATEGY
 
Basic Security Requirements
Basic Security RequirementsBasic Security Requirements
Basic Security Requirements
Steven Cahill
 

Semelhante a Password Strength Policy Query (20)

How to choose a password that’s hard to crack
How to choose a password that’s hard to crackHow to choose a password that’s hard to crack
How to choose a password that’s hard to crack
 
8 passwordsecurity
8 passwordsecurity8 passwordsecurity
8 passwordsecurity
 
Password management
Password managementPassword management
Password management
 
The strategies of password
The strategies of passwordThe strategies of password
The strategies of password
 
The strategies of password
The strategies of passwordThe strategies of password
The strategies of password
 
Why is password protection a fallacy a point of view
Why is password protection a fallacy a point of viewWhy is password protection a fallacy a point of view
Why is password protection a fallacy a point of view
 
PASSWORD BEST PRACTICES
PASSWORD BEST PRACTICESPASSWORD BEST PRACTICES
PASSWORD BEST PRACTICES
 
W make107
W make107W make107
W make107
 
Best Practices for Password Creation
Best Practices for Password CreationBest Practices for Password Creation
Best Practices for Password Creation
 
5 tips for an unbreakable password
5 tips for an unbreakable password5 tips for an unbreakable password
5 tips for an unbreakable password
 
Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.Computer Privacy:Passwords-Mike B.
Computer Privacy:Passwords-Mike B.
 
Basic Security Requirements
Basic Security RequirementsBasic Security Requirements
Basic Security Requirements
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Authentication and session v4
Authentication and session v4Authentication and session v4
Authentication and session v4
 
8 Password Hygiene Tips to Protect You and Your Company
8 Password Hygiene Tips to Protect You and Your Company 8 Password Hygiene Tips to Protect You and Your Company
8 Password Hygiene Tips to Protect You and Your Company
 
World Password Management Day, 2023.pdf
World Password Management Day, 2023.pdfWorld Password Management Day, 2023.pdf
World Password Management Day, 2023.pdf
 
Heartbleed Explained & LastPass Demo
Heartbleed Explained & LastPass DemoHeartbleed Explained & LastPass Demo
Heartbleed Explained & LastPass Demo
 
Network Security
Network SecurityNetwork Security
Network Security
 
Protecting your online identity - Managing your passwords
Protecting your online identity -  Managing your passwordsProtecting your online identity -  Managing your passwords
Protecting your online identity - Managing your passwords
 
Securing password
Securing passwordSecuring password
Securing password
 

Mais de Gloria Stoilova

Mais de Gloria Stoilova (10)

How to estimate in scrum
How to estimate in scrumHow to estimate in scrum
How to estimate in scrum
 
Introducing agile-software-deveopment-with-scrum
Introducing agile-software-deveopment-with-scrumIntroducing agile-software-deveopment-with-scrum
Introducing agile-software-deveopment-with-scrum
 
Agile QA and Testing process
Agile QA and Testing processAgile QA and Testing process
Agile QA and Testing process
 
Agile deveopment-with-scrum
Agile deveopment-with-scrumAgile deveopment-with-scrum
Agile deveopment-with-scrum
 
E mail communication
E mail communicationE mail communication
E mail communication
 
Communication skills
Communication skillsCommunication skills
Communication skills
 
101-Cross cultural communication
101-Cross cultural communication101-Cross cultural communication
101-Cross cultural communication
 
All hands meeting - introductory
All hands meeting - introductoryAll hands meeting - introductory
All hands meeting - introductory
 
Securing the tunnel with Raccoon
Securing the tunnel with RaccoonSecuring the tunnel with Raccoon
Securing the tunnel with Raccoon
 
How to write use cases
How to write use casesHow to write use cases
How to write use cases
 

Último

Último (20)

HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

Password Strength Policy Query

  • 1. Password Strength Policy Query General Terms and Common Definitions: Password A password is a secret word or string of characters that is used for user authentication to prove identity, or for access approval to gain access to a resource (example: an access code is a type of password). The term passcode is sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access and in our case used for authentication into the M-PIM application. Passwords are generally short enough to be easily memorized and typed. Password strength - Password strength is a measure of the effectiveness of a password in resisting guessing and brute-force attacks. In its usual form, it estimates how many trials an attacker who does not have direct access to the password would need, on average, to guess it correctly. The strength of a password is a function of length, complexity, and unpredictability.[1] Using strong passwords lowers overall risk of a security breach, but strong passwords do not replace the need for other effective security controls. The effectiveness of a password of a given strength is strongly determined by the design and implementation of the authentication system software, particularly how frequently password guesses can be tested by an attacker and how securely information on user passwords is stored and transmitted. Risks are also posed by several means of breaching computer security which are unrelated to password strength. Such means include wiretapping, phishing, keystroke logging, social engineering, dumpster diving, shoulder surfing, side-channel attacks, and software vulnerabilities. Password policy - A password policy is the guide to choosing satisfactory passwords, hard to be replayed or hacked. 
Although some are controversial they are usually intended to: assist users in choosing strong passwords ensure the passwords are suited to the target population recommendations to users with regard to the handling of their passwords a requirement to change any password which has been lost or compromised, and perhaps that no password be used longer than a limited time some policies prescribe the pattern of characters which passwords must contain - characters, digits, symbols, etc. For example, password expiration is often covered by password policies. Password expiration serves two purposes: if the time to crack a password is estimated to be 100 days, password expiration times fewer than 100
  • 2. days may help ensure insufficient time for an attacker. if a password has been compromised, requiring it to be changed regularly should limit the access time for the attacker Some argue that password expiration have become obsoletesince: asking users to change passwords frequently encourages simple, weak passwords. if one has a truly strong password, there is little point in changing it. Changing passwords which are already strong introduces risk that the new password may be less strong. a compromised password is likely to be used immediately by an attacker to install a backdoor, often via privilege escalation. Once this is accomplished, password changes won't prevent future attacker access. mathematically it doesn't gain much security at all. Moving from never changing one's password to changing the password on every authenticate attempt (pass or fail attempts) only doubles the number of attempts the attacker must make on average before guessing the password in a brute force attack - one gains much more security just increasing the password length by one character than changing the password on every use. I. Security Standards Passwords are very important part of computer's security. They often serve as the first line of defense in preventing unauthorized access to computers and data. Because of the crucial role of passwords it is important to choose passwords that are complex and cryptic enough to prevent others from guessing them or from cracking them with programs,rainbow table or dictionary attack. At the same time, it is also important to keep passwords secret and secure so others cannot use them or find them. These standards are intended to provide information of guidance about how to create good, cryptic passwords and how to keep them secure and confidential. Password Strength and Security Standards or II. How to create good, cryptic, hard-to-guess-or-crack passwords. 
The following requirements are considered as essential and are mandatory and are enforced on many business, software or other web entities (sites). 1. Passwords must be at least 8 characters in length and contain at least 3 of the following 4 types of characters: lower case letters (i.e. a-z)
  • 3. upper case letters (i.e. A-Z) numbers (i.e. 0-9) special characters (e.g. !@#$%^&*()_+|~-=‘{}[]:";’<>?,./) Passwords for systems or applications that cannot support the above standard must be longer -- at least 10 characters in length, if possible -- and incorporate the maximum complexity the system or application can support. 2. In addition, passwords must: Not be a word found in the dictionary (in any language), whether spelled forwards or backwards, or a word preceded or followed by a digit (e.g., secret1, 1secret) Not include user name or login name. Not be a common keyboard sequence, such as "qwerty89" or "abc123" Not be from examples you have seen in print, such as the ones on this page.
  • 4. III. How to keep your password secret and secure - 1. Do not share your passwords with anyone else, or in any way publish them. 2. Avoid writing passwords down. Whenever possible, change passwords to something you can easily remember. One way to do this is to create a password from a familiar phrase (see Additional Tips and Hints for more information). Once you have a good, strong, memorable password, you can come up with a system to modify it slightly for each system or application. Then you only have to remember your base password and your system. If you have to write a password down, try to write it in a way that others won't be able to decypher -- such as using a hint for part of it -- and store it securely in a safe, unlikely-to-be-discovered location, e.g., not under the keyboard or on your monitor. Passwords can also be securely stored using a variety of free and low-cost "password vault-type" encryption tools. See #5 in this section for details. 3. If you think your password may have been compromised, notify the Support (Contact, Customer. Etc.) Center and/or your supervisor. 4. Change passwords provided for initial access or password resets as soon as possible. Information for doing this should be provided with the password. If it is not, contact the person or office issuing the password for instructions. 5. Don’t let your applications or browser remember/store passwords that provide access to restricted systems or data.
   That way if someone gets access to your computer, they don’t also get access to all of your accounts. Passwords can be securely stored using a variety of free and low-cost "password vault-type" encryption tools, including your computer's keychain, LastPass, 1Password, Password Wallet, PasswordSafe (PC/Mac), and KeePass (PC) / KeePassX (Mac).
   Important notes: Master passwords providing access to these tools must meet the minimum strength and security standards stated in these Standards. For keychains, this is the password used to access the computer. Do not store passwords providing access to restricted data on service providers' websites, public computers, or non-personal devices.
6. Use different passwords for accounts that provide access to restricted data than for your less-sensitive or personal accounts. For additional security, use a different password for each account that provides access to sensitive data; that way, if one of your passwords is compromised, your others are still OK.
7. Ensure that passwords are transmitted securely. Before you log into something via the web, look for "https" (not "http") in the URL to indicate that there is a secure connection. If this is missing, request a secure web page from the service provider that you can use to log in. Make sure that any applications you log into on your computer (such as email) are set for secure authentication.

Additional Tips and Hints:

- Longer passwords are better.
- Avoid including personal information: names of family, places, pets, birthdays, address, hobbies, license plate number, etc.
- Avoid words that are slang, dialect, jargon, etc.
- A password consisting of several words separated by spaces can actually be more secure and easier to remember than a more complicated, obscure one.
- Basing your password on a phrase that is familiar to you is one way to generate a password that is memorable to you but obscure to others. For example, "The hills are alive with the sound of music!!" is actually a pretty good password, except for the fact that it is inconveniently long and published here. A shorter version could be "Hills! alive! Music!" or, using a variant on the first letter of each word, "ThRawts0m!".
- A few memorable, unrelated words can also be a good password, such as "correct horse battery staple" or, if the system requires additional complexity, "Correct horse battery staple!"
- Passwords shouldn't be too common (Password1 is very common; 2bor!2b is pretty common and is also only 7 characters in length).
- Be aware that automatic "password cracker" programs check for common symbol substitutions in words, such as "0" for "o" and "$" for "s". Simply substituting common symbols for letters in a dictionary word, e.g., "Pa$$w0rd" instead of "Password", might result in a guessable password even though it technically meets the above requirements. (Passwords that are found vulnerable by automatic password strength checkers may be rejected.)
- Microsoft's password strength checker is a handy tool to help gauge the strength of a password.

Examples:

Weak strength password - AaSsDdG
Medium strength password - cdxsza1126
Strong strength password - St@bleDog&Hum@N

IV. Additional Requirements

1. Passwords provided as initial passwords or password resets must meet the Minimum Password Requirements. ("Changeme", "admin", "pass1", "Passw0rd" and other common passwords found in password crackers should not be used.) Passwords provided as initial passwords or password resets also must not be a fixed password or a published/easy-to-figure-out formula that, if discovered, could be used to gain unauthorized access to a system or application. Passwords provided for initial access or password resets must be unique.
2. Ensure that end users are aware of the above password strength standards when it is not possible for applications and systems to enforce them technically.
3. Ensure secure transmission and storage of passwords.
4. Instruct users to change passwords provided for initial access or password resets as soon as possible after initial use, and provide instructions for doing so. Alternatively, temporary passwords can be set to expire upon initial use.
5. Give users advance notice about password requirements so they can come up with well-thought-out, memorable passwords instead of spur-of-the-moment ones.
6. Passwords used for privileged access must not be the same as those used for non-privileged access.
7. Administrator-level access to restricted data, computers or networks must be able to identify the individual performing the access, e.g., via a unique user ID/password and elevated permissions, as opposed to utilizing a shared admin or root account.
8. Report potential password security compromises to the Support Center.
9. Service providers should consider using Identity Management (IdM) services (Shibboleth, for example) for authentication to their applications.
10. Where possible and applicable, applications and systems must be configured to enforce these password complexity standards.
11. Passwords provided for initial access and password resets must be set to expire upon initial use, where feasible.
12. Initial passwords must be set to expire after no more than 90 days, and password resets must be set to expire after 6 to 12 hours when possible, to prevent unauthorized account access. Note: This requirement is not intended to imply that passwords must expire periodically. It is, instead, intended to prevent the misuse of initial and temporary passwords.
13. Systems must be configured to prevent resubmission of a previously used password within 12 months, at a minimum.
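The symbol-substitution warning in the Additional Tips and Hints and the common-password rule in requirement 1 above, as an added Python example that is not part of the original document: the checker undoes the substitutions a cracker undoes before rejecting a candidate, and rates it against the three example passwords. The substitution table beyond "0" and "$", the blocklist contents, the 8-character minimum and the weak/medium/strong thresholds are assumptions.

```python
import re

# Substitutions that password crackers routinely undo. The page names "0" for
# "o" and "$" for "s"; the rest of this table is a constructed assumption.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "$": "s", "@": "a", "!": "i", "|": "l"})

# Constructed blocklist seeded with the page's own examples; a deployment would
# load the same wordlists the password crackers use.
COMMON_PASSWORDS = {"password", "password1", "changeme", "admin", "pass1",
                    "passw0rd", "2bor!2b", "hills! alive! music!"}

def normalize(password: str) -> str:
    """Strip digits appended at either end and undo symbol substitutions,
    mirroring the rules a cracker applies before its dictionary lookup."""
    base = re.sub(r"^\d+|\d+$", "", password.lower())  # 'password1' -> 'password'
    return base.translate(LEET_MAP)                      # 'pa$$w0rd'  -> 'password'

def character_classes(password: str) -> int:
    """How many of upper, lower, digit and other are present."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)

def evaluate(password: str, min_length: int = 8) -> list:
    """Policy findings for a candidate; an empty list means it passed.
    min_length is an assumed value; use the policy's actual minimum."""
    findings = []
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("appears in the common-password list")
    elif normalize(password) in COMMON_PASSWORDS:
        findings.append("is a common password disguised by symbol substitution")
    return findings

def rate(password: str) -> str:
    """Weak/medium/strong rating. The thresholds are a constructed
    approximation of the page's three examples, not an official scale."""
    if evaluate(password):
        return "weak"
    long_enough = len(password) >= 16
    mixed = len(password) >= 12 and character_classes(password) >= 3
    return "strong" if long_enough or mixed else "medium"
```

Because the check normalizes before the lookup, "Pa$$w0rd" is rejected for the same reason "Password" would be, while the space-separated phrase is rated on length alone.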
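Requirements 11 to 13 above, as an added Python example that is not part of the original document: an issued (initial or reset) password stops working at its deadline and is retired on the first change, and a salted, hashed history refuses any password used within the last 12 months. The 12-hour reset lifetime (the upper end of the 6 to 12 hour range), the PBKDF2 parameters, the issue time and the in-memory Account object are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Lifetimes follow requirements 11-13 above; the hash parameters, the
# in-memory store and the issue time are constructed assumptions.
INITIAL_PASSWORD_LIFETIME = timedelta(days=90)
RESET_PASSWORD_LIFETIME = timedelta(hours=12)
HISTORY_WINDOW = timedelta(days=365)
PBKDF2_ROUNDS = 100_000
ISSUED = datetime(2024, 1, 1, 9, 0)   # constructed issue time for the demo

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256: stored history never holds plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

class Account:
    def __init__(self, temp_password: str, issued: datetime, is_reset: bool):
        self.salt, self.digest = hash_password(temp_password)
        self.history = []        # (retired_at, salt, digest) of former passwords
        self.temporary = True    # issued credential; must be changed on first use
        self.expires = issued + (RESET_PASSWORD_LIFETIME if is_reset
                                 else INITIAL_PASSWORD_LIFETIME)

    def matches(self, password: str, salt: bytes, digest: bytes) -> bool:
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def verify(self, password: str, now: datetime) -> bool:
        """Unused initial/reset passwords stop working at their deadline."""
        if self.temporary and now > self.expires:
            return False
        return self.matches(password, self.salt, self.digest)

    def change_password(self, old: str, new: str, now: datetime) -> bool:
        """Retire the temporary password; refuse the current password and any
        password retired within the last 12 months (requirement 13)."""
        if not self.verify(old, now):
            return False
        if self.matches(new, self.salt, self.digest):
            return False
        for retired_at, salt, digest in self.history:
            if now - retired_at < HISTORY_WINDOW and self.matches(new, salt, digest):
                return False
        self.history.append((now, self.salt, self.digest))
        self.salt, self.digest = hash_password(new)
        self.temporary, self.expires = False, None
        return True
```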