password guidance - simplifying your approach

7/24/2019 Password Guidance - Simplifying Your Approach

1/13

Simplifying Your Approach

Password

Guidance


2/13

Page 2 Password Guidance Simplifying Your Approach

Contents

Foreword .............................................................................................................................................3

Introduction: the problems with passwords ....................................................................................4

Tip 1: Change all default passwords..................................................................................................5

Tip 2: Help users cope with password overload ..............................................................................6

Tip 3: Understand the limitations of user-generated passwords...................................................7

Tip 4: Understand the limitations of machine-generated passwords ...........................................8

Tip 5: Prioritise administrator and remote user accounts ..............................................................9

Tip 6: Use account lockout and protective monitoring .................................................................1

Tip 7: Dont store passwords as plain text ......................................................................................11

Infographic summary .......................................................................................................................12


3/13

Password Guidance Simplifying Your ApproachPage 3

By simplifying yourorganisations approachtopasswords, you can reducethe workload on users,lessen the support burdenon IT departments, and

combat the false sense ofsecurity that unnecessarilycomplex passwords canencourage.

Foreword

Passwords are an essential part of modern life. Every day we provide passwords asauthentication to systems and services, both in the workplace and at home. A recentsurvey reported that UK citizens each had an average of 22 online passwords

1, far

more than most people can easily remember.

Password guidance - including previous CESG guidance - hasencouraged system owners to adopt the approach that complexpasswords are stronger. The abundance of sites and services thatrequire passwords means users have to follow an impossible set ofpassword rules in order to stay secure.

Worse still, the rules - even if followed - don't necessarily make

your system more secure. Complex passwords do not usuallyfrustrate attackers, yet they make daily life much harder for users.They create cost, cause delays, and may force users to adoptworkarounds or non-secure alternatives that increase risk.

Password Guidance: Simplifying Your Approach

contains advice forsystem owners responsible for determining password policy. It is not intended to protect high valueindividuals using public services. It advocates a dramatic simplification of the current approach at a systemlevel, rather than asking usersto recall unnecessarily complicated passwords.

More specifically, this document will help you to:

examine and (if necessary) challenge existing corporate password policies, and argue for a morerealistic approach

understand the decisions to be made when determining password policy

implement strategies that lessen the workload that complex passwords impose on users

make your system more secure by suggesting a number of practical steps you can implement

Every single user in the UK public sector has at least one (and most likely considerably more) work-relatedpassword. By simplifying your organisation's approach, you can reduce the workload on users, lessen thesupport burden on IT departments, and combat the false sense of security that unnecessarily complexpasswords can encourage.

Ciaran Martin

DirectorGeneralforCyberSecurity,GCHQ

1www.bbc.co.uk/news/business-20726008


4/13


Introduction: the problems with passwords

The death of the password was predicted some ten years ago. It was assumed thatalternative authentication methods would be adopted to control access to ITinfrastructure, data, and user material. But since then, password use has only risen.

This increase in password use is mostly due to thesurge of online services, including those providedby government and the wider public sector.Passwords are an easily-implemented, low-costsecurity measure, with obvious attractions formanagers within enterprise systems. However,this proliferation of password use, andincreasingly complex password requirements,places an unrealistic demand on most users.

Inevitably, users will devise their own copingmechanisms to cope with password overload.This includes writing down passwords, re-usingthe same password across different systems, orusing simple and predictable password creationstrategies. A study within a Scottish NHS trustfound that 63% of its users admitted to re-usingpasswords.

2

How are passwords discovered?

Attackers use a variety of techniques to discoverpasswords. Many of these techniques are freelyavailable and documented on the Internet, anduse powerful, automated tools.

2Blaming Noncompliance Is Too Convenient: What Really

Causes Information Breaches, Security & Privacy, IEEE(Volume: 10, Issue; 3)

Approaches to discovering passwords include:

social engineering eg phishing; coercion

manual password guessing, perhaps usingpersonal information cribs such as name,

date of birth, or pet names

intercepting a password as it istransmitted over a network

shoulder surfing, observing someonetyping in their password at their desk

installing a keylogger to interceptpasswords when they are entered into adevice

searching an enterprises IT infrastructurefor electronically stored passwordinformation

brute-force attacks; the automatedguessing of large numbers of passwordsuntil the correct one is found

finding passwords which have beenstored insecurely, such as handwritten onpaper and hidden close to a device

compromising databases containing largenumbers of user passwords, then usingthis information to attack other systemswhere users have re-used thesepasswords

About this document

The remaining sections in this document comprise

7 tips that summarise the key areas to considerwhen defining password policy. Each section alsocontains practical steps you can implement tooptimise system security.


5/13


Tip 1: Change all default passwords

Factory-set default passwords being left unchanged is one of the most commonpassword mistakes that organisations make.

By leaving default credentials in place, networkingand crucial infrastructure is reachable online. In2012, the Carna Internet Census found several

hundred thousand unprotected devices on theInternet. The Carna botnet commandeered thesedevices with default passwords to create atemporary research botnet

3.

All default vendor-supplied passwords that come

with any system or software should be changedbefore deployment. Pay particular attention toessential infrastructure devices such as routers,wireless access points, and firewalls.

Vendors can help here by documenting all defaultpasswords, and listing how to change them.

3http://internetcensus2012.bitbucket.org/paper.html

In summary

Change all default passwords beforedeployment.

Carry out a regular check of systemdevices and software, specifically to lookfor unchanged default passwords.

Prioritise essential infrastructure devices.


6/13


Tip 2: Help users cope with passwordoverload

Users are generally told to remember passwords, and to not share them, re-usethem, or write them down. But the typical user has dozens of passwords toremembernot just yours.

An important way to minimise the passwordburden is to only implement passwords when theyare really needed. Systems and services with nosecurity requirements should be free frompassword control. Technical solutions (such assingle sign-on and password synchronisation) canalso reduce the burden on staff. These may incuradditional costs, but this is outweighed by thebenefits they bring to the whole system security.

You should also provide appropriate facilities tostore recorded passwords, with protectionappropriate to the sensitivity of the informationbeing secured. Storage could be physical (forexample secure cabinets) or technical (such aspassword management software), or acombination of both. The important thing is thatyour organisation provides a sanctioned

mechanismto help users manage passwords, asthis will deter users from adopting insecurehiddenmethods to manage password overload.

Password management software

Software password managers can help users bygenerating, storing and even inputting passwordswhen required. However, like any piece ofsecurity software, they are not impregnable andare an attractive target for attackers.

Changing passwords

Most administrators will force users to changetheir password at regular intervals, typically every30, 60 or 90 days. This imposes burdens on theuser (who is likely to choose new passwords thatare only minor variations of the old) and carriesno real benefits as stolen passwords are generallyexploited immediately. Long-term illicit use ofcompromised passwords is better combated by:

monitoring logins to detect unusual use

notifying users with details of attemptedlogins, successful or unsuccessful; they

should report any for which they were notresponsible

Regular password changing harms ratherthan improves security, so avoid placingthis burden on users. However, users mustchange their passwords on indication orsuspicion of compromise.

Sharing passwords

You should never allow password sharingbetween users. Sharing accounts, or evenoccasional use by anyone other than the accountholder, negates the benefit of authenticating aspecific user. In particular, the ability to audit andmonitor a specific users actions is lost.

Where password sharing is currently in use (forexample, where emergency access is required toaccess patient medical records in A&E/critical careunits), you should consider alternate accesscontrol mechanisms such as the presentation of ahardware token, such as an RFID badge.

In summary

Users have a whole suite of passwords tomanage, not just yours.

Only use passwords where they are reallyneeded.

Use technical solutions to reduce theburden on users.

Allow users to securely record and storetheir passwords.

Only ask users to change their passwordson indication or suspicion of compromise.

Allow users to reset passwords easily,quickly and cheaply.

Do not allow password sharing.

Password management software can helpusers, but carries risks.


7/13


Tip 3: Understand the limitations of user-

generated passwords

User-generated password schemes are more commonly used than machine-generatedones, due to being simpler, cheaper and quicker to implement. However, user-generated password schemes carry risks that machine-generated schemes do not.

Studies of user-generated password schemeshave shown that they encourage insecurebehaviours. These include using the mostcommon passwords, re-using the same password

over multiple systems, and adopting predictablepassword generation strategies (such as replacingthe letter o with a zero).

Attackers are familiar with these strategies anduse this knowledge to optimise their attacks. Mostdictionaries for brute-force attacks will prioritisefrequently used words and charactersubstitutions. This means that systems with user-generated passwords will normally contain a largenumber of weak passwords that will quickly fall toan automated guessing attack.

Technical controls vs complex

passwords

Traditionally, organisations impose rules on thelength and complexity of passwords. However,people then tend to use predictable strategies togenerate passwords, so the security benefit ismarginal while the user burden is high.

The use of technical controls to defendagainst automated guessing attacks is farmore effective than relying on users to

generate (and remember) complexpasswords.

For this reason, enforcing the requirement forcomplex character sets in passwords is notrecommended. Instead, concentrate efforts ontechnical controls, especially:

defending against automated guessingattacks by either using account lockout,throttling, or protective monitoring (asdescribed in Tip 6)

blacklisting the most common password

choices

Similarly, given the infeasibility of memorisingmultiple passwords, many are likely to be re-used.Users should only do this where the compromiseof one password does not result in the

compromise of more valuable data protected bythe same password on a different system. Onegolden rule is users should never use the samepassword for both home and work.

Reinforce password policy with staff training thathelps users to avoid creating passwords that areeasy-to-guess. Training can advise that passwordsshould avoid personal information (names, dates,sports teams, etc.), simple dictionary words orpredictable keyboard sequences.

Password strength meters

Password strength meters aim to help usersassess the strength of their self-generatedpasswords. They may steer users away from theweakest passwords, but often fail to account forthe factors that can make passwords weak (suchas using personal information, and repeatingcharacters or common character strings).

In summary

Put technical defences in place so thatsimpler password policies can be used.

Reinforce policies with good user training.Steer users away from choosingpredictable passwords, and prohibit themost common ones by blacklisting.

Tell users that work passwords protectimportant assets; they should never re-use passwords between work and home.

Be aware of the limitations of passwordstrength meters.


8/13

Page 8 Password GuidanceSimplifying Your Approach

Tip 4: Understand the limitations of machine-

generated passwordsMachine-generated passwords eliminate those passwords that would be simple for anattacker to guess. They require little effort from the user to create, and, depending onthe generation scheme, can produce passwords that are fairly easy to remember.

The main advantage of machine-generatedschemes is that they eliminate those passwordsthat would be simple for an attacker to guess.They also deliver a known level of randomness soits possible to calculate the time it would take to

crack the password using a brute-force attack.

Compared to user-generated schemes, there is noneed to use blacklisting, and user training shouldbe simpler. They also require little effort from theuser for password creation.

Some machine generation schemes can producepasswords which are very difficult for people toremember. This increases both the demand onhelpdesk for resets, and also the likelihood ofinsecure storage. They are not recommended.

Instead, use a generation scheme designed forhigh memorability (such as passphrases, 4 randomdictionary words or CVC-CVC-CVC

4style

passwords). Ideally, you should give users achoice of passwords, so they can select the onethey find the most memorable.

4Consonant-vowel-consonant constructions

Technical controls

Technical controls such as account lockout,throttling or protective monitoring are stillrelevant when using machine-generated

passwords.

In summary

Choose a scheme that producespasswords that are easier to remember.

Offer a choice of passwords, so users canselect one they find memorable.

As with user-generated passwords, tellusers that work passwords protectimportant assets; they should never re-use passwords between work and home.


9/13


Tip 5: Prioritise administrator and remote useraccounts

Administrator accounts have highly privileged access to systems and services.Compromise of these accounts is a threat to the wider system, and thereforeespecially attractive to attackers.

Ensure that robust measures are in place toprotect administrator accounts. Administratoraccounts should not be used for high risk or day-to-day user activities, such as accessing externalemail or browsing the Internet. Administratorsshould also have standard user accounts fornormal business use (with different passwords).

Remote users

Remote users who require remote login access,which can include the use of VPNs, email/webmailand other forms of access to internal systems,should be required to provide extra evidence(such as a token). This can form part of your twofactor authentication policy for all remoteaccounts.

In summary

Give administrators, remote users andmobile devices extra protection.

Administrators must use differentpasswords for their administrative andnon-administrative accounts.

Do not routinely grant administratorprivileges to standard users.

Consider implementing two factorauthentication for all remote accounts.

Make sure that absolutely no defaultadministrator passwords are used.


10/13


Tip 6: Use account lockout and protectivemonitoring

Account lockout, throttling, and protective monitoring are powerful defences againstbrute-force attacks on enterprise systems and online services.

Password systems can be configured so that auser only has a limited number of attempts toenter their password before their account islocked out. Or, the system can add a time delaybetween successive login attempts - a techniqueknown as throttling.

Account lockout is simpler to implement thanthrottling, but can have a detrimental impact onthe user experience. Account lockout alsoprovides an attacker with an easy way to launch adenial of service attack, particularly for large scaleonline systems.

If using lockout, we recommend you allow around10 login attempts before the account is frozen.This gives a good balance between security andusability

5.

Protective monitoring

The burden of locking out legitimate useraccounts can be relaxed if other approaches todetecting and preventing the misuse of accountsare considered. For example, you can useprotective monitoring to detect and alert tomalicious or abnormal behaviour, such asautomated attempts to guess or brute-forceaccount passwords.

5Ten strikes and youre out: increasing the number of login

attempts can improve password usability,Brostoff andSasse, CHI Workshop 2003

Password blacklisting

For user generated password schemes, a helpfuldefence is to employ a password blacklist todisallow the most common password choices. Thisworks well in combination with other defences byreducing the chance that a small number of

guesses will break a password.

Outsourcing and the use of third

parties

When services are outsourced, you shouldprovide the third party with instructions thatclearly describe the measures they should take toprotect the credentials used to access systems ordata relating to the issuing organisation. Thisshould form part of the contractual agreement.

In summary

Account lockout and throttling areeffective methods of defending brute-force attacks.

Allow users around 10 login attemptsbefore locking out accounts.

Password blacklisting works well incombination with lockout or throttling.

Protective monitoring is also a powerfuldefence against brute-force attacks, andoffers a good alternative to account

lockout or throttling.

When outsourcing, contractualagreements should stipulate how usercredentials are protected.


11/13


Tip 7: Dont store passwords as plain text

Passwords should never be stored as plain text, even if the information on the

protected system is relatively unimportant. This section gives advice for systemdevelopers and engineers, and will help security practitioners select products thatprovide more secure methods of password storage and processing.

Weve read how users re-use passwords andemploy predictable password creation strategies.This means an attacker who gains access to adatabase containing plain text passwords alreadyknows a users credentials for one system. Theycan use this information to attempt to accessmore important accounts, where further damagecan be done.

Periodically search systems for passwordinformation that is stored in plain text. Considerestablishing automated processes that (forexample) regularly search for clear text emails anddocuments containing the word password in thefilename or body.

If you need to provide access to clear textpasswords (such as when a selection of charactersare requested during a login), use an alternativemethod of protection (for example, on-demanddecryption).

Hashing and salting

Hashing is a one-way cryptographic functionwhich converts a plain text password into a hash.An attacker who has accessed a databasecontaining password hashes will not know theactual passwords.

However, attackers can still use brute-forceattacks and rainbow tables (pre-computed tablesfor reversing cryptographic hash functions) toretrieve passwords from stolen hashes. For thisreason, a salt should be added to the passwordbefore hashing.

In summary

Never store passwords as plain text.

Produce hashed representations ofpasswords using a unique salt for eachaccount.

Store passwords in a hashed format,produced using a cryptographic functioncapable of multiple iterations (such asSHA 256).

Ensure you protect files containingencrypted or hashed passwords fromunauthorised system or user access.

When implementing password solutionsuse public standards, such as PBKDF2,which use multiple iterated hashes.


12/13


Infographic summary


13/13


Disclaimer

This document has been produced jointly by GCHQ and CPNI. It is not intended to be an exhaustive guide topotential cyber threats, is not tailored to individual needs and is not a replacement for specialist advice.Users should ensure they take appropriate specialist advice where necessary.

This document is provided without any warranty or representation of any kind whether express or implied.The government departments involved in the production of this document cannot therefore accept anyliability whatsoever for any loss or damage suffered or costs incurred by any person arising from the use ofthis document.

Findings and recommendations in this document have not been provided with the intention of avoiding allrisks and following the recommendations will not remove all such risks. Ownership of information risksremains with the relevant system owner at all times.

Crown Copyright 2015

password guidance - simplifying your approach

Documents