I intend to make sort of sections if I can… I may need a different format for the site, but for now, it looks like I’m doing this in pages. The focus will mostly be on how to protect your organization, and I would encourage people to participate in discussions, ask questions, and help answer them. If one person here doesn’t know the answer, perhaps someone out there does?
To kick things off, let's start with passwords… Mostly because I'm still tinkering with this site, and who the hell likes passwords anyway?? Even IT administrators, helpdesk techs and network admins are users too, and we all rely on passwords to make sure the wrong person doesn't get into our stuff. We should all know a thing or two about the best ways to use passwords, but there may be some folks browsing through who still use their grandma's name and birthday. I would encourage them to read some of this. I won't be offended if you skip ahead to the stuff you care about.
The Dreaded Password Change Day:
The 90 days has elapsed, and it’s time to change your password… What method do you use? Do you use a password manager? (please say yes…) Is this a password you need to type manually or not? (copy/paste saves so much time… but some passwords you’re kind of stuck typing)
What if this is password change day for your users? Do you trust them to come up with strong passwords, or do you suspect they're coming up with the absolute laziest one possible to skate by for the next 3 months? When a penetration tester comes through, I bet you would rather they have to work for it: finding creative ways in that you then need to fix, making noise along the way as alerts point you to the very switchport they're plugged into. The alternative is that they crack a few easy hashes and burn through your network in record time.
Password standards are changing, and NIST has a relatively recently published guide for authentication and all that fun stuff.
According to NIST SP 800-63B-4:
By the way, here’s a link to the document if you want to dig into it: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b-4.pdf
If you don't want to sift through the whole thing, here are some useful pieces from it; keep in mind I'm just going to cover password guidelines for now. Sort of a TLDR, with my thoughts and notes, not really quoted… more partial quotes and paraphrasing. Also note that these guidelines are only binding on US federal agencies, but they are the baseline everyone else should be configuring their password settings to match.
In my opinion, you should adopt these in your regular password habits as well. You can find this info beginning on page 14 in the NIST document:
- 15 character minimum
- Formerly 8 characters. Even a fully random 8-character password from the whole keyboard is only about 95^8 ≈ 6.6 × 10^15 guesses, which a GPU cracking rig exhausts against an unsalted fast hash such as NTLM in hours; and since people don't pick random characters, wordlist-plus-rules attacks usually recover 8-character human-chosen passwords in minutes regardless of complexity settings…
- 15 characters adds exponentially more time
- At least 64 character maximum
- While most passwords might never be this long, it’s a nice option to have if you need a good password for a service or something
- The longer it is, the harder it’ll be to crack, that being said if your network isn’t secure and things aren’t encrypted, length doesn’t matter at that point
- Any password can be compromised if not secured… Like Gandalf said: “keep it secret… keep it safe…”
- ASCII characters and space character should be accepted
- If you didn’t know, the space character has a value, and you can confirm that by calculating the hash of a text file with the word “Hello!” then adding a space after it and compare the hashes. It’s pretty neat, just a single space will alter the hash
- Unicode characters should be accepted also, each code point counting as a single character (the document also recommends normalizing the string with NFKC or NFKD before hashing, so the same visible text typed on different systems produces the same password)
- Composition rules should not be imposed
- Referring to mixtures of different character types
- What I sort of got from this is they’re encouraging human-typable passwords, urging length over complexity
- Password rotations should no longer be required; however, a password change should be forced if the authenticator is suspected to be compromised
- Removing password expiration lets you create longer passwords and remember them more easily, because you're not having to rotate them every few months
- No hints should be stored to remind the user what their password is, especially if it’s accessible to an unauthenticated party
- “Security questions” should not be a thing anymore either
- What was your first pet’s name? Where did you graduate? Where were you born? All the details you can glean from someone’s social media, especially if they ever participated in those “surveys” that people would pass around, all those answers were likely added to a database of stuff to use to brute force these questions and reset a password.
- The entire password should be submitted in full and verified in full, never truncated.
- This sounds like there are, or used to be, services out there that would let you in if you only knew part of someone's password… Yikes… It has happened more often than you'd think: the old DES-based Unix crypt(3) used only the first 8 characters, bcrypt silently ignores everything past 72 bytes, and some banks have asked for "characters 2, 5 and 8" instead of the whole thing. If the verifier discards part of the password, the extra length you typed bought you nothing.
There's more stuff in there about the verifier side: the document does not tell you to reject characters, it tells you to accept all of them and handle them safely. Passwords should be stored only as salted hashes produced by an approved, preferably memory-hard, key-derivation function, failed attempts should be rate-limited, and candidate passwords should be checked against a blocklist of common or previously breached passwords. A password that is hashed before it ever touches a database query can't break the query, so the SQL injection worry belongs to the code that handles the field, not to the characters the user is allowed to type. If you're building or patching authentication code, you'll want to read more of that document.
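To make the bullets above concrete, here is an added example (my code, not the blog's and not NIST's) of a verifier-side acceptance and storage routine that applies them: a 15-character floor counted in Unicode code points, a cap well above 64, NFKC normalization as the document recommends, no character-class rules, a check against a blocklist of common or breached passwords (which 800-63B-4 also requires and the post doesn't cover; the two-entry list here is a constructed stand-in), a salted scrypt hash from Python's standard library for storage, and verification of the whole submitted string in constant time. The constants and the record layout are my choices, not anything from the document.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 15    # the 15-character floor the post recommends
MAX_LENGTH = 256   # 800-63B-4 says allow at least 64; a higher cap is fine

# Constructed stand-in for the blocklist of common or breached passwords
# that 800-63B-4 also requires verifiers to check against.
BLOCKLIST = {
    "password123456!",
    "correcthorsebatterystaple",
}

# scrypt parameters (assumed values; the Python docs' example settings).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def normalize(password: str) -> str:
    """NFKC normalization as 800-63B-4 recommends, so the same visible text
    typed on different keyboards or operating systems yields the same string."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, blocklist=BLOCKLIST) -> tuple[bool, str]:
    """Return (accepted, reason). Length is counted in Unicode code points,
    not bytes, and no composition (character-class) rules are applied."""
    pw = normalize(password)
    length = len(pw)  # code points: an emoji or accented letter counts as one
    if length < MIN_LENGTH:
        return False, f"too short: {length} characters, minimum is {MIN_LENGTH}"
    if length > MAX_LENGTH:
        return False, f"too long: {length} characters, maximum is {MAX_LENGTH}"
    if pw in blocklist:
        return False, "appears on the blocklist of common or compromised passwords"
    return True, "accepted"


def hash_password(password: str) -> dict:
    """Store only a salted, memory-hard hash (scrypt from the standard
    library), never the password itself. Record layout is my own."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"salt": salt, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Verify the entire submitted password: the whole normalized string is
    hashed, nothing is truncated, and the comparison is constant-time."""
    candidate = hashlib.scrypt(normalize(password).encode("utf-8"),
                               salt=record["salt"], n=SCRYPT_N, r=SCRYPT_R,
                               p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3",                       # short, despite "complexity"
               "fifteenlowercaseletters",            # long, no mixed classes, fine
               "correcthorsebatterystaple",          # long but on the blocklist
               "the quick brown \U0001F98A jumps over 2 lazy dogs"]:
        print(repr(pw), check_password(pw))
    phrase = "na\u00efve \u00fcber p\u00e4ssw\u00f6rd phrase"
    record = hash_password(phrase)
    # The same words typed with combining accents verify, thanks to NFKC.
    print(verify_password("nai\u0308ve u\u0308ber pa\u0308sswo\u0308rd phrase", record))
    print(verify_password(phrase[:-1], record))  # one character short: rejected
```

The normalization step is the one people forget: without it, a passphrase typed on a Mac (which often emits combining accents) and the same passphrase typed on Windows (precomposed accents) hash to different values and the user is locked out for no visible reason.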
Easier, longer-lasting passwords?
Essentially, I would say that is about what it sounds like. They’re paving the way for normalizing something more akin to pass-sentences or pass-phrases, rather than the traditional pass-word. I’ve found if I use several words strung together in a way that you might giggle a little typing, it really helps for making a good password that’s easy to memorize. Just make sure it’s not something that would get HR after you if you mistakenly type it in the username field and submit it…
Fun fact, if you're here reading this and not a system admin or something IT-ish: when you log in to something, the password field is, or should be, not viewable in any logs. The password should only ever travel over an encrypted connection and should be stored as a salted hash, so I don't want to, nor do I need to, know your password. There are very, VERY few exceptions where I might work with someone and need to know their password, but I highly prefer them to be present and type it themselves. Also, if I do stumble on your password, I'll have you change it. Passwords typed into the username field instead? Those are now plaintext in the logs, because failed-logon events record the username as typed. If you ever mistakenly send your password in the username field, change it ASAP.
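As an added example of the admin side of that last point (my code, not the post's), the scanner below runs over a few constructed sshd-style "Failed password for … user … from … port …" lines and flags failed logons whose username field contains spaces or symbols that no account name at this site would have, which is the usual sign of a password typed into the wrong box. The allowed-username pattern is an assumption about local naming, the log lines are made up, and the alert deliberately records only the source IP, line number and a redacted form so the leaked value is not copied into yet another log.

```python
import re

# Constructed sample log lines in the shape sshd writes to the auth log.
# Two of them carry what looks like a password in the username position.
SAMPLE_LOG = """\
Jun 12 08:01:13 bastion sshd[2211]: Failed password for invalid user jsmith from 10.0.0.5 port 51522 ssh2
Jun 12 08:01:20 bastion sshd[2211]: Failed password for invalid user Tacos&Tuesdays!2024 from 10.0.0.5 port 51522 ssh2
Jun 12 08:02:02 bastion sshd[2214]: Failed password for svc-backup from 10.0.0.9 port 40210 ssh2
Jun 12 08:02:41 bastion sshd[2220]: Failed password for invalid user purple monkey dishwasher from 10.0.0.5 port 51530 ssh2
"""

# Pulls the username and source address out of a failed-logon line. The
# username group is lazy so it stops at the " from <ip> port" that follows.
FAILED_LOGON_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>.+?) from (?P<ip>\S+) port \d+"
)

# Assumption about this site's naming: account names start with a letter or
# digit and use only letters, digits, dot, underscore, hyphen, @ and backslash.
VALID_USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@\\-]{0,63}$")


def looks_like_password(username: str) -> bool:
    """True when the 'username' contains spaces or symbols a real account
    name here never would, i.e. it was probably a password."""
    return VALID_USERNAME_RE.match(username) is None


def redact(value: str) -> str:
    """Keep only the first character and the length, enough to match the
    alert to a person without re-logging the secret itself."""
    return value[0] + "*" * (len(value) - 1)


def scan_failed_logons(log_text: str) -> list[dict]:
    """Return one alert per failed logon whose username looks like a password."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = FAILED_LOGON_RE.search(line)
        if m is None:
            continue
        user = m.group("user")
        if looks_like_password(user):
            alerts.append({
                "line": lineno,
                "source_ip": m.group("ip"),
                "username_redacted": redact(user),
                "action": "find who is at source_ip and have them change this password",
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_failed_logons(SAMPLE_LOG):
        print(alert)
```

The same idea works against Windows Security event 4625 or any IdP's failed-sign-in log; only the line-parsing regex changes. The follow-up is the same as the post says: whoever is at that source address changes the password, then you check whether the same string has been reused anywhere else.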
MFA!!!
Passwords are one factor ("what you know"). Requiring a second factor from a different category, "what you have" (a phone app, a hardware key) or "what you are" (a fingerprint or face), adds a good layer of difficulty: an attacker who cracks or phishes the password still can't get in without the second factor.
If you’re an IT person in here, you should turn some MFA option on with all the things wherever you can. Some are super easy and built into the functionality of the system and once enabled, it will just walk your users through next time they login. Others require a third party identity provider and some additional setup, possibly a license fee per user, so you may need to convince the right people to pay for that extra protection. A few dollars per user is a lot less expensive than compromised network, lost or stolen data.
The different types of MFA options out there provide varying degrees of security. Codes sent by SMS or voice call are the weakest (they can be intercepted via SIM swapping and are easily phished), authenticator-app codes resist SIM swapping but can still be phished in real time, and FIDO2/WebAuthn security keys or passkeys are phishing-resistant because the credential is bound to the legitimate site. If you have the choice, pick the strongest method you can set up.
Ok, I’ll stop blabbing now…
Finishing off this page, I hope it did not come off too wordy. I know I have a bad habit of that, but I'm working on it. If this was useful information though, let me know what you think. I'm sure there are people out there who would love some password tips. Password change day approaches, you start considering new passwords with a blank brain, and your mind immediately goes to "how can I keep using what I'm using, but make it slightly different and still easy to remember?" This, right here, is why I'm glad forced password changes are hopefully phasing out soon: changing them frequently causes lazy passwords.
Anyhow, if you didn't find this useful, check back once in a while and I'll try to have some other stuff in here. Since brewing is also one of the topics I want to cover on this site, I'll get something on that front rolling soon. If you made it this far, I like drip coffee with 2 shots of espresso…
Oh neat, I can schedule things to publish? I will need to play with that feature… this one’s going up now though, so here goes…