Password Security Practices

This article is based on a translation of the Password Security guidance published by the Danish Centre for Cyber Security (Center for Cybersikkerhed, hereinafter CFCS). The guide sets out the key points of password security in a compact and understandable form.

General recommendations

Below is a list of general guidelines for password selection and password policies. Please note that this list is not exhaustive, as each organization will likely have unique security needs.

Selecting a password

• Use multi-factor authentication on all corporate systems accessible from the Internet. Better yet, use multi-factor authentication wherever available.

• Use a password manager to store and generate passwords.

• Use passwords that are at least 15 characters long.

• Avoid reusing passwords.

Password Policy

• Avoid overly complex password requirements; instead, set an appropriate minimum password length.

• Change passwords if there are any signs or suspicions of compromise.

• Use single sign-on (SSO) to make it easier for users to access your organization's systems.

• Use multi-factor authentication for all remote access solutions (e.g. VPN) and privileged accounts.

• Create a blacklist of frequently used passwords so that users cannot choose them.

• Implement password security best practices and regular employee awareness training on password use.

Problems related to passwords

Traditionally, a strong password is defined as a complex one: a combination of uppercase and lowercase letters, numbers, and special characters. Organizations also typically set a minimum password length and, in some cases, require regular password changes.

Many users struggle to cope with password requirements, especially when they have to remember multiple complex passwords. This often leads to users using workarounds and insecure alternatives, including reusing the same passwords across different systems, using simple and predictable password creation methods, and storing passwords in insecure locations.

Attackers use techniques such as brute force, rainbow tables, dictionary attacks (for example, the RockYou2024 compilation, posted on a hacker forum in July 2024, contains 9,948,575,739 unique leaked passwords), password spraying, and others.

Common Methods of Creating Unwanted Passwords

When creating new passwords, most users choose the simplest possible password that meets corporate security requirements. For example:

• If the minimum password length is set to 8 characters, users will often create passwords that are exactly 8 characters long.

• If a password must contain capital letters, then capitalizing the first letter is common practice.

• If a password must contain numbers, users often put them at the end of the password. Very often these are numbers from 0 to 99 or the user's year of birth. Replacing letters with similar-looking numbers is also common, for example replacing the letter “e” with the number “3” or the letter “o” with the number “0”.

• If a password must contain special characters, users often include just one. Some special characters are more popular than others, such as “@” and “!”.

• If regular password changes are required, many users will choose cyclical words such as seasons, quarters, months, etc.

• Some words and numbers are very popular and therefore widely used in passwords. The most commonly used passwords are “123456”, “password”, and sequences of adjacent keys on a keyboard, such as “qwerty”.

• The password often coincides with the user's first or last name or part of it.

• The password contains names of family members, friends, pets, etc.

• Due to the mandatory periodic password changes, users often make small changes to old passwords rather than creating completely new ones.

Password strength

If an organization has password complexity requirements, it is tempting to assume that its passwords are secure, but this is not necessarily the case. For example, if the policy requires a minimum of fifteen characters with a mix of uppercase and lowercase letters, numbers, and special characters, a compliant password might look like this:

Password123456!
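The gap between "meets the policy" and "is hard to guess" can be made mechanical. The following is an added example (not code from the CFCS guide) that checks a candidate both against a classic complexity rule and against the predictable construction patterns listed in the previous section: common passwords, cyclical words, digits appended at the end, a single special character, a capitalised first letter, leet substitutions, keyboard runs and personal information. The word lists are constructed and tiny; a real deployment would load large breach-derived blacklists.

```python
import re

# Constructed sample lists. A real deployment loads large breach-derived
# blacklists (e.g. a RockYou compilation) plus organisation-specific words.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "welcome", "admin", "letmein"}
CYCLICAL_WORDS = {"spring", "summer", "autumn", "winter", "january", "february",
                  "march", "april", "may", "june", "july", "august", "september",
                  "october", "november", "december", "q1", "q2", "q3", "q4"}
DICTIONARY_WORDS = COMMON_PASSWORDS | CYCLICAL_WORDS | {"company", "secret", "monkey"}
KEYBOARD_RUNS = ("qwerty", "qwertz", "azerty", "asdfgh", "zxcvbn", "123456", "abcdef")
# Substitutions users make to satisfy "must contain a digit/special" rules.
LEET_MAP = str.maketrans("013457@$!", "oleastasi")
LEET_CHARS = set("013457@$!")


def meets_complexity(pw: str, min_len: int = 15) -> bool:
    """The classic policy: minimum length plus upper, lower, digit and special."""
    return (len(pw) >= min_len
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def weak_patterns(pw: str, user_info: tuple = ()) -> list:
    """Return the names of the predictable construction patterns found in pw.

    user_info holds strings that must not appear (first/last name, company...).
    """
    findings = []
    low = pw.lower()
    # Word part: everything before the trailing digits/specials ("Password" in "Password123456!").
    body = re.sub(r"[^A-Za-z]+$", "", pw)
    # Undo leet substitutions to expose the word the user started from.
    core = body.translate(LEET_MAP).lower()

    if low in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        findings.append("common_password")
    elif core in CYCLICAL_WORDS:
        findings.append("cyclical_word")
    elif core in DICTIONARY_WORDS:
        findings.append("dictionary_word")
    if any(run in low for run in KEYBOARD_RUNS):
        findings.append("keyboard_or_digit_sequence")
    if body and body[0].isupper() and body[1:].islower():
        findings.append("capital_first_letter_only")
    if re.search(r"\d+[^A-Za-z0-9]*$", pw):
        findings.append("digits_at_end")
    if sum(1 for c in pw if not c.isalnum()) == 1:
        findings.append("single_special_character")
    if LEET_CHARS & set(body):
        findings.append("leet_substitution")
    if any(len(t) >= 3 and t.lower() in low for t in user_info):
        findings.append("contains_personal_info")
    return findings


if __name__ == "__main__":
    for candidate in ("Password123456!", "P@ssw0rd1!", "Winter2024!",
                      "correct horse battery staple"):
        print(f"{candidate!r}: complexity={meets_complexity(candidate)}, "
              f"patterns={weak_patterns(candidate, ('Anna', 'Smith'))}")
```

Run on `Password123456!` the complexity check passes while the pattern check reports a common password, a digit sequence, digits at the end, a single special character and a capital first letter; run on a four-word passphrase the complexity check fails while no pattern is found. That inversion is the argument for length and blacklists over character-class rules.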

Frequently used passwords

As the example above shows, a password that meets the formal requirements can still be insecure; many users unintentionally choose simple passwords that attackers can crack easily. Lists of commonly used passwords are readily available on the Internet and can be tried against one or many accounts.

Using leaked passwords

When websites or other online resources are subject to data breaches, usernames and passwords become available online and are quickly added to the attackers' list of leaked passwords worth trying.

The website https://haveibeenpwned.com lets users check whether their email address, or the accounts on their organization's domain, have appeared in a known data breach. Never type a password that is still in use into a third-party web form to see whether it has leaked; the site's separate Pwned Passwords service is built so that only the first five characters of the password's SHA-1 hash are sent to it, and that is the only form in which a live password should ever be checked.

What makes a strong password?

It is difficult to give specific advice on how to create passwords that can withstand every situation and threat. Therefore, it is important to conduct a risk assessment to determine which set of security measures provides the right balance between security controls and convenience, depending on the sensitivity of the asset the password protects.

If single sign-on is used to provide access to multiple systems, the security requirements should be based on the most critical of those systems. Internet-facing systems are generally more exposed to attack than internal systems that are not reachable from the Internet.

Passwords and passphrases

There are many recommendations for choosing a password. Regardless of the method chosen, it is important that passwords remain confidential. It is also important to choose an appropriate password length, ideally at least 15 characters, especially if multi-factor authentication is not enabled.

Example password

Use the first letter of each word in a sentence, for example:

Janpenvnre-dis

The source sentence is Russian: “Я не против ехать на велосипеде на работу, если нет дождя или снега” (“I don't mind riding a bicycle to work if there is no rain or snow”). The password takes the first letter of each word, transliterated into Latin characters, with the word “нет” (“no”) replaced by the sign “-”.

Another way is to take a song or album title and combine it with the artist's name and digits or symbols:

Abbey Road1969The Beatles

If you use a password manager (such as Bitwarden or LastPass), which removes the need to remember all of your unique passwords, you should still use long and complex passwords; the password manager can usually generate them for you.

Another approach is a passphrase: a random sequence of easy-to-remember words, which adds length. If common words are used, the minimum length should be raised to 20 characters.
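The point of a random passphrase is that the words are chosen by a cryptographic random source, not by the user, and that the list is large enough for five words to resist guessing. The block below is an added example (not from the CFCS guide) that generates passphrases and manager-style random passwords with Python's `secrets` module, enforces the CFCS floor of 5 words and at least 20 characters, and computes the guessing entropy so the effect of the list size is visible. The 30-word list is constructed for the demo; a real list would be something like the 7776-word EFF list.

```python
import math
import secrets
import string

# Constructed miniature word list. Real use: a published list such as the EFF
# large wordlist (7776 words); a short list like this one gives little entropy.
WORDS = ["anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
         "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
         "orchid", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
         "velvet", "walnut", "yogurt", "zephyr", "owl", "fig", "ink", "oak", "elm"]

PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(words, n_words=5, min_len=20, sep="-"):
    """Draw n_words uniformly with the OS CSPRNG (secrets, never random) and retry
    until the CFCS floor is met: 5 words and at least 20 characters. Rejecting the
    rare short combinations removes only a tiny fraction of the space."""
    while True:
        phrase = sep.join(secrets.choice(words) for _ in range(n_words))
        if len(phrase) >= min_len:
            return phrase


def generate_password(length=15, alphabet=PASSWORD_ALPHABET):
    """Random password for a password manager: no structure, so no patterns to guess."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices, count):
    """Guessing resistance of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


if __name__ == "__main__":
    print(generate_passphrase(WORDS), "->",
          round(entropy_bits(len(WORDS), 5), 1), "bits (30-word list)")
    print("5 words from a 7776-word list:", round(entropy_bits(7776, 5), 1), "bits")
    print(generate_password(), "->",
          round(entropy_bits(len(PASSWORD_ALPHABET), 15), 1), "bits")
```

Five words from the 30-word demo list give about 24.5 bits, which is why the list size matters more than the word count; five words from a 7776-word list give about 64.6 bits, and a 15-character random password over 94 symbols about 98 bits.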

Access without password

Because passwords can be difficult to remember, easy to guess, frequently reused, and have been implicated in data breaches, there have been efforts in international forums to find alternatives to passwords.

An example is the FIDO2 standard, which provides simple and secure access to websites and operating systems using public/private key pairs instead of passwords. FIDO2-based authentication not only solves many of the problems of traditional password use but is also easy for users to handle.

Passwordless access to, for example, an online service requires a user account and the generation of a unique public/private key pair. First, the user chooses an authenticator supported by the identity provider (for example, a mobile phone or a USB security key). The user unlocks the authenticator with a fingerprint, a touch of the key, or a PIN, after which a unique key pair is generated. The key pair is bound to the authenticator, the user account, and the identity provider (more precisely, to the service's domain, so a credential for one site cannot be used on a look-alike site). The public key is sent to the identity provider and stored for later verification.

When the user later accesses the online service and enters their username, the identity provider sends a random challenge to the user's device. All the user has to do is unlock the authenticator as during registration (for example, with a fingerprint). The device finds the matching private key, signs the challenge with it, and returns the signature to the identity provider. The identity provider verifies the signature with the public key stored for the user, which proves that the user possesses the private key. If verification succeeds, the user is granted access.

During FIDO2 authentication, no password is sent over the Internet, and the online service stores no passwords or other secrets, only public keys. The FIDO2 process therefore eliminates many of the risks of traditional password use while still letting the user access the service easily.
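To make the registration and login flow concrete, here is an added example (not code from the CFCS guide or from any FIDO2 library) that models both sides of the exchange in Python. It assumes the third-party `cryptography` package is installed and uses Ed25519 signatures; the class names, the `example.com` relying-party ID and the user `alice` are illustrative. It simplifies WebAuthn in one respect: a real authenticator signs the authenticator data plus a hash of the client data (which carry the origin and the challenge), whereas here the relying-party ID is simply prepended to the challenge so that the signature is still bound to the service.

```python
import secrets

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (Ed25519PrivateKey,
                                                                Ed25519PublicKey)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


class Authenticator:
    """The user's device (phone or USB key). Private keys never leave it."""

    def __init__(self):
        self._keys = {}  # (rp_id, user_id) -> private key

    def register(self, rp_id: str, user_id: str) -> bytes:
        """Create a key pair bound to this service and user; hand back only the public key."""
        key = Ed25519PrivateKey.generate()
        self._keys[(rp_id, user_id)] = key
        return key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

    def has_credential(self, rp_id: str, user_id: str) -> bool:
        return (rp_id, user_id) in self._keys

    def sign_challenge(self, rp_id: str, user_id: str, challenge: bytes,
                       user_verified: bool = True) -> bytes:
        """Sign the challenge after the user unlocks the device (PIN/biometric).
        Simplification of WebAuthn: rp_id is prepended instead of signing
        authenticatorData || SHA-256(clientData)."""
        if not user_verified:
            raise PermissionError("user verification (PIN or biometric) required")
        if not self.has_credential(rp_id, user_id):
            # A look-alike phishing domain has no credential, so there is nothing to sign.
            raise LookupError(f"no credential for {rp_id}")
        return self._keys[(rp_id, user_id)].sign(rp_id.encode() + challenge)


class IdentityProvider:
    """The online service. Stores public keys only: nothing here is worth stealing."""

    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self._public_keys = {}   # user_id -> raw public key bytes
        self._pending = {}       # user_id -> outstanding challenge

    def store_credential(self, user_id: str, public_key: bytes) -> None:
        self._public_keys[user_id] = public_key

    def new_challenge(self, user_id: str) -> bytes:
        challenge = secrets.token_bytes(32)  # fresh per login, so replays fail
        self._pending[user_id] = challenge
        return challenge

    def verify(self, user_id: str, signature: bytes) -> bool:
        challenge = self._pending.pop(user_id, None)  # single use
        if challenge is None or user_id not in self._public_keys:
            return False
        public_key = Ed25519PublicKey.from_public_bytes(self._public_keys[user_id])
        try:
            public_key.verify(signature, self.rp_id.encode() + challenge)
        except InvalidSignature:
            return False
        return True


def run_login(idp: IdentityProvider, authenticator: Authenticator, user_id: str) -> bool:
    """One complete authentication round trip: challenge, sign, verify."""
    challenge = idp.new_challenge(user_id)
    signature = authenticator.sign_challenge(idp.rp_id, user_id, challenge)
    return idp.verify(user_id, signature)


if __name__ == "__main__":
    device, service = Authenticator(), IdentityProvider("example.com")
    service.store_credential("alice", device.register("example.com", "alice"))
    print("login:", run_login(service, device, "alice"))
```

Three properties of the text are visible in the model: the service holds only public keys, a captured signature is useless because each challenge is single-use, and a phishing site under a different relying-party ID finds no credential to sign with.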

CFCS Recommendations

• The minimum password length should be 15 characters.

• Where passphrases are possible, passphrases of 5 words with a total length of at least 20 characters should be used.

• Passwords should never contain information that can be linked to the user or the organization, such as brand names.

• Passwords should not be reused.

Multi-factor authentication

Today most systems offer multi-factor authentication, one of the most effective measures for improving login security. Where multi-factor authentication is in place, password requirements can be relaxed somewhat, both in length and in complexity.

Multi-factor authentication is a method in which a user is granted access after presenting their login together with two or more of the following authentication factors:

• Something the user knows (a PIN or password).

• Something the user has (a key card or USB security key).

• Something the user is (biometrics such as facial or fingerprint recognition).

Most often, multi-factor authentication requires a combination of verification factors, such as a password (something the user knows) and a mobile phone (something the user has) to access a device or service.

Multi-factor authentication is already widely used, often in connection with remote access or online banking services. Because multi-factor authentication provides very strong login security, implementation is recommended wherever possible, and at least in systems that require a high level of security. If, for example, an account can be used to reset forgotten passwords to other accounts, it should be protected with multi-factor authentication.

There are several different methods of multi-factor authentication, including mobile apps that generate one-time codes or ask for confirmation of login attempts, user biometrics such as fingerprints or facial recognition, and USB security keys (which can also serve as FIDO2 passwordless authenticators).

Multi-factor authentication based on codes delivered via SMS is considered less secure than the other methods, because SMS messages can be intercepted or redirected (for example, through SIM swapping), and it should be avoided. If for some reason it is the only option available, it is still better than relying on passwords alone.

Remote user access

Multi-factor authentication should always be used for remote user access. A remote user often accesses an organization's networks from less secure remote locations, such as their own home network, hotel rooms, or coffee shops. These locations may not have security measures in place, and thus passwords may be more vulnerable to compromise.

CFCS Recommendations

• Multi-factor authentication should be implemented wherever possible.

• Multi-factor authentication should always be used to access privileged accounts.

• Multi-factor authentication should always be used for remote access to internal systems.

User awareness and training

It is important that users of an organization understand the internal password policy and follow the rules for using and creating passwords, regardless of the strength of the password. In addition, users should be aware of hacker attack methods. Users should know what warning signs to look for and how to respond if they are contacted by people posing as, for example, IT colleagues asking to verify or reset their password, or if they receive unexpected or suspicious-looking emails.

Management is responsible for building the organization's cybersecurity culture and, as part of that, for keeping users informed about new attack methods. Security awareness training should cover password strength and general security best practices.

CFCS Recommendations

• Management should plan and implement password policy training to increase awareness among the organization's users.

Change all default passwords

IT hardware and software often come with default system accounts and passwords set by the manufacturer. Hackers are well aware of this, and therefore passwords should always be changed before deploying vendor-supplied hardware and software.

Default passwords can serve as entry points for attackers into IT systems and therefore to business-critical information. Default logins and passwords can be found on the Internet, and if they have not been changed, attackers will have little difficulty gaining access. A key control is a procedure for changing default passwords, for example on routers, printers, login servers, and next-generation firewalls (NGFW), so that they are verified as changed before the device goes live.

To ensure that default passwords do not remain on deployed hardware or software, access to hardware and software should be audited regularly.

CFCS Recommendations

• Default passwords should be changed as a standard procedure when deploying hardware or software.

Focus on Privileged Accounts

Some accounts require more protection than others. Compromise of administrator, service, and remote user accounts carries a high risk of unauthorized access to sensitive information, making additional protection of such accounts a priority. Therefore, access to such accounts should be protected with multi-factor authentication along with longer and more complex passwords.

Administrator rights

Regular users generally do not need elevated rights to IT systems and infrastructure. Rights should always be assigned on the basis of business need (least privilege).

The role of a system administrator includes tasks that provide access to critical system infrastructure, maintain internal IT systems, and so on. As a result, administrative accounts are prime targets for attackers. Access to administrator accounts should be protected with multi-factor authentication. If for some reason this is not possible, longer and more complex passwords should be used. Administrator accounts should only be used for tasks that require elevated privileges.

To perform everyday tasks such as managing email and accessing the Internet, employees with the Administrator role should use an unprivileged, non-administrator account.

Administrative accounts should be personal, and the password should be known only to the administrator who owns the account. When employees with administrative rights leave, their privileged accounts should be closed immediately and the passwords of all service accounts known to them should be changed. Some privileged account management platforms can automate this, or avoid it entirely by issuing one-time passwords for administrative tasks.

Privilege Management

To get better visibility of an organization's privileged accounts, a privileged access management (PAM) system such as Teleport can be used. PAM solutions manage, monitor, and protect privileged rights and can centralize and streamline privileged account management.

CFCS Recommendations

• Administrative accounts should be used only for actions that require administrative privileges.

• Privileged accounts must be protected with multi-factor authentication.

• A fixed and documented process should be used to terminate privileged access for departing administrators.

Monitoring account lockouts and logins

An organization should take every step to make it as difficult as possible for hackers to penetrate IT systems that contain business-critical information. The following solutions can be taken to protect against several different types of hacker attacks.

Account Blocking

Account lockout is one way to stop attackers from guessing passwords through online attacks and penetrating internal IT systems. An account is locked once a user or attacker exceeds a predefined number of failed login attempts, which halts online dictionary and brute-force attacks against that account. Two caveats apply: lockout lets an attacker deliberately lock legitimate users out, and it does not stop password spraying, where a few common passwords are tried against many accounts, each staying below the threshold.

An organization should therefore prepare an account lockout policy that defines the acceptable number of failed login attempts. An unexpectedly high number of failed attempts on an account may indicate malicious activity.

The policy should define how many minutes must pass after a failed login attempt before the failed login counter is reset. It makes a significant difference whether an attacker can make the maximum number of failed attempts every half hour or only once a day before the account is locked.

It is also important to ensure that the policy specifies how to unlock locked accounts. This is problematic if a user can simply call support and request that their account be unlocked and a new temporary password be provided immediately over the phone. In such cases, a hacker could impersonate the user and gain access to the account. A potential solution to this particular problem would be to assign the user a temporary one-time password through a colleague or reset the password using an existing multi-factor authentication method.

Avoid security questions such as “What is my father's name?” for self-service unlocking, since attackers can easily find the answers through social engineering and open sources such as social media.

Delay new login attempts

Another method is throttling (rate limiting) of new login attempts. The account is not locked; instead, after each failed login attempt, or after a certain number of failed attempts, a delay is imposed before the next attempt is allowed. The delay can grow exponentially with each failed attempt.
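The lockout policy of the previous subsection and the throttling described here are easiest to reason about as one small state machine per account. The block below is an added example (not from the CFCS guide or from any identity product) that implements both in Python: a failure threshold, the counter-reset window measured from the last failed attempt, a lockout duration, and an exponential delay capped at a maximum. The clock is passed in explicitly so the policy can be replayed deterministically; the user table and the account names are constructed for the demo, and a real system would verify against a salted hash rather than a stored plaintext.

```python
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = 0.0
    next_allowed: float = 0.0
    locked_until: float = 0.0


class LoginGuard:
    """Per-account lockout (threshold, counter-reset window, lockout duration)
    combined with exponential throttling of repeated failures. The clock is
    passed in as `now` (seconds) so the policy is deterministic and testable."""

    def __init__(self, threshold=10, reset_seconds=1800, lockout_seconds=900,
                 throttle_base=1.0, throttle_cap=60.0):
        self.threshold = threshold
        self.reset_seconds = reset_seconds      # quiet time after which the counter resets
        self.lockout_seconds = lockout_seconds
        self.throttle_base = throttle_base      # delay after the first failure
        self.throttle_cap = throttle_cap        # upper bound on the exponential delay
        self._state = {}

    def status(self, account, now):
        """('allowed' | 'throttled' | 'locked', seconds to wait)."""
        st = self._state.get(account)
        if st is None:
            return "allowed", 0.0
        if now < st.locked_until:
            return "locked", st.locked_until - now
        if now < st.next_allowed:
            return "throttled", st.next_allowed - now
        return "allowed", 0.0

    def failure_count(self, account):
        st = self._state.get(account)
        return st.failures if st else 0

    def attempt(self, account, password, now, verify):
        """Evaluate one login; returns 'ok', 'denied', 'throttled' or 'locked'."""
        status, _ = self.status(account, now)
        if status != "allowed":
            return status                       # refused before the password is even checked
        if verify(account, password):
            self._state.pop(account, None)      # success clears the counters
            return "ok"
        st = self._state.setdefault(account, AccountState())
        if st.locked_until or now - st.last_failure >= self.reset_seconds:
            st.failures = 0                     # expired lockout or reset window: fresh count
            st.locked_until = 0.0
        st.failures += 1
        st.last_failure = now
        st.next_allowed = now + min(self.throttle_base * 2 ** (st.failures - 1),
                                    self.throttle_cap)
        if st.failures >= self.threshold:
            st.locked_until = now + self.lockout_seconds
        return "denied"


# Constructed user store for the demo only; never store plaintext like this.
SAMPLE_USERS = {"alice": "correct-horse-battery-staple", "bob": "Tr0ub4dor&3"}


def demo_verify(account, password):
    return SAMPLE_USERS.get(account) == password


if __name__ == "__main__":
    guard = LoginGuard(threshold=5, reset_seconds=1800, lockout_seconds=900)
    for t in (0, 0.5, 10, 20, 30, 40):
        print(f"t={t:>5}: {guard.attempt('alice', 'wrong', t, demo_verify)}")
    print("t=  100:", guard.attempt("alice", "correct-horse-battery-staple", 100, demo_verify))
    print("t=  941:", guard.attempt("alice", "correct-horse-battery-staple", 941, demo_verify))
```

The `reset_seconds` parameter is the knob the text refers to: with a threshold of 10 and a reset window of 30 minutes an attacker gets at most 10 guesses per half hour per account, with a window of 24 hours only 10 per day. Because both mechanisms are per account, a spraying attacker who tries one password against thousands of accounts is untouched by them; per-source rate limiting and spraying detection in the login logs are needed alongside.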

Notifying the user about logging in

If a user logs in from a device unknown to the system, a login notification sent to the user, such as via email or text message, can help increase the chances of detecting an account compromise, allowing for prompt action.

Monitoring and logging system logins

To combat potential security breaches, it is recommended that an organization monitor login attempts. Monitoring is often done automatically using software that alerts relevant personnel if, for example, the number of login attempts deviates from the normal rate. The monitoring tool’s warning threshold can be set to reflect the criticality or sensitivity of the system in question. CFCS often encounters organizations that have been the target of cyber-attacks, only to find that key event log files from the affected IT systems are no longer available for analysis of the attack. Logging security events across an organization’s infrastructure is essential to detecting and effectively addressing the impact of cyber-attacks.

CFCS Recommendations

• Account lockout or login throttling should be used.

• The organization must follow a fixed process for unlocking locked accounts.

• Login attempts must be logged and logins monitored.

Secure Handling of Passwords in Systems

Organizations must ensure that confidentiality is maintained during the use, transmission, and storage of passwords.

Using passwords

Login pages on systems used by the organization must allow pasting into the password field, so that password managers are easy to use. It is also recommended that, when a user chooses a password, they are warned if it is frequently used or known from previous leaks.

Organizations should make every effort to implement multi-factor authentication in their existing systems and take advantage of the ability to support FIDO2 passwordless authentication when implementing new systems.

Transferring passwords

An encrypted communication channel (for example, TLS) should be used whenever a password is entered or otherwise exchanged between devices or systems over the network.

Password storage

Passwords should never be stored in plain text. If the password database is compromised, it is important that the stored data cannot be used directly by attackers.

Unlike encryption, hashing is a one-way transformation. Use standard, proven implementations of hash functions designed specifically for passwords, such as Argon2id, scrypt, bcrypt, or PBKDF2; these are deliberately slow (and, in the case of Argon2 and scrypt, memory-hard) so that offline guessing against a stolen database is expensive.

As an additional layer, a unique random value called a salt is added to each password before it is hashed. This ensures that identical passwords produce different stored values, defeats precomputed rainbow tables, and forces an attacker to crack each hash separately.

If the system supports passwordless access via the FIDO2 standard, the need for secure storage of passwords is obviously reduced.
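The storage rules above (a password-specific hash, a unique salt per password, the parameters kept alongside the hash so they can be raised later, and a constant-time comparison on verification) fit in a few lines. The block below is an added example (not from the CFCS guide) in standard-library Python using `hashlib.scrypt`; Argon2id would be the first choice where a library for it is available. The cost parameters and the record format are illustrative choices, and the unsalted SHA-256 function is included only to show the contrast with what not to do.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: constructed example values; tune them so that one hash
# takes tens of milliseconds on your hardware. RAM per hash is 128 * r * N bytes
# (16 MiB here), which is what makes GPU and ASIC cracking expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, memory-hard hash. The parameters are stored beside the hash so
    they can be raised later without invalidating existing records."""
    salt = salt if salt is not None else os.urandom(16)   # unique per password
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(key_hex)
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(key, expected)


def unsalted_sha256(password: str) -> str:
    """What NOT to do: fast and unsalted, so equal passwords collide and one
    rainbow table or GPU run cracks the whole database at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("same password, same unsalted hash:",
          unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
    print("same password, different salted records:",
          hash_password("hunter2") != hash_password("hunter2"))
```

When the cost parameters are raised, existing records keep their old values and are rehashed transparently the next time each user logs in successfully, which is why they are stored in the record rather than as global constants only.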

CFCS Recommendations

• User interfaces should allow the use of password managers.

• User interfaces should be designed to help users choose secure passwords.

• A password blacklist should be created to prevent the use of frequently used passwords.

• All transmission of passwords must take place over encrypted connections.

• Only hashed values based on unique salts should be stored. Hashing should be performed using standard implementations of proven password hashing functions.

Welcome to our TG @defhubcommunity, there is a lot of interesting and useful information about cybersecurity.
