Password Security

(OBJ 4.6)

Password Security

• Measures the effectiveness of a password in resisting guessing and brute-force attacks
• Estimates the number of attempts needed to guess a password correctly

Group Policy Editor for Password Policies

• Used to create password policies in Windows
• Available for local machines, and global policy orchestrator can be used in domain environments
• How to configure Group Policy Editor on Windows
  • Search "gpedit" int he search bar at the bottom
  • In the "Computer Configuratio" setting at the top, then click on the Windows Settings folder
  • Go to the "Security Settings"
  • Go to "Account Policies"
  • And then "Password Policy"
  • Now you will see several different settings that relate to the 5 characteristics that you need to consider when managing your organization's password policies

Five Characteristics of Password Policies

• Password Length
  • Longer passwords are harder to crack
  • Strong passwords should be at least 12 to 16 characters
  • Longer passwords increase security exponentially
    • More characters exponentially increase password security
    • Example:
      • 4-digit PIN = 10,000 possible combinations
        (10 x 10 x 10 x 10 = ${10}^4$ = 10,000 choices)
      • 5-digit PIN = ${10}^5$ or 100,000 possible combinations
      • 8-digit PIN = ${10}^8$ or 100,000,000 possible combinations
  • Slows down the ability to compromise your password
    • https://www.passwordmonster.com/
• Password Complexity
  • Combines uppercase and lowercase letters, numbers, and special characters
  • Complexity makes passwords resistant to brute force attacks
  • The more character choices, the more secure the password
  • Example:
    • If we only use digits, we only have 10 choices for each character length of the password
      • 4-digit PIN = 10,000 possible combinations
    • Lower case + four character password:
      • 26 x 26 x 26 x 26 = 456,976 possible combinations
      • More than 40x more choices than using only digits
    • Upper case + Lower case + four character password:
      • ${52}^4$ or 7,311,616 choices
    • Secure passwords can be composed of
      • Lowercase letters (26)
      • Uppercase letters (26)
      • Numbers (10)
      • Special characters (~10)
    • aW3+
      • Lowercase letter, uppercase letter, number
      • 72 possible characters for each character length
      • Tip: Change out some letters for numbers and symbols so it is legible but still very secure
        • Example: Sp3c!alP3nc1l
• Password Reuse
  • Avoid using the same password for multiple accounts
  • Reusing passwords increases vulnerability
  • Sometimes systems re designed to remember your password history and it won't let you reuse the same password, so you won't be able to switch between a list of past passwords
    • Sometimes there is a limit of password changes until you can reuse a password
    • Go to "Enforce Password History"
      • Example:
        • If you set it to 24, a user will have to reset their password 24 times before they can use the original password
• Password Expiration
  • Requires users to change passwords after a specific period
  • Overemphasis on expiration can lead to poor password choices
  • This technique is constantly being reconsidered as it often leads to poor passwords, since many people have difficulty remembering a lot of long, strong, and complex passwords.
    • They tend to reuse the same one across multiple sites or simply do some keyboard walking to add something to the end of some basic password
    • Example:
      • P4ssw0rd1
      • P4ssw0rd2
      • ...
  • To configure go to "Maximum Password Age"
• Password Age
  • Password age refers to the time a password has been in use
  • Older passwords have a higher risk of being compromised
  • Without a "Minimum password age", a user might change their password multiple times within a few minutes effectively bypassing the system's password history and using their initial password again.
    • By setting a few days as a minimum password age, organizations can assure that once password are changed, they stay changed for a reasonable period, further bolstering security.
  • Encourages adoption of newer more secure passwords over time
  • To configure go to "Minimum Password Age"

Password Managers

• Tools for storing and managing passwords securely
• Features
  • Password generation
    • Password managers create unique strong passwords for accounts to prevent reuse and enhance security
  • Auto-fill
    • Password managers autofill login details, sparing users the need to recall or input information manually
    • Decrease the chance of human errors
  • Secure sharing
    • Password managers provide secure methods to share passwords without directly disclosing the password itself
    • You can give permissions to other users to log in to the password manager as if they were you but the password manager will actually do the logging in on their behalf and it would never show them the password during a logging process
  • Cross-platform access
    • Password managers offer cross-device compatibility, allowing access to passwords from any location or device
    • Example:
      • Bitwarden application or web portal
• Promote password complexity, prevent reuse, and offer easy access to strong, unique passwords

Passwordless Authentication Methods

• Provide a higher level of security and better user experience
• Methods
  • Biometric Authentication
    • Uses unique biological characteristics to verify an identity
  • Hardware Token
    • Generate ever-changing login codes
  • One-Time Passwords (OTP)
    • Sent to email or phone for one-time use
  • Magic Links
    • One-time links sent via email for automatic login
    • Often valid for a short period of time, and can only be used once, similar to a one-time passcode
  • Passkeys
    • Serves as an authentication tool that integrates with the browser or operating system
    • Rely on device screen lock for authentication
      • Unlock the device using a chosen method