Topic 4A

Authentication

Password Concepts

A password best practices policy instructs users on choosing and maintaining passwords. More generally, a credential management policy should instruct users on how to keep their authentication method secure, whether this is a password, smart card, or biometric ID. The credential management policy also needs to alert users to the various types of social engineering attacks. Users need to be able to spot phishing and pharming attempts, so that they do not enter credentials into an insecure form or a spoofed site.

To supplement best practice awareness, system-enforced account policies can help to enforce credential management principles by stipulating requirements for user-selected passwords:

• Password Length—enforces a minimum length for passwords. There may also be a maximum length.

• Password Complexity—enforces complexity rules, such as no use of the username within the password and a combination of at least eight uppercase/lowercase alphanumeric and non-alphanumeric characters.

• Password Age—forces the user to select a new password after a set number of days.

• Password Reuse and History—prevents the selection of a password that has been used already. The history attribute sets how many previous passwords are blocked. The minimum age attribute prevents a user from quickly cycling through password changes to revert to a preferred phrase.

Password aging and expiration can mean the same thing. However, some systems distinguish between them. If this is the case, aging means that the user can still log on with the old password after the defined period, but they must then immediately choose a new password. Expiration means that the user can no longer sign in with the outdated password and the account is effectively disabled.
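The following example, added here and not part of the original course text, shows how the account-policy settings listed above (length, complexity, reuse/history, minimum age) and the aging versus expiration distinction can be enforced in code. The policy thresholds, the "three of four character classes" complexity rule, the PBKDF2 history store and the grace period that turns aging into expiration are all assumptions chosen for illustration; a real directory service will have its own values.

```python
"""Account-policy password checks: length, complexity, reuse/history,
minimum age, and aging vs. expiration.

Added example, not code from the original text. The thresholds, the
PBKDF2-based history store and the expire_grace period are assumptions.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000  # assumption: any slow, salted password hash would do
DAY = 24 * 3600


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64          # some systems also enforce an upper bound
    require_complexity: bool = True
    history_depth: int = 5        # how many previous passwords are blocked
    min_age: int = 1 * DAY        # earliest permitted change after the last one
    max_age: int = 90 * DAY       # after this the user must choose a new password
    expire_grace: int = 14 * DAY  # assumption: aging becomes expiration after this


@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)  # (salt, digest) pairs, oldest first
    last_change: float = 0.0                     # epoch seconds of last change


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def check_password(policy, account, candidate, now):
    """Return the list of violated rules; an empty list means acceptable."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append("too short")
    if len(candidate) > policy.max_length:
        violations.append("too long")
    if policy.require_complexity:
        # Assumption: at least three of the four classes lower/upper/digit/other.
        classes = sum(bool(re.search(p, candidate))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < 3:
            violations.append("too few character classes")
        if account.username.lower() in candidate.lower():
            violations.append("contains username")
    # Reuse/history: compare against the last N stored digests in constant time.
    for salt, digest in account.history[-policy.history_depth:]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            violations.append("reused password")
            break
    # Minimum age: stops quick cycling back to a preferred phrase.
    if account.history and now - account.last_change < policy.min_age:
        violations.append("changed too recently")
    return violations


def set_password(policy, account, candidate, now):
    """Apply the policy; on success record the new digest and change time."""
    violations = check_password(policy, account, candidate, now)
    if not violations:
        salt = os.urandom(16)
        account.history.append((salt, _digest(candidate, salt)))
        account.last_change = now
    return violations


def password_status(policy, account, now):
    """'ok'; 'must_change' (aged: logon allowed, change forced at once);
    or 'expired' (logon refused, account effectively disabled)."""
    age = now - account.last_change
    if age <= policy.max_age:
        return "ok"
    if age <= policy.max_age + policy.expire_grace:
        return "must_change"
    return "expired"
```

The history check deliberately hashes the candidate with each stored salt rather than keeping old passwords in a recoverable form, and `password_status` separates the aging state (logon still permitted, change forced) from the expiration state (logon refused) described above.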

You should note that the most recent guidance issued by NIST (SP 800-63B) deprecates some of the "traditional" elements of password best practices, such as composition (complexity) rules, routine aging, and the use of password hints. In their place it recommends a minimum length of eight characters with a generous maximum, screening new passwords against lists of known-compromised or commonly used passwords, and forcing a change only when there is evidence of compromise.

Password reuse can also mean using a work password elsewhere (on a retail website, for instance). Because the organization's systems cannot see what a user types into a third-party site, this sort of behavior can only be policed by soft policies, supplemented where possible by screening new passwords against known-breached credential lists.