Password Management

Introduction

  • Password management is crucial for organizational security

  • Example: New employee "Mark" trying to set password "password123" but getting rejected due to policy requirements

  • Password security consists of two key components:

    • Policy definition (guidelines)

    • Policy enforcement (technical implementation)

Password Policy Standards

  • Common industry standards include:

    • NIST SP800-63B

    • CIS Password Policy Guide

    • PCI DSS

  • Standards provide baseline security controls but shouldn't be the only measure

  • Different standards may have conflicting approaches (e.g., password expiration requirements)

Essential Password Policy Components

Basic Requirements

  • Minimum length: 8 characters

  • Character complexity:

    • Uppercase letters

    • Lowercase letters

    • Numbers

    • Special characters

  • Change frequency: Every 60 days (though this is debatable based on modern standards)

Blacklisted Elements

  • Company name and variations

  • Industry-related terms

  • Temporal terms (months, seasons)

  • Common words:

    • "welcome"

    • "password"

    • Simple sequences (123456, abcde)

Policy Enforcement Methods

  • Technical Implementation:

    • Active Directory Password Policy GPO

    • Identity Management Systems

  • Organizational Implementation:

    • Clear communication of policies

    • Documented processes and procedures

    • Regular audits and compliance checks

Creating Strong Passwords

Methods

  1. Password Generator Tools:

    • Example: Generated password like "CjDC2x[U"

    • Pros: Very secure

    • Cons: Hard to remember

  2. Passphrase Method:

    • Example: "()The name of my dog is Poppy!"

    • Pros: Easier to remember

    • Cons: Could be vulnerable to OSINT if based on personal information

Password Managers

Types

  1. Online Password Managers:

    • Popular options:

      • 1Password

      • Bitwarden

      • Dashlane

      • Keeper

      • LastPass

      • NordPass

      • RoboForm

    • Features:

      • Cloud synchronization

      • Multi-device support

      • Zero Knowledge Encryption

      • Master password protection

  2. Local Password Managers:

    • Popular options:

      • KeePass

      • KWalletManager

      • Pleasant Password Server

      • Password Safe

    • Features:

      • Local storage

      • No third-party dependency

      • Complete control over database

Core Features to Consider

  • 2FA support

  • Multi-platform compatibility

  • Browser extension availability

  • Autocomplete functionality

  • Import/export capabilities

  • Password generation tools

Alternative Authentication Methods

Passwordless Options

  • Multi-factor Authentication (MFA)

  • FIDO2 authentication standard

    • Hardware keys (e.g., Yubikey)

  • One-Time Password (OTP)

  • Time-based One-Time Password (TOTP)

  • IP-based restrictions

  • Device Compliance systems:

    • Endpoint Manager

    • Workspace ONE

Major Passwordless Providers

  • Microsoft

  • Auth0

  • Okta

  • Ping Identity

Best Practices Summary

  1. Implement strong password policies

  2. Use password managers for complex password management

  3. Consider modern authentication alternatives

  4. Regularly review and update security measures

  5. Provide user training and support

  6. Monitor and audit password-related security events

PreviousFiles & Archives CrackingNextInteracting with Common Services