4.6.5 Password Concepts
Best practices, managers, passwordless.
Password concepts involve the technical and administrative controls used to ensure that secret strings used for authentication remain secure, complex, and resistant to compromise.
Password Security Fundamentals Security professionals must balance usability with strong technical enforcement to prevent unauthorized access. - Length and Complexity: Passwords should be long (12+ characters) and include a mix of uppercase, lowercase, numbers, and symbols to increase entropy. - Complexity Escalation: Systems should be configured to reject common sequences (e.g., "12345") or easily guessable patterns like "Password1". - Dictionary Avoidance: Users must avoid words found in the dictionary, as attackers use automated tools to test millions of known words and variations. - Rotation and Expiration: Policies often require users to change passwords periodically to limit the lifespan of a potentially compromised credential. - Hashing: Systems should never store passwords in plaintext. Instead, they store a cryptographic hash (e.g., MD5 or SHA-256). When a user logs in, the system hashes the input and compares it to the stored value.
Common Password Attacks Attackers exploit human behavior and computational power to bypass authentication. - Dictionary Attack: Uses a pre-defined list of common words, phrases, and "leaked" passwords to find a match against a hash. - Brute Force: A systematic attempt to try every possible combination of characters. - Spraying: Attempting one or two common passwords (like "Summer2023!") against many different user accounts to avoid account lockout triggers.
Password Management Tools Managing dozens of unique, complex passwords is impossible for most humans, necessitating technical aids. - Password Vaults/Managers: Applications like Bitwarden or KeePass store encrypted credentials in a database. The user only needs to remember one strong master key. - Passwordless Authentication: Modern approaches move away from "something you know" entirely, using FIDO2 keys, biometrics, or magic links to verify identity without a traditional password.
Administrative Best Practices - No Sharing/Writing: Enforce policies against sharing credentials or writing them on sticky notes ("post-it" security). - Physical Audits: Periodically check work areas for written passwords. - Credential Testing: With management approval, admins should occasionally run password cracking software against their own hash files to identify weak accounts. - MFA Transition: Because passwords are easily cracked or Phished, they should be supplemented with Multifactor Authentication (MFA).
Quick Recall - MD5 Hash: A 32-character hexadecimal string; if you see this in a database, the password is obscured but the algorithm is considered weak. - Entropy: A measure of password unpredictability; longer is generally better than shorter/complex. - Something you know: The primary authentication factor category for passwords. - Account Lockout: A technical control that thwarts brute force by freezing an account after N failed attempts.