Description
Password Usage

Overview
A password is a secret phrase or string of text used to authenticate a user and prove identity in order to gain access to a resource, such as a system, application or data. Passwords are not intended to be shared and should be carefully controlled to prevent unauthorized access to sensitive information.

Guidelines
Passwords used for access to system resources should adhere to the following requirements:
  • A minimum of 10 characters
  • A minimum of one numeric character
  • A minimum of one lower case letter and one upper case letter
  • A minimum of one special character (e.g. @, $, #)
  • Unique with respect to the previous 12 passwords
  • Must not be hard-coded in scripts or configuration files
  • User passwords should be changed at least every 90 days
  • System ID passwords should be changed at least every 12 months
  • Must be changed on first logon
  • A maximum of 5 failed login attempts within a 24-hour period before the account is disabled (until reset by an approved service or administrator)
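The requirements above map directly onto a small enforcement routine. The following Python is an added example (not code from this page or from any product it mentions) that checks a candidate password against the complexity rules, rejects reuse of any of the previous 12 passwords by comparing against salted PBKDF2 hashes rather than stored plaintext, and disables an account on the fifth failed login inside a sliding 24-hour window until an administrator resets it. The special-character set, the PBKDF2 iteration count and the sample passwords are assumptions chosen for the example.

```python
import hashlib
import secrets
from collections import deque
from datetime import datetime, timedelta

# Policy constants taken from the guideline list above.
MIN_LENGTH = 10
HISTORY_DEPTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_WINDOW = timedelta(hours=24)
# Assumed definition of "special character"; adjust to the organization's policy.
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
# Kept low so the example runs quickly; production systems should use a much
# higher work factor (or a memory-hard function such as Argon2).
PBKDF2_ITERATIONS = 50_000


def check_complexity(password):
    """Return the list of guideline rules the candidate violates (empty means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        failures.append("no numeric character")
    if not any(c.islower() for c in password):
        failures.append("no lower case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper case letter")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("no special character")
    return failures


class PasswordHistory:
    """Salted PBKDF2 hashes of the last HISTORY_DEPTH passwords, so reuse can be
    detected without ever storing the old passwords themselves."""

    def __init__(self):
        self._entries = deque(maxlen=HISTORY_DEPTH)  # oldest entry drops off automatically

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def was_used(self, password):
        # Constant-time comparison against every retained hash.
        return any(secrets.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries)

    def record(self, password):
        salt = secrets.token_bytes(16)
        self._entries.append((salt, self._digest(password, salt)))


def change_password(history, new_password):
    """Apply the complexity and history rules; returns (accepted, list_of_reasons)."""
    failures = check_complexity(new_password)
    if history.was_used(new_password):
        failures.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    if failures:
        return False, failures
    history.record(new_password)
    return True, []


class LoginTracker:
    """Sliding 24-hour window over failed logins: the account is disabled on the
    fifth failure inside the window and stays disabled until an administrator resets it."""

    def __init__(self):
        self.failures = deque()
        self.disabled = False

    def record_failure(self, at):
        """Record a failed login at datetime `at`; returns True if the account is now disabled."""
        self.failures.append(at)
        # Drop failures that have fallen out of the window.
        while self.failures and at - self.failures[0] > LOCKOUT_WINDOW:
            self.failures.popleft()
        if len(self.failures) >= MAX_FAILED_ATTEMPTS:
            self.disabled = True
        return self.disabled

    def admin_reset(self):
        """Only an approved service or administrator re-enables the account."""
        self.failures.clear()
        self.disabled = False


if __name__ == "__main__":
    history = PasswordHistory()
    for candidate in ("Troubador123", "Tr0ub4dor&3x", "Tr0ub4dor&3x"):  # constructed samples
        print(candidate, change_password(history, candidate))
    tracker = LoginTracker()
    start = datetime(2018, 2, 23, 9, 0)
    for i in range(MAX_FAILED_ATTEMPTS):
        print("failure", i + 1, "disabled:", tracker.record_failure(start + timedelta(minutes=i)))
```

The history check is the part most often skipped in home-grown implementations: keeping hashes with a fresh salt per entry means a compromise of the history store does not hand out the user's last twelve passwords, and a bounded deque gives the "previous 12" rule for free.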
For users and devices that need to authenticate to Windows-based Active Directory (AD), most password settings can be configured via an AD domain and Group Policy. AD, or an equivalent LDAP solution, is the most efficient mechanism for configuring and enforcing password controls consistently across a large number of devices to meet the organization's policy. For example, the system can automatically notify users when a password is due to change and/or when a proposed new password does not meet the password policy.

System accounts used for privileged access (e.g. root, Administrator) should have additional controls in place to govern password usage. Privileged system accounts should also not be used for day-to-day system administration, because a shared privileged account provides no accountability for who performed an action. To help control usage of privileged accounts, a password repository or "vault" can be used. A password vault can ensure that a privileged account password is used only after authorization by the system or data owner, for a limited timeframe and with a recorded justification (e.g. a production system outage), and that it is changed before/after each use. The vault should also record who checked out the privileged account, to ensure accountability. An alternative control and best practice is to use separate Administrator or "super user" accounts that are owned by an individual, which improves auditing of system access, accountability and forensic capability.
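The vault controls described in this paragraph, as an added Python example that is not from this page or from any vault product: a minimal check-out/check-in model in which a privileged account's password is released only with the owner's approval and a justification, is held under a time-limited lease, is recorded against the person who checked it out, and is rotated when the account is returned or the lease lapses. The account and user names, the two-hour lease and the generated-password alphabet are constructed for the example.

```python
import secrets
import string
from datetime import datetime, timedelta

# Constructed policy values for the example.
MAX_LEASE = timedelta(hours=2)
GENERATED_LENGTH = 24
SPECIALS = "!@#$%^&*"


def generate_password(length=GENERATED_LENGTH):
    """Random password that always contains a digit, lower, upper and special character."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.isdigit() for c in candidate) and any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate) and any(c in SPECIALS for c in candidate)):
            return candidate


class PrivilegedAccountVault:
    """Check-out / check-in of one privileged account's password with the controls
    named above: owner authorization, justification, time-limited lease, an audit
    trail of who holds the account, and rotation after each use."""

    def __init__(self, account, owner):
        self.account = account
        self.owner = owner          # system or data owner who must approve each use
        self._password = generate_password()
        self._lease = None          # (holder, expires) while checked out
        self.audit = []             # append-only record of every event

    def _log(self, event, who, at, **details):
        self.audit.append(dict(event=event, account=self.account, who=who, at=at, **details))

    def checkout(self, requester, approver, justification, now):
        """Release the current password to `requester` if the owner approved and nobody holds it."""
        if approver != self.owner:
            self._log("checkout_denied", requester, now, reason="not approved by owner")
            raise PermissionError("checkout must be approved by the account owner")
        if not justification.strip():
            raise ValueError("a justification is required")
        if self._lease is not None:
            holder, expires = self._lease
            if now < expires:
                raise RuntimeError(f"account is already checked out by {holder}")
            # Lease lapsed without a check-in: rotate so the stale copy is useless.
            self._password = generate_password()
            self._lease = None
            self._log("lease_expired", holder, now)
        expires = now + MAX_LEASE
        self._lease = (requester, expires)
        self._log("checkout", requester, now, approver=approver,
                  justification=justification, expires=expires)
        return self._password

    def checkin(self, requester, now):
        """Return the account; the password is rotated so the released value is dead."""
        if self._lease is None or self._lease[0] != requester:
            raise PermissionError(f"no active lease for {requester}")
        self._lease = None
        self._password = generate_password()
        self._log("checkin_and_rotate", requester, now)

    def holder(self, now):
        """Who currently holds the account, or None if the lease expired or was returned."""
        if self._lease is not None and now < self._lease[1]:
            return self._lease[0]
        return None

    def is_current(self, candidate):
        """True if `candidate` is the password currently set on the account."""
        return secrets.compare_digest(candidate, self._password)


if __name__ == "__main__":
    vault = PrivilegedAccountVault("root@db01", owner="dbowner")   # constructed names
    t0 = datetime(2017, 7, 27, 10, 0)
    pw = vault.checkout("alice", "dbowner", "production system outage", t0)
    vault.checkin("alice", t0 + timedelta(minutes=30))
    print("old password still valid:", vault.is_current(pw))
    for entry in vault.audit:
        print(entry["at"], entry["event"], entry["who"])
```

The audit list is what gives a shared privileged account the accountability the paragraph asks for: every release is tied to a named requester, approver and justification, and rotation on check-in (or on a lapsed lease) means a password copied out during one outage cannot be reused quietly during the next.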

Special note regarding password rotation: many organizations have been limited to a blanket policy that enforces the same password controls for both system and user accounts. Although this is highly effective for enforcing user access password policy, it can impose a significant cost burden on organizations when system passwords must be changed. Why? Many solutions integrate system account authentication with multiple systems and tiers of applications, which makes changing those passwords more time-consuming and expensive, and mistakes can degrade application availability. Alternatively, monitoring and restricting system account access, as mentioned above, may be more effective controls. Applications should also be deployed on highly available and redundant systems (e.g. primary and secondary), each with separate accounts, so that configuration and password changes can be managed during specified maintenance windows.


Topic Category
Access Control
 
News Articles
500 Million Breached Passwords Released by Researcher to Help Organizations Protect Their Systems (www.tripwire.com, 2/23/2018)
Reddit rolls out 2FA to all its users (www.tripwire.com, 1/25/2018)
Lifestyle pin-up site Pinterest: Hack attempts blamed on 'credential stuffing' (www.theregister.co.uk, 12/11/2017)
Hackers reveal leading enterprise security blind spots (www.zdnet.com, 9/19/2017)
Scottish Parliament Targeted by Brute Force Attackers (www.tripwire.com, 8/16/2017)
Freelancer.com alerts users to recycled compromised credentials in its database (www.zdnet.com, 7/28/2017)
An internet-connected fish tank let hackers into a casino’s network (www.helpnetsecurity.com, 7/27/2017)
Blame shoddy security for UK parliament hack, says report (www.zdnet.com, 7/6/2017)
Virgin Media tells 800,000 customers to change passwords after routers found vulnerable to hackers (www.zdnet.com, 6/23/2017)
Shift in password strategy from NIST (www.scmagazine.com, 5/22/2017)
LastPass now supports 2FA auth, completely undermines 2FA auth (www.theregister.co.uk, 5/19/2017)
Apple iCloud hack threat gets worse: Here's what we've learned (www.zdnet.com, 3/28/2017)
Facebook gets physical for safer logins (www.helpnetsecurity.com, 1/27/2017)
Password-free security uses voice, user behavior to verify identity (www.computerworld.com, 1/26/2017)
Researchers propose a way to use your heartbeat as a password (www.computerworld.com, 1/20/2017)
Unprotected MongoDB Databases Wiped and Held for Ransom by Attacker (www.tripwire.com, 1/4/2017)
Groupon frauds blamed on third-party password breaches (www.theregister.co.uk, 12/22/2016)
KFC Urges Users to Change Passwords After Attack against Website (www.tripwire.com, 12/13/2016)
LastPass brings free password management to all your devices (www.zdnet.com, 11/2/2016)
43+ million users affected by confirmed Weebly breach (www.helpnetsecurity.com, 10/21/2016)
Clinton campaign chief’s Twitter, iCloud accounts hijacked (www.helpnetsecurity.com, 10/14/2016)
IoT botnet highlights the dangers of default passwords (www.computerworld.com, 10/3/2016)
Yahoo uncovered breach after probing a black market sale (www.computerworld.com, 9/23/2016)
Change your password! Yahoo confirms data breach of 500 million accounts (nakedsecurity.sophos.com, 9/23/2016)
Dropbox commended for its handling of massive data breach involving 68M users (www.scmagazine.com, 8/31/2016)
Sony enables two-factor authentication for PlayStation (www.scmagazine.com, 8/26/2016)
Dropbox prompts users to reset old passwords (www.zdnet.com, 8/26/2016)
'Password attacks' continue; Citrix becomes latest victim (www.scmagazine.com, 6/20/2016)
Twitter locks some accounts after passwords exposed (www.computerworld.com, 6/10/2016)
Facebook, Netflix trigger password resets in wake of recent hacks (www.zdnet.com, 6/7/2016)
Mark Zuckerberg's Twitter and Pinterest password was 'dadada' (www.theregister.co.uk, 6/6/2016)
Password Re-user? Get Ready to Get Busy (krebsonsecurity.com, 6/6/2016)
Password reuse bot steals creds from weak sites, logs in to banks (www.theregister.co.uk, 5/24/2016)
Google wants to kill off passwords for logging into your Android smartphone (www.zdnet.com, 5/24/2016)
Beware: the password testing tool that saved and shared your passwords (nakedsecurity.sophos.com, 3/31/2016)
Anyone could pull off a LostPass phishing attack to get all your LastPass passwords (www.networkworld.com, 1/17/2016)
Fitbit users fall victim to account takeovers. Don’t reuse passwords! (nakedsecurity.sophos.com, 1/11/2016)
LastPass 4.0 gives others access to your password vault in emergencies (www.zdnet.com, 1/5/2016)
Google tries again to kill the password, tests new auth idea via your phone (www.computerworld.com, 12/23/2015)
Amazon force-resets some account passwords, citing password leak (www.zdnet.com, 11/24/2015)
Snapchat steps up its security with login verification (nakedsecurity.sophos.com, 6/11/2015)
This Hacked Kids’ Toy Opens Garage Doors in Seconds (www.wired.com, 6/4/2015)
Hackers are draining bank accounts via the Starbucks app (money.cnn.com, 5/13/2015)
Google updates Password Alert to block attack that mutes phishing warnings (www.zdnet.com, 5/1/2015)
Update: Credit card terminals have used same password since 1990s (www.computerworld.com, 4/23/2015)
Puush urges users to change passwords after cyber attack (www.scmagazine.com, 3/30/2015)
Microsoft wants to kill passwords with biometric authentication in Windows 10 (www.computerworld.com, 3/18/2015)
A New, Simple Way to Log In (yahoo.tumblr.com, 3/15/2015)
Windows 10 will work with FIDO specs for password-free access, says Microsoft (nakedsecurity.sophos.com, 2/18/2015)
Apple's "two-step" security now protects iMessage and FaceTime, too (nakedsecurity.sophos.com, 2/13/2015)
Taylor Swift's Twitter and Instagram accounts hacked (nakedsecurity.sophos.com, 1/28/2015)
Password Re-use Fuels Starwood Fraud Spike (krebsonsecurity.com, 1/22/2015)
Security group plans for a future without passwords (www.computerworld.com, 12/9/2014)
Strengthening 2-Step Verification with Security Key (googleonlinesecurity.blogspot.com, 10/21/2014)
Apple implements two-factor authentication (www.scmagazine.com, 9/17/2014)
Gmail users urged to change passwords after apparent attack (www.computerworld.com, 9/10/2014)
JLaw, Kate Upton exposed in celeb nude pics hack (www.theregister.co.uk, 8/31/2014)
Who needs hackers? 'Password1' opens a third of all biz doors (www.theregister.co.uk, 8/15/2014)
Survey: 53 percent change privileged logins quarterly (www.scmagazine.com, 7/25/2014)
Obamacare enrollees urged to change passwords over Heartbleed bug (www.cnbc.com, 4/21/2014)
5 biometric alternatives to the password (www.cnn.com, 4/4/2014)
Google acquires password sounds startup SlickLogin (news.cnet.com, 2/17/2014)
PayPal 'n' Google's FIDO drops 'simpler, stronger' secure login spec (www.theregister.co.uk, 2/12/2014)
Multifactor authentication extended to all Office 365 users (news.cnet.com, 2/10/2014)
Change your passwords: Comcast hushes, minimizes serious hack (www.zdnet.com, 2/9/2014)
Yahoo Mail accounts breached with stolen passwords (news.yahoo.com, 1/30/2014)
Syrian Electronic Army Hacks CNN Social Media, Microsoft Transparency Data (threatpost.com, 1/27/2014)
Botnet PC armies gulp down 16 MILLION logins from around the web: Find out if you're a victim (www.theregister.co.uk, 1/22/2014)
SEA hijacks Microsoft Twitter accounts, Xbox support blog and Technet (nakedsecurity.sophos.com, 1/14/2014)
CES 2014: A Technological Assault on the Password (www.technologyreview.com, 1/8/2014)
Reusing Passwords Across Social Media Sites: Don't Do That! (securitywatch.pcmag.com, 1/7/2014)
Narrative-Based Authentication Latest Proposed Alternative to Passwords (threatpost.com, 1/6/2014)
Microsoft Adds New Security Features to Accounts (threatpost.com, 12/10/2013)
Google eyes password-free authentication in Chrome OS (news.cnet.com, 12/10/2013)
Buffer launches two-factor authentication after breach (www.zdnet.com, 11/26/2013)
GitHub accounts with feeble passwords fall to brute force attack (www.zdnet.com, 11/20/2013)
Facebook mines Adobe breach data for reused passwords, warns users to change them or disappear (www.zdnet.com, 11/12/2013)
Just how bad are the top 100 passwords from the Adobe hack? (Hint: think really, really bad) (www.zdnet.com, 11/4/2013)
Lessons to learn from the MongoHQ database breach (nakedsecurity.sophos.com, 10/31/2013)
Microsoft's swipe'n'swirl pic passwords LESS secure than PINs, warn researchers (www.theregister.co.uk, 9/13/2013)
Yahoo's Mayer gives phone passcodes a pass (news.cnet.com, 9/11/2013)
Apple Announces iPhone 5s—The Most Forward-Thinking Smartphone in the World (www.apple.com, 9/10/2013)
Password breaker successfully tackles 55 character sequences (www.zdnet.com, 8/27/2013)
Anatomy of a brute force attack - how important is password complexity? (nakedsecurity.sophos.com, 8/16/2013)
Fort Disco Brute-Force Attack Campaign Targets CMS Websites (threatpost.com, 8/7/2013)
Researchers able to predict Apple iOS-generated hotspot passwords (www.zdnet.com, 6/18/2013)
Google security: You (still) are the weakest link (news.cnet.com, 5/16/2013)
Weak, Easy-to-Remember Passwords a Familiar Crutch for Users (threatpost.com, 5/16/2013)
Are you Hackable or Uncrackable? “Password Day” is Today! (blogs.mcafee.com, 5/7/2013)
Do unseen passwords really need masking? (www.zdnet.com, 5/6/2013)
Report: Twitter warns news outlets to be on guard against account takeover attempts (www.scmagazine.com, 4/30/2013)
Hackers send bogus tweets from '60 Minutes' account (news.cnet.com, 4/20/2013)
Microsoft Account Gets More Secure (blogs.technet.com, 4/17/2013)
Missouri Court Rules Against $440,000 Cyberheist Victim (krebsonsecurity.com, 3/26/2013)
Apple pulls iForgot password recovery system over security bug (www.theregister.co.uk, 3/23/2013)
Password's rotten core not complexity but reuse (www.zdnet.com, 3/22/2013)
Apple adds two-factor authentication to Apple ID (www.zdnet.com, 3/22/2013)
One password cracked and your business is history (www.zdnet.com, 3/19/2013)
What 420,000 insecure devices reveal about Web security (news.cnet.com, 3/18/2013)
Evernote Forces Password Reset for 50M Users (krebsonsecurity.com, 3/2/2013)
Dropbox users getting spammed, might be from earlier hack (news.cnet.com, 2/28/2013)
Biometric USB password key worthy of 'Mission: Impossible' (news.cnet.com, 2/20/2013)
Change your passwords: Comcast hushes, minimizes serious hack (www.zdnet.com, 2/9/2013)
Twitter clients stay signed in with pre-breach passwords (www.theregister.co.uk, 2/4/2013)
Twitter breach leaks emails, passwords of 250,000 users (www.theregister.co.uk, 2/2/2013)
Spammers joyride Doctor Who's Twitter TARDIS, turn man into Shirley Temple (www.theregister.co.uk, 1/28/2013)
Scottish Power blows a fuse after Twitter hijacking (www.theregister.co.uk, 1/25/2013)
Passwords hanging around like an ugly old dorm couch (www.zdnet.com, 1/10/2013)
Exploring the Market for Stolen Passwords (krebsonsecurity.com, 12/26/2012)
GPU cluster can crack any NTLM 8-character hashed password in 5.5 hours (www.infosecurity-magazine.com, 12/10/2012)
GPU-stuffed monster cracks Windows passwords in minutes (www.theregister.co.uk, 12/7/2012)
Debunking RIM's BlackBerry 10 password 'blacklist'; enterprise security still a top priority (www.zdnet.com, 12/7/2012)
Who's using 'password' as a password? TOO MANY OF YOU (www.theregister.co.uk, 12/3/2012)
Hexing MAC address reveals Wifi passwords (www.theregister.co.uk, 11/23/2012)
Skype Restores Password Resets, Repairs Flaw that Allows Account Hijacking (threatpost.com, 11/14/2012)
Twitter user passwords reset after accounts breached (www.zdnet.com, 11/8/2012)
With weak passwords continuing, blame turns to security pros (www.csoonline.com, 10/25/2012)
Fighting Hackers: Everything You’ve Been Told About Passwords Is Wrong (www.wired.com, 10/18/2012)
Gizmodo's Twitter account hacked (www.zdnet.com, 8/4/2012)
Employee password reuse behind Dropbox spam outbreak (www.scmagazine.com, 8/1/2012)
Homeland Security warns of hackers targeting popular Niagara software (www.washingtonpost.com, 7/13/2012)
25 most-used passwords revealed: Is yours one of them? (www.zdnet.com, 6/8/2012)
Hacker Claims He Stole 4.5M LinkedIn Password Hashes (www.wired.com, 6/6/2012)
LinkedIn password breach: How to tell if you're affected (www.zdnet.com, 6/6/2012)
Police called after Romney's email and Dropbox accounts cracked (www.theregister.co.uk, 6/6/2012)
Google to Warn Possible Victims of State-Sponsored Spying (www.wired.com, 6/5/2012)
Utah CIO Steve Fletcher Resigns, State Promises Security Reforms (www.govtech.com, 5/15/2012)
Zappos customer data accessed in security breach (news.cnet.com, 1/15/2012)
Another PlayStation Network breach stings Sony customers (www.scmagazineus.com, 10/12/2011)
DigiNotar Files for Bankruptcy in Wake of Devastating Hack (www.wired.com, 9/20/2011)
Policies
Password Management Policy