Audio version of the article
Authentication information such as passwords, encryption keys, and card chips are the gateway to information systems that host sensitive information assets.Poor management or improper allocation of authentication information may result in unauthorized access to information systems and in loss of confidentiality, availability, and integrity of sensitive information assets.Research shows that 30% of all data breaches occur as a result of weak passwords or poor password management practices.Therefore, organisations should have a robust authentication information management process in place to allocate, manage and protect authentication information. Organisations must properly allocate and manage authentication information, eliminate risks of failure in the authentication process and prevent security risks that may arise due to compromise of authentication information.Authentication management is an important practice for an organisation. One of the most effective methods of information security breaches is the circumvention of the authentication process. Therefore, it is crucial that organisation considers aspects such as:
- Non Guessable, Unique Password and Personal Identification number (PINS) generated automatically.
- Procedure to identify and verify the temporary and permanent Authentication Methods
- Authentication Information Transferred to a secure location using a secure manner.
- Dodgy Authentication Devices and methods to be removed from the system.
It is beneficial for the organisation to record the details of authentication methods in a well-structured document. Identifying the responsibilities of the users and all relevant authentication methods.
Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information.
To ensure proper entity authentication and prevent failures of authentication processes.
ISO 27001 Implementation Guidance
Allocation of authentication information
The allocation and management process should ensure that:
a) personal passwords or personal identification numbers (PINs) generated automatically during enrollment processes as temporary secret authentication information are non-guessable and unique for each person, and that users are required to change them after the first use;
b) procedures are established to verify the identity of a user prior to providing new, replacement or temporary authentication information;
c) authentication information, including temporary authentication information, is transmitted to users in a secure manner (e.g. over an authenticated and protected channel) and the use of unprotected (clear text) electronic mail messages for this purpose is avoided;
d) users acknowledge receipt of authentication information;
e) default authentication information as predefined or provided by vendors is changed immediately following installation of systems or software;
f) records of significant events concerning allocation and management of authentication information are kept and their confidentiality is granted, and that the record-keeping method is approved (e.g. by using an approved password vault tool).
Any person having access to or using authentication information should be advised to ensure that:
a) secret authentication information such as passwords are kept confidential. Personal secret authentication information is not to be shared with anyone. Secret authentication information used in the context of identities linked to multiple users or linked to non-personal entities are solely shared with authorized persons;
b) affected or compromised authentication information is changed immediately upon notification of or any other indication of a compromise;
c) when passwords are used as authentication information, strong passwords according to best practice recommendations are selected, for example:
- passwords are not based on anything somebody else can easily guess or obtain using person- related information (e.g. names, telephone numbers and dates of birth);
- passwords are not based on dictionary words or combinations thereof;
- use easy to remember passphrases and try to include alphanumerical and special characters;
- passwords have a minimum length;
d) the same passwords are not used across distinct services and systems;
e) the obligation to follow these rules is also included in terms and conditions of employment .
Password management system
When passwords are used as authentication information, the password management system should:
a) allow users to select and change their own passwords and include a confirmation procedure to address input errors;
b) enforce strong passwords according to good practice recommendations of “User responsibilities;
c) force users to change their passwords at first login;
d) enforce password changes as necessary, for example after a security incident, or upon termination or change of employment when a user has known passwords for identities that remain active (e.g. shared identities);
e) prevent re-use of previous passwords;
f) prevent the use of commonly-used passwords and compromised usernames, password combinations from hacked systems;
g) not display passwords on the screen when being entered;
h) store and transmit passwords in protected form.Password encryption and hashing should be performed according to approved cryptographic techniques for passwords
Passwords or passphrases are a commonly used type of authentication information and are a common means of verifying a user’s identity. Other types of authentication information are cryptographic keys,data stored on hardware tokens (e.g. smart cards) that produce authentication codes and bio metric data such as iris scans or fingerprints. Additional information can be found in the ISO series. Requiring frequent change of passwords can be problematic because users can get annoyed by the frequent changes, forget new passwords, note them down in unsafe places, or choose unsafe passwords. Provision of Single Sign On (SSO) or other authentication management tools (e.g. password vaults) reduces the amount of authentication information that users are required to protect and can thereby increase the effectiveness of this control. However, these tools can also increase the impact of disclosure of authentication information. Some applications require user passwords to be assigned by an independent authority. In such cases, a), c) and d) of “Password management system” do not apply.
Guidance on Allocation of Authentication Information
Secret authentication information is a gateway to access valuable assets. It typically includes passwords, encryption keys etc. so needs to be controlled through a formal management process and needs to be kept confidential to the user. This is usually tied into employment contracts , disciplinary processes and supplier obligations if sharing with external parties. Procedures should be established to verify the identity of a user prior to providing new, replacement or temporary secret authentication information. Any default secret authentication information provided as part of a new system use should be changed as soon as possible. Organisations should comply with the following six requirements for allocation and management of authentication information:
- When personal passwords or personal identification numbers are generated automatically for enrollment of new users, they should be non-guessable. Furthermore, passwords should be unique to each user and it must be mandatory to change passwords after the first use.
- Organisations should establish robust procedures to authenticate the identity of a user before he/she is granted a new or replacement authentication information or he/she is provided with temporary information.
- Organisations should ensure the secure transmission of authentication information to individuals via secure channels and they should not send this information over insecure electronic messages (e.g clear text).
- Users should confirm the receipt of the authentication information.
- After new IT systems and software programs are installed, organisations should change the default authentication information immediately.
- Organisations should establish and maintain records of all important events related to management and allocation of authentication information. Furthermore, these records should be kept confidential and record-keeping methods should be authorized such as through the use of an approved password tool.
Guidance on User Responsibilities
This is simply about making sure that users follow the policies and will therefore tie in with Human Resource Security for contracts, user education for awareness and compliance, as well as common sense practices.These include: Keep any secret authentication information confidential; Avoid keeping a record of it that can be accessed by unauthorized parties; Change it whenever there is any suggestion of possible compromise; select quality passwords with sufficient minimum length and strength to follow broader password policy controls.Users who can access to and use authentication information should be instructed to comply with the following:
- Users must maintain the confidentiality of secret authentication information such as passwords and should not share such secret information with anyone else. When multiple users are involved in the use of authentication information or the information is linked to non-personal entities, the authentication information should not be disclosed to unauthorized persons.
- Users must change their passwords immediately if the confidentiality of their passwords are compromised.
- Users should select hard-to-guess strong passwords by following industry best practices. For instance:
- Passwords should not be selected based on personal information that is easy to obtain, such as names or dates of birth.
- Passwords should not be created based on anything that can be easily guessed.
- Passwords should not include dictionary words or combinations of these words.
- Alphanumeric and special characters should be used in the password.
- There should be a minimum length for passwords.
- Users should not use the same password for different services.
- Organisations should include the requirements for creation and use of passwords in their employment contracts with their employees.
Users should be made aware of their responsibilities towards protecting their issued credentials, choosing strong passwords and keeping them confidential, and preventing the unauthorized disclosure of sensitive information under their care. The following can be included in the institution’s Acceptable Use of Information Security Policy. Systems should be locked when left unattended Users shall
- Access data in order to comply with the duties of their role or job duties on a need to know basis.
- Not attempt to access data or programs contained on systems for which they do not have authorization or consent.
- Not share their computer/network account, password, personal identification number (PIN), digital certificate, security token (i.e. Smartcard), or any other device used for identification and authorization purposes.
- Not share digital certificate passwords used for digital signatures.
- Not circumvent password entry through the use of auto logon, application “remember password” features, embedded scripts or hard-coded passwords in client software.
- Password-protect their desktops/laptops when left unattended
Guidance on Password Management Systems
The purpose of a password management system is to ensure quality passwords meet the required level and are consistently applied. Password generation and management systems provide a good way of centralizing the provisioning of access and they serve to reduce the risk of people using the same login for everything, as illustrated in this little story of what happens when a customer contacts our team about a forgotten password. As with any control mechanism, password generation and management systems need to be carefully implemented to ensure adequate and proportionate levels of protection. Wherever possible users should be able to choose their own passwords as this makes them easier to remember than machine-generated ones, however, it needs to be up to a certain level of strength. There are lots of conflicting views on password management systems and password policies so we encourage organisations to look at the frequently changing best practices and adopt approaches based on the risk appetite and culture of the organisation. Organisations should comply with the following when establishing a password management system:
- Users should be allowed to create and change their passwords and there should be a confirmation procedure in place to ensure that input errors are identified and resolved.
- Organisations should implement a strong password selection process, taking into account industry best practices for password selection.
- Users should be forced to change their default passwords after they first access a system.
- Password changes should be implemented when it is necessary. For example, password change will be necessary after a security incident or following the termination of an employment with a user if that user has access to passwords.
- Previous passwords should not be reused.
- Use of highly common passwords or compromised passwords or usernames used for access to hacked systems should be prohibited.
- When passwords are entered, they should be visible on the screen in plain text.
- Passwords should be stored and transferred via protected channels and in a secure format.
Furthermore, organisations should perform hashing and encryption techniques in accordance with the authorized cryptography methods for passwords.
It is important to realize that people will share their passwords unless you provide them with some other method of allowing specific individuals to access information in their accounts. For instance, individuals in upper management often ask an administrative assistant to check their e-mail. Also, when people go on vacation, they may need to give someone temporary access to data on their computers, in the e-mail, and on other systems. Password sharing policies should be put in place along with solutions that provide needed functionality with accountability for the shared resource.
Good Password Practices:
- Use strong passwords or long passphrases
- Do NOT write passwords down
- Do NOT share passwords
- Use different passwords for different applications (e.g., work vs personal; shopping, and banking vs casual email and Facebook; applications that contain confidential information vs those that do not, etc.)
What is a Strong Password?
The strength of a password is determined by some restrictions – like minimum length, password age, use of multiple types and special characters, and reuse restrictions – which determines the average number of guesses an attacker must try to guess the password and ease with which the attacker can test the validity of the guessed password. Password entropy is a mathematical way to measure the difficulty of guessing or determining a password. As applied to passwords, guessing entropy is the estimate of the average amount of work needed to guess a password. Min-entropy is the measure of the difficulty of guessing the easiest single password to guess in the population. Password entropy is expressed in bits. If a password of k bits is chosen at random there are 2 to the k exponential possible values and the password is said to have k bits of entropy. If a password of length l characters is chosen at random from an alphabet of b characters (e.g., the 94 printable characters on a typical keyboard) then the entropy of the password is b to the l exponential. See the following InCommon Assurance link for Password Entropy. An example of a reasonably strong password is:
- An attack targeted against the password should have a probability of success of less than 2 to the -14 exponential (i.e., 1 chance in 16,384) over the life of the password.
- Has at least 10 bits of min-entropy
- Has a minimum length of 10 characters
- Does not contain a username, personal name, or organizational name
- Avoids repetition or dictionary words
- Contains a mix of upper and lower case alpha characters
- Has at least 2 non-alpha characters (i.e., numerals and/or special characters)
- Has a password life of 90 days
- Has not been used before (i.e., no password reuse)
To Change or Not to Change Passport ? How Often?
Again, there are as many answers to these questions as there are information security professionals. The argument for changing passwords regularly is that the longer a password remains the same and the more often the same password is used, then it is more likely that the password will be discovered or compromised. Also, the benefit of an “expiration date” on a password is that it limits the amount of time a lost or compromised password can be used by an unauthorized party. The more secure or sensitive information resources, the more frequently passwords should be changed. Conversely, the argument against changing passwords regularly is that strong passwords are reasonably secure and they take longer time and more effort to guess thus making them less likely to be discovered or compromised. Also, it may not be as easy to come up with easy to remember a strong password every 30 or 60 days. Even though there is no “right” or “perfect” answer, the following points are worth considering:
- Password policy should be based on risk, vulnerabilities, and deployed safeguards
- The period of time between changes should be determined by the required strength of the passwords being used
- Password changes make it harder for users to use the same password for multiple services (i.e., forces password “diversity”)
- Periodic password changes, especially when done as a routine, could limit successful phishing attempts since users would know when it is time to change passwords and when it is not.
Password Management Problems: By no means a comprehensive list
- Need (and failure) to remember multiple passwords
- Need (and failure) to remember strong passwords
- The frequency of password change
- Coming up with easy to remember but difficult to hack passwords multiple times per year
- Need to replicate password change to multiple devices or applications
- The sophistication of social engineering and “phishing” attacks
A passphrase is just a different way of thinking about a “secret” or “something you know”. The main difference is that a passphrase is longer. While a usual password is 8 to 10 characters long, a passphrase can be twice as long. Compared to passwords, a passphrase is generally stronger because it is more memorable than passwords thus reducing the need to write them down, they make some types of brute force attacks impractical since they are much longer than passwords, and they make phrase or quote dictionary attacks almost impossible if the passphrase is well constructed.
Guidance on Control 5.17
In addition to passwords, there are other types of authentication information such as cryptographic keys, smart cards and bio metric data such as fingerprints. Organisations are advised to refer to ISO Series for more detailed guidance on authentication information. Considering that frequent change of passwords might be cumbersome and annoying for users, organisations may consider implementing alternative methods such as single sign-on or password vaults. However, it should be noted that these alternative methods may expose authentication information to higher risk of unauthorized disclosure.