Added explanations for creating and storing passwords.
committed by Nanne Baars
parent 72e13889d0
commit 94b936036a
			| @ -14,4 +14,12 @@ | |||||||
|     <div class="adoc-content" th:replace="doc:SecurePasswords_2.adoc"></div> |     <div class="adoc-content" th:replace="doc:SecurePasswords_2.adoc"></div> | ||||||
| </div> | </div> | ||||||
|  |  | ||||||
|  | <div class="lesson-page-wrapper"> | ||||||
|  |     <div class="adoc-content" th:replace="doc:SecurePasswords_3.adoc"></div> | ||||||
|  | </div> | ||||||
|  |  | ||||||
|  | <div class="lesson-page-wrapper"> | ||||||
|  |     <div class="adoc-content" th:replace="doc:SecurePasswords_4.adoc"></div> | ||||||
|  | </div> | ||||||
|  |  | ||||||
| </html> | </html> | ||||||
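Review bot: the two new `lesson-page-wrapper` blocks reference `SecurePasswords_3.adoc` and `SecurePasswords_4.adoc`, but the rendered diff does not show the paths of the two new files added in this commit (the `@@ -0,0 +1,19 @@` and `@@ -0,0 +1,33 @@` hunks). Confirm they are named exactly that, since a `th:replace` pointing at a document that does not exist would leave the new lesson pages empty or broken.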
| @ -1 +1 @@ | |||||||
| secure-passwords.title=Secure Passwords | secure-passwords.title=Secure Passwords | ||||||
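Review bot: this hunk shows no visible change to `secure-passwords.title=Secure Passwords`, so it is most likely a trailing-newline or whitespace-only edit. Confirm that it is intentional (for example adding the missing newline at end of file) and not an accidental line-ending change.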
| @ -2,6 +2,7 @@ | |||||||
|  |  | ||||||
| The NIST password standard (also known as the https://pages.nist.gov/800-63-3/sp800-63b.html[Special Publications (SP) 800-series]) is a guideline that provides recommendations for implementing secure password systems. | The NIST password standard (also known as the https://pages.nist.gov/800-63-3/sp800-63b.html[Special Publications (SP) 800-series]) is a guideline that provides recommendations for implementing secure password systems. | ||||||
|  |  | ||||||
|  | === Password rules | ||||||
| Here are some of the most important recommendations made by the most recent NIST standard: | Here are some of the most important recommendations made by the most recent NIST standard: | ||||||
|  |  | ||||||
| - *no composition rules* + | - *no composition rules* + | ||||||
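Review bot: the new `=== Password rules` heading is placed directly above `Here are some of the most important recommendations...` without a blank line between them. AsciiDoc renders this, but the `=== Usability` heading added later in this same file is followed by a blank line; use the same spacing here for consistency.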
| @ -26,4 +27,16 @@ Here are some of the most important recommendations made by the most recent NIST | |||||||
|   * passwords obtained from previous breach corpuses |   * passwords obtained from previous breach corpuses | ||||||
|   * dictionary words |   * dictionary words | ||||||
|   * repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’) |   * repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’) | ||||||
|   * context-specific words, such as the name of the service, the username, and derivatives thereof |   * context-specific words, such as the name of the service, the username, and derivatives thereof | ||||||
|  |  | ||||||
|  | === Usability | ||||||
|  |  | ||||||
|  | Besides the recommendations above, the NIST standard also recommends to increase the usability of password forms to increase the likelihood of users choosing a strong and secure password. Some of those are: | ||||||
|  |  | ||||||
|  | - *allow pasting into the password input* + | ||||||
|  |   Users should be able to use the "paste" functionality when entering a password. | ||||||
|  |   Since this facilitates the use of password managers, it also increases the likelihood that the user will choose a strong password. | ||||||
|  | - *allow to display the password* + | ||||||
|  |   Password inputs should have an option to display the entered password to assist the user in successfully entering a password. | ||||||
|  | - *offer a strength meter* + | ||||||
|  |   Add a strength meter on the password creation page to help the user to choose a strong and secure password. | ||||||
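Review bot: a few grammar fixes in the new text: "recommends to increase the usability of password forms" should read "recommends increasing the usability of password forms", "allow to display the password" should read "allow displaying the password", and "Some of those are:" is clearer as "Some of these recommendations are:".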
| @ -0,0 +1,19 @@ | |||||||
|  | == Are your passwords secure? | ||||||
|  |  | ||||||
|  | What about you? Are your passwords secure? | ||||||
|  |  | ||||||
|  | There are websites that allow to test if one of your accounts got breached in a past data breach. + | ||||||
|  | Go to https://haveibeenpwned.com/Passwords[Have I Been Pwned] or https://www.dehashed.com/[DEHASHED] per example and test if your account got breached. | ||||||
|  | If so, better change your passwords *right now*! | ||||||
|  |  | ||||||
|  | === What can you do to improve security of your account? | ||||||
|  | - *use different passwords for different accounts* + | ||||||
|  |   It is a good thing to NOT use the same password for multiple accounts but rather to use different passwords for each one. | ||||||
|  |   * *use passphrases* + | ||||||
|  |   Use passphrase generators like https://www.rempe.us/diceware/#eff[Diceware] to generate passphrases. | ||||||
|  |   Passphrases are passwords made out of a number of words instead of randomly generated character sequences. | ||||||
|  |   This makes them way easier to remember for us human beings. And by the way: The longer the better! | ||||||
|  |   * *use a password manager* + | ||||||
|  |   If you can't remember all of your different passwords, use a password manager to create an then securely store your passwords. | ||||||
|  | - *use two factor authentication* + | ||||||
|  |   If possible, use two factor authentication methods to add an extra layer of security to your accounts. | ||||||
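Review bot: the list structure in this page is inconsistent: "*use passphrases*" and "*use a password manager*" use an indented `*` bullet, which AsciiDoc renders as a nested list under "use different passwords for different accounts", while "*use two factor authentication*" is a top-level `-` item. All four read as peers, so use `-` for each. Also, the Have I Been Pwned link points to the `/Passwords` page, which checks whether a password appears in a breach corpus, while the sentence says "test if your account got breached"; either link the account search or reword the sentence to match. Minor typos: "allow to test" should be "allow you to test", "per example" should be "for example", and "create an then securely store" should be "create and then securely store".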
| @ -0,0 +1,33 @@ | |||||||
|  | == Storing passwords | ||||||
|  |  | ||||||
|  | After a strong and secure password was created, it also has to be stored in a secure way. | ||||||
|  | The NIST gives recommendations on how applications should handle passwords and how to store them securely. | ||||||
|  |  | ||||||
|  | === How should a password be stored? | ||||||
|  |  | ||||||
|  | - first of all: *use encryption and a protected channel for requesting passwords* + | ||||||
|  |   The verifier shall use approved encryption and an authenticated protected channel when requesting memorized secrets | ||||||
|  |   in order to provide resistance to eavesdropping and MitM (Man-in-the-middle) attacks. | ||||||
|  | - *resistant to offline attacks* + | ||||||
|  |   Passwords should be stored in a form that is resistant to offline attacks. | ||||||
|  | - *use salts* + | ||||||
|  |   Passwords should be salted before storing them. | ||||||
|  |   The salt shall have at least 32 bits in length and should be chosen arbitrarily so as to minimize salt value collisions among stored hashes. | ||||||
|  | - *use hashing* + | ||||||
|  |   Before storing a password it should be hashed with a one way key derivation function. | ||||||
|  |   The function takes the password, the salt and a cost factor as inputs and then generates a password hash. + | ||||||
|  |   Examples of suitable key derivation functions: | ||||||
|  |   * Password-based Key Derivation Function 2 (https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132[PBKDF2]) (as large as possible => at least 10.000 iterations) | ||||||
|  |   * https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132[BALLOON] | ||||||
|  |   * The key derivation function shall use an approved one-way function such as: | ||||||
|  |     ** Keyed Hash Message Authentication Code (https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS198-1[HMAC]) | ||||||
|  |     ** any approved hash function in https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-107[SP 800-107] | ||||||
|  |     ** Secure Hash Algorithm 3 (https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS202[SHA-3]) | ||||||
|  |     ** https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-38B[CMAC] | ||||||
|  |     ** Keccak Message Authentication Code (KMAC) | ||||||
|  |     ** Customizable SHAKE (cSHAKE) | ||||||
|  |     ** https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-185[ParallelHash] | ||||||
|  | - *memory hard key derivation function* + | ||||||
|  |   Use memory hard key derivation functions to further increase the needed cost to perform attacks. | ||||||
|  | - *high cost factor* + | ||||||
|  |   The cost factor (iteration count) of the key derivation function should be as large as verification server performance will allow. (at least 10.000 iterations) | ||||||
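Review bot: the `BALLOON` link uses the anchor `#SP800-132`, the same one used for `PBKDF2` on the line above; Balloon has its own reference in SP 800-63B, so this looks like a copy-paste error and should point at the correct anchor. The iteration count is written as "10.000" in two places (the PBKDF2 bullet and the "high cost factor" bullet); in English text this reads as ten, so write "10,000". Structurally, "The key derivation function shall use an approved one-way function such as:" is listed as a third item under "Examples of suitable key derivation functions" alongside PBKDF2 and BALLOON, but it is a requirement on the underlying hash rather than an example KDF; move it out to its own bullet.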
| @ -1,9 +1,8 @@ | |||||||
| == Secure Passwords | == Secure Passwords | ||||||
| In this lesson the user will learn about how to create secure passwords. | In this lesson the user will learn about how to create strong passwords and how to store them in a secure way. | ||||||
| We will take a look at most important recommendations made by the NIST password standard. | We will take a look at most important recommendations made by the NIST password standard. | ||||||
|  |  | ||||||
| Goals: | Goals: | ||||||
|  |  | ||||||
| - The user knows how a secure password should look like and what specifications it should fulfill | - The user knows how a strong password should look like and what specifications it should fulfill | ||||||
| - The user has a basic understanding of how to implement a secure password system | - The user has a basic overview of what to pay attention to when developing an application that stores passwords | ||||||
|  |  | ||||||
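Review bot: two wording fixes in the updated goals: "how a strong password should look like" should read "what a strong password should look like", and "most important recommendations made by the NIST password standard" should read "the most important recommendations made by the NIST password standard".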