parent
32a41debad
commit
b23b428763
@ -1,8 +1,10 @@
|
||||
== National Institute of Standards and Technology (NIST)
|
||||
=== National Institute of Standards and Technology (NIST)
|
||||
|
||||
The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce.
|
||||
|
||||
Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
|
||||
|
||||
NIST develops Federal Information Processing Standards (FIPS) which the Secretary of Commerce approves and with which federal agencies must comply.
|
||||
NIST develops Federal Information Processing Standards (FIPS), which the Secretary of Commerce approves and federal agencies must comply with.
|
||||
|
||||
NIST also provides guidance documents and recommendations through its Special Publications (SP) 800-series.
|
||||
These guidelines often become the foundation for best practice recommendations across the security industry and are incorporated into other standards.
|
||||
|
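Review bot: L34 introduces the SP 800-series as the vehicle for NIST's guidance but never names the document the rest of this lesson draws on; every link in this commit points at pages.nist.gov/800-63-3/sp800-63b.html, so naming it here ("... through its Special Publications (SP) 800-series, such as SP 800-63B") would prevent the later impression that the whole series is "the password standard". The `==` to `===` heading demotion on L11 matches the other headings in this commit and leaves `== Secure Passwords` as the only level-1 title, which is correct.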
@ -1,42 +1,40 @@
|
||||
== NIST password standard
|
||||
=== NIST password standard
|
||||
|
||||
The NIST password standard (also known as the https://pages.nist.gov/800-63-3/sp800-63b.html[Special Publications (SP) 800-series]) is a guideline that provides recommendations for implementing secure password systems.
|
||||
|
||||
=== Password rules
|
||||
==== Password rules
|
||||
Here are some of the most important recommendations made by the most recent NIST standard:
|
||||
|
||||
- *no composition rules* +
|
||||
Do not request the user to e.g. use at least one upper case letter and a special character on their password.
|
||||
Give them the opportunity to, but do not force them!
|
||||
Do not request the user to, e.g., use at least one upper case letter and a special character on their password.
|
||||
Please give them the opportunity to, but do not force them!
|
||||
- *no password hints* +
|
||||
If you wanted people have a better chance at guessing your password, write it on a note attached to your screen.
|
||||
If you wanted people to have a better chance at guessing your password, write it on a note attached to your screen.
|
||||
- *no security questions* +
|
||||
Security questions, also known as knowledge-based authentication (KBA) are outdated.
|
||||
Asking a user “What’s the name of your pet?” or something similar to check if it’s really him, is pretty unsecure.
|
||||
Security questions, also known as knowledge-based authentication (KBA), are outdated.
|
||||
Asking a user, "What's the name of your pet?" or something similar to check if it's him is pretty insecure.
|
||||
- *no unnecessary changing of passwords*
|
||||
If you want users to comply and choose long, hard-to-guess passwords, you should not make them change those passwords unnecessarily after a certain period of time.
|
||||
If you want users to comply and choose long, hard-to-guess passwords, you should not make them change those passwords unnecessarily after a certain period.
|
||||
- *minimum size of 8 characters* +
|
||||
A secure password nowadays should be at LEAST 8 characters long (up to 64).
|
||||
This is a minimum, not a maximum minimum!
|
||||
A secure password nowadays should be at LEAST 8 characters long (up to 64).
|
||||
This is a minimum, not a maximum-minimum!
|
||||
- *support all UNICODE characters* +
|
||||
You should allow all kind of UNICODE characters in a password.
|
||||
This also includes emojis and whitespaces.
|
||||
- *strength meter* +
|
||||
Add a strength meter on the password creation page to help the user to choose a strong and secure password.
|
||||
It would help if you allowed all kinds of UNICODE characters in a password.
|
||||
This also includes emojis and whitespaces.
|
||||
- *check the password against known bad choices*
|
||||
* passwords obtained from previous breach corpuses
|
||||
* dictionary words
|
||||
* repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
|
||||
* context-specific words, such as the name of the service, the username, and derivatives thereof
|
||||
* passwords obtained from previous breach corpuses
|
||||
* dictionary words
|
||||
* repetitive or sequential characters (e.g. 'aaaaaa', '1234abcd')
|
||||
* context-specific words, such as the name of the service, the username, and derivatives thereof
|
||||
|
||||
=== Usability
|
||||
==== Usability
|
||||
|
||||
Besides the recommendations above, the NIST standard also recommends to increase the usability of password forms to increase the likelihood of users choosing a strong and secure password. Some of those are:
|
||||
Besides the recommendations above, the NIST standard also recommends increasing the usability of password forms to increase the likelihood of users choosing a strong and secure password. Some of those are:
|
||||
|
||||
- *allow pasting into the password input* +
|
||||
Users should be able to use the "paste" functionality when entering a password.
|
||||
Since this facilitates the use of password managers, it also increases the likelihood that the user will choose a strong password.
|
||||
- *allow to display the password* +
|
||||
Password inputs should have an option to display the entered password to assist the user in successfully entering a password.
|
||||
Users should be able to use the "paste" functionality when entering a password.
|
||||
Since this facilitates the use of password managers, it also increases the likelihood that the user will choose a strong password.
|
||||
- *allow displaying the password* +
|
||||
Password inputs should have an option to display the entered password to assist the user in successfully entering a password.
|
||||
- *offer a strength meter* +
|
||||
Add a strength meter on the password creation page to help the user to choose a strong and secure password.
|
||||
Add a strength meter on the password creation page to help the user choose a strong and secure password.
|
||||
|
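Review bot: L146 weakens a normative recommendation: "You should allow all kinds of UNICODE characters" (L134) becomes "It would help if you allowed", which reads as optional, whereas SP 800-63B says the verifier SHOULD accept all printing ASCII and Unicode characters including space; keep "should" (and write "Unicode", not "UNICODE"). Two unchanged lines need attention while this list is being edited: L52 calls the whole "Special Publications (SP) 800-series" the password standard, but the linked document is SP 800-63B; and L125 "at LEAST 8 characters long (up to 64)" reads as a 64-character cap, while the guideline is a minimum of 8 with a SHOULD to permit at least 64, so "minimum 8 characters, and allow at least 64" is the intended meaning and the "maximum-minimum" line (L128) can go. Minor: L104 "if it's him" should be "if it's really them", and the "Please" added on L80 is out of register with the rest of the list.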
@ -1,19 +1,19 @@
|
||||
== Are your passwords secure?
|
||||
=== Are your passwords secure?
|
||||
|
||||
What about you? Are your passwords secure?
|
||||
|
||||
There are websites that allow to test if one of your accounts got breached in a past data breach. +
|
||||
There are dedicated websites that allow searching if one of your accounts got breached in a past data breach. +
|
||||
Go to https://haveibeenpwned.com/Passwords[Have I Been Pwned] or https://www.dehashed.com/[DEHASHED] per example and test if your account got breached.
|
||||
If so, better change your passwords *right now*!
|
||||
|
||||
=== What can you do to improve security of your account?
|
||||
==== What can you do to improve the security of your account?
|
||||
- *use different passwords for different accounts* +
|
||||
It is a good thing to NOT use the same password for multiple accounts but rather to use different passwords for each one.
|
||||
* *use passphrases* +
|
||||
Use passphrase generators like https://www.rempe.us/diceware/#eff[Diceware] to generate passphrases.
|
||||
Passphrases are passwords made out of a number of words instead of randomly generated character sequences.
|
||||
This makes them way easier to remember for us human beings. And by the way: The longer the better!
|
||||
* *use a password manager* +
|
||||
If you can't remember all of your different passwords, use a password manager to create an then securely store your passwords.
|
||||
- *use two factor authentication* +
|
||||
If possible, use two factor authentication methods to add an extra layer of security to your accounts.
|
||||
It is a good thing NOT to use the same password for multiple accounts but rather to use different passwords.
|
||||
* *use passphrases* +
|
||||
Use passphrase generators like https://www.rempe.us/diceware/#eff[Diceware] to generate passphrases.
|
||||
Passphrases are passwords made out of several words instead of randomly generated character sequences.
|
||||
This makes them way easier to remember for us human beings. And by the way: The longer, the better!
|
||||
* *use a password manager* +
|
||||
If you can't remember your different passwords, use a password manager to create and securely store your passwords.
|
||||
- *use two-factor authentication* +
|
||||
If possible, use two-factor authentication methods to add an extra layer of security to your accounts.
|
||||
|
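Review bot: L300 drops "for each one" from the old L273, so "rather than to use different passwords" no longer says one password per account; restore it ("... but rather a different password for each account"). L256 is untouched but still says "per example" (should be "for example"), and the Have I Been Pwned link goes to /Passwords, the password-search page, while the sentence talks about checking whether an account was breached; either link the account search or rephrase the sentence to match the page. The list also mixes `-` (L270, L321) and `*` (L303, L315) markers in one list; pick one marker so the items render as a single list.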
@ -1,33 +1,32 @@
|
||||
== Storing passwords
|
||||
=== Storing passwords
|
||||
|
||||
After a strong and secure password was created, it also has to be stored in a secure way.
|
||||
After a strong and secure password was created, it also has to be stored securely.
|
||||
The NIST gives recommendations on how applications should handle passwords and how to store them securely.
|
||||
|
||||
=== How should a password be stored?
|
||||
==== How should a password be stored?
|
||||
|
||||
- first of all: *use encryption and a protected channel for requesting passwords* +
|
||||
The verifier shall use approved encryption and an authenticated protected channel when requesting memorized secrets
|
||||
in order to provide resistance to eavesdropping and MitM (Man-in-the-middle) attacks.
|
||||
The verifier shall use approved encryption and an authenticated protected channel to resist eavesdropping and MitM (Man-in-the-middle) attacks when requesting memorized secrets.
|
||||
- *resistant to offline attacks* +
|
||||
Passwords should be stored in a form that is resistant to offline attacks.
|
||||
Passwords should be stored in a form that is resistant to offline attacks.
|
||||
- *use salts* +
|
||||
Passwords should be salted before storing them.
|
||||
The salt shall have at least 32 bits in length and should be chosen arbitrarily so as to minimize salt value collisions among stored hashes.
|
||||
Passwords should be salted before storing them.
|
||||
The salt shall have at least 32 bits in length and should be chosen arbitrarily to minimize salt value collisions among stored hashes.
|
||||
- *use hashing* +
|
||||
Before storing a password it should be hashed with a one way key derivation function.
|
||||
The function takes the password, the salt and a cost factor as inputs and then generates a password hash. +
|
||||
Examples of suitable key derivation functions:
|
||||
* Password-based Key Derivation Function 2 (https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132[PBKDF2]) (as large as possible => at least 10.000 iterations)
|
||||
* https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132[BALLOON]
|
||||
* The key derivation function shall use an approved one-way function such as:
|
||||
** Keyed Hash Message Authentication Code (https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS198-1[HMAC])
|
||||
** any approved hash function in https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-107[SP 800-107]
|
||||
** Secure Hash Algorithm 3 (https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS202[SHA-3])
|
||||
** https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-38B[CMAC]
|
||||
** Keccak Message Authentication Code (KMAC)
|
||||
** Customizable SHAKE (cSHAKE)
|
||||
** https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-185[ParallelHash]
|
||||
Before storing a password, it should be hashed with a one-way key derivation function.
|
||||
The function inputs the password, salt, and cost factor and then generates a password hash. +
|
||||
Examples of suitable key derivation functions:
|
||||
* Password-based Key Derivation Function 2 (https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132[PBKDF2]) (as large as possible => at least 10.000 iterations)
|
||||
* https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132[BALLOON]
|
||||
* The key derivation function shall use an approved one-way function such as:
|
||||
** Keyed Hash Message Authentication Code (https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS198-1[HMAC])
|
||||
** any approved hash function in https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-107[SP 800-107]
|
||||
** Secure Hash Algorithm 3 (https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS202[SHA-3])
|
||||
** https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-38B[CMAC]
|
||||
** Keccak Message Authentication Code (KMAC)
|
||||
** Customizable SHAKE (cSHAKE)
|
||||
** https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-185[ParallelHash]
|
||||
- *memory hard key derivation function* +
|
||||
Use memory hard key derivation functions to further increase the needed cost to perform attacks.
|
||||
Use memory-hard key derivation functions to increase the needed cost further to perform attacks.
|
||||
- *high cost factor* +
|
||||
The cost factor (iteration count) of the key derivation function should be as large as verification server performance will allow. (at least 10.000 iterations)
|
||||
The key derivation function's cost factor (iteration count) should be as large as verification server performance will allow. (at least 10.000 iterations)
|
||||
|
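Review bot: L445 and L490 keep "at least 10.000 iterations" with a decimal point, which English readers parse as ten; the linked SP 800-63B text says 10,000, so write "10,000" or "10000". On L448 the BALLOON entry links to the same `#SP800-132` anchor as PBKDF2 on L445; SP 800-132 is the PBKDF2 recommendation, so this link is wrong and should point at the Balloon reference in the same document. L451 "The key derivation function shall use an approved one-way function such as:" is a requirement on the PRF used inside the KDF, not another "example of a suitable key derivation function", so it should not sit as a sibling bullet of PBKDF2 and Balloon; give it its own sentence under the hashing bullet. Caveat worth making explicit on L391: "chosen arbitrarily" means a random, unique-per-password salt (the line itself says the goal is to avoid collisions), and 32 bits is the floor, not a target. L481's rewrite reads oddly ("increase the needed cost further to perform attacks"); the old L478 was clearer.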
@ -1,8 +1,8 @@
|
||||
== How long could it take to brute force your password?
|
||||
=== How long could it take to brute force your password?
|
||||
|
||||
In this assignment you have to type in a password which is strong enough (at least 4/4).
|
||||
In this assignment, you have to type in a password that is strong enough (at least 4/4).
|
||||
|
||||
After you finished this assignment we highly recommend you to try some of the passwords below to see why they are no good choices:
|
||||
After you finish this assignment we highly recommend you try some passwords below to see why they are not good choices:
|
||||
|
||||
* password
|
||||
* johnsmith
|
||||
|
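Review bot: L516 drops "of the" from L513, so "try some passwords below" no longer points at the list that follows; "try some of the passwords below" reads correctly. The "(at least 4/4)" on L508 is never explained; say that it is the strength meter's score so the learner knows what the scale is.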
@ -1,8 +1,7 @@
|
||||
== Secure Passwords
|
||||
In this lesson the user will learn about how to create strong passwords and how to store them in a secure way.
|
||||
We will take a look at most important recommendations made by the NIST password standard.
|
||||
In this lesson, the user will learn how to create strong passwords and securely store them.
|
||||
We will take a look at the most important recommendations made by the NIST password standard.
|
||||
|
||||
Goals:
|
||||
|
||||
- The user knows how a strong password should look like and what specifications it should fulfill
|
||||
- The user has a basic overview of what to pay attention to when developing an application that stores passwords
|
||||
- The user has a basic overview of what to pay attention to when developing an application that stores passwords
|
||||
|
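Review bot: L553 is untouched and still reads "knows how a strong password should look like", which mixes "how ... should look" with "what ... should look like"; since L540 and L543 fix grammar in the same file, fix this goal too ("knows what a strong password should look like and which specifications it should fulfil"). L556 and L559 appear identical in this view, so the change on that line is whitespace-only or a no-op; confirm it is intended.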