policies/Security/password_guidance_generic.md
2025-09-30 11:30:46 +02:00

Password & Authenticator Guidance (System-Agnostic)

Document owner: [Owner/Role]
Approved by: [Steering Committee / CISO]
Effective date: [YYYY-MM-DD]
Review cadence: [Annually]


1) Purpose & Scope

This document provides implementation guidance and hardening requirements for enforcing the Password & Authenticator Policy across all systems, applications, and identity platforms in [Organization].
It applies to IT, IAM administrators, and system owners.


2) Policy Implementation Guidance

2.1 Password Length & Creation

  • Configure all systems to enforce minimum lengths:
    • 15 characters for single-factor authentication.
    • 8 characters for MFA-protected logins.
  • Ensure systems support passwords up to 64 characters with spaces, ASCII, and Unicode.
  • Do not enforce composition rules; instead rely on length + blocklist screening.

2.2 Blocklist Screening

  • Implement password screening against:
    • Commonly used passwords (e.g., “Password123”).
    • Breach corpuses (public leak data).
    • Organization-specific terms (company name, product names).
  • Update blocklists at least quarterly.
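As an added illustration of sections 2.1 and 2.2 together (and of the 2.12 requirement not to truncate credentials), the following Python validator is example code, not part of this guidance or of any [Organization] system. The blocklist contents, the company and product terms, and the NFKC normalisation step are constructed assumptions; a real deployment loads the breach corpus and organisation terms from maintained sources.

```python
import unicodedata

# Policy constants taken from sections 2.1 and 2.2 of the guidance.
MIN_LEN_SINGLE_FACTOR = 15
MIN_LEN_MFA = 8
MAX_LEN = 64

# Constructed sample blocklists; a real deployment loads these from a
# breach corpus and an organisation-specific term list, refreshed quarterly.
COMMON_PASSWORDS = {"password123", "qwerty", "letmein", "welcome1"}
ORG_TERMS = {"examplecorp", "widgetpro"}  # hypothetical company/product names


def normalize(password: str) -> str:
    """NFKC-normalise so visually identical Unicode input compares equal.
    Spaces are kept: the policy allows them, so they must not be stripped."""
    return unicodedata.normalize("NFKC", password)


def blocklist_hits(password: str) -> list[str]:
    """Return the blocklist reasons that apply, comparing case-insensitively.
    Exact matches catch common passwords; substring checks catch organisation
    terms embedded in otherwise long passwords (e.g. 'ExampleCorp-Summer-2025')."""
    lowered = normalize(password).lower()
    hits = []
    if lowered in COMMON_PASSWORDS:
        hits.append("common password")
    if any(term in lowered for term in ORG_TERMS):
        hits.append("organisation-specific term")
    return hits


def validate_password(password: str, mfa_protected: bool) -> list[str]:
    """Apply the policy rules and return the list of violations (empty == accepted).

    Deliberately absent: composition rules (no 'must contain a digit/symbol').
    Length is measured in code points after normalisation, so Unicode and
    spaces count like any other character and nothing is truncated."""
    pw = normalize(password)
    minimum = MIN_LEN_MFA if mfa_protected else MIN_LEN_SINGLE_FACTOR
    violations = []
    if len(pw) < minimum:
        violations.append(f"shorter than {minimum} characters")
    if len(pw) > MAX_LEN:
        # Reject rather than silently truncate (section 2.12).
        violations.append(f"longer than {MAX_LEN} characters")
    violations.extend(blocklist_hits(pw))
    return violations


if __name__ == "__main__":
    # Constructed sample inputs: (candidate password, login is MFA-protected)
    samples = [
        ("Password123", False),
        ("correct horse battery staple", False),
        ("ExampleCorp-Summer-2025", False),
        ("ünïcödé pässphrase ok", True),
    ]
    for pw, mfa in samples:
        result = validate_password(pw, mfa_protected=mfa)
        print(f"{pw!r:35} mfa={mfa!s:5} -> {result or 'accepted'}")
```

The validator returns every applicable reason rather than stopping at the first one, so the login form can tell the user both that the password is too short and that it is on the blocklist; the substring check on organisation terms is what stops "long enough" variants of the company name from passing.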

2.3 Expiration & Rotation

  • Disable periodic password expiration for human accounts.
  • Enable risk/event-driven rotation when compromise is suspected.
  • For service accounts, enforce automated rotation in a secret manager.

2.4 Usability & User Experience

  • Enable copy/paste to support password managers.
  • Provide an optional “show password” control on login.
  • Prohibit password hints and security questions.

2.5 Multi-Factor Authentication (MFA)

  • Require MFA for:
    • All external-facing logins.
    • Administrative access.
    • Remote access (VPN, SSH, RDP, portals).
    • Systems handling sensitive or regulated data.
  • Prefer phishing-resistant MFA (FIDO2, WebAuthn, authenticator apps).
  • Allow SMS/voice only as fallback.

2.6 Account Lockout & Rate Limiting

  • Enforce rate-limiting on failed login attempts.
  • Apply escalating timeouts (e.g., 30s → 1min → 5min).
  • Avoid permanent lockouts to reduce denial-of-service risk.
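The escalating schedule in section 2.6, as an added Python example that is not part of this guidance or of any product it refers to. The schedule values (30 s, 60 s, 300 s) come from the text; the three free attempts, the in-memory storage and the injectable clock are constructed assumptions for illustration.

```python
import time

# Escalating delays from section 2.6: 30 s, then 1 min, then 5 min.
# The last value is reused for every further failure, so the lockout is
# never permanent and an attacker cannot lock a victim out indefinitely.
ESCALATION_SCHEDULE = (30, 60, 300)
# Constructed threshold: the first few failures carry no delay, so a typo
# does not immediately punish the legitimate user.
FREE_ATTEMPTS = 3


class LoginRateLimiter:
    """Per-identity failed-login tracker with escalating, self-expiring delays.

    State is kept in memory for illustration; a real deployment shares it
    across nodes (e.g. a cache) and keys it on account and source address."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock           # injectable so tests can fake time
        self._failures = {}           # identity -> consecutive failure count
        self._blocked_until = {}      # identity -> monotonic timestamp

    def delay_for(self, failures: int) -> int:
        """Delay (seconds) applied after the given number of consecutive failures."""
        if failures <= FREE_ATTEMPTS:
            return 0
        step = failures - FREE_ATTEMPTS - 1
        return ESCALATION_SCHEDULE[min(step, len(ESCALATION_SCHEDULE) - 1)]

    def seconds_until_allowed(self, identity: str) -> float:
        """0 if a login attempt may proceed now, otherwise the remaining wait."""
        return max(0.0, self._blocked_until.get(identity, 0.0) - self._clock())

    def record_failure(self, identity: str) -> int:
        """Record a failed attempt and return the delay now in force."""
        count = self._failures.get(identity, 0) + 1
        self._failures[identity] = count
        delay = self.delay_for(count)
        if delay:
            self._blocked_until[identity] = self._clock() + delay
        return delay

    def record_success(self, identity: str) -> None:
        """A successful login clears the escalation state for that identity."""
        self._failures.pop(identity, None)
        self._blocked_until.pop(identity, None)


if __name__ == "__main__":
    limiter = LoginRateLimiter()
    for attempt in range(1, 8):
        delay = limiter.record_failure("alice")   # constructed identity
        print(f"failure {attempt}: next attempt delayed {delay}s")
```

Because the limiter only ever sets a finite `blocked_until`, the state expires on its own; the audit trail required by the hardening checklist would be produced by logging each `record_failure` call alongside the identity and source.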

2.7 Password Storage & Transmission

  • Transmit all credentials only over encrypted channels (TLS 1.2+).
  • Store passwords using:
    • Argon2id (preferred), or
    • bcrypt / PBKDF2 with high work factor.
  • Use unique salts (≥32 bits) per credential.
  • Consider adding a server-side “pepper” stored securely (HSM/TEE).
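The storage requirements of section 2.7, as an added Python example that is not part of this guidance. Argon2id is the preferred algorithm in the text but needs a third-party library, so this example uses PBKDF2-HMAC-SHA256 from the standard library, which the section also permits. The iteration count, the 16-byte salt size, the `algorithm$iterations$salt$hash` record format and the hard-coded pepper value are all constructed assumptions; in production the pepper lives in an HSM/TEE or secret manager, never beside the hashes.

```python
import hashlib
import hmac
import os

# Section 2.7 prefers Argon2id; that needs argon2-cffi, so this example uses
# PBKDF2-HMAC-SHA256 from the standard library with a high work factor.
PBKDF2_ITERATIONS = 600_000     # constructed value; tune so one hash takes ~100 ms
SALT_BYTES = 16                 # 128 bits, well above the 32-bit minimum in 2.7

# Constructed pepper for illustration only. In production it comes from an
# HSM/TEE or secret manager and is never stored with the hash records.
PEPPER = bytes.fromhex("7a6f3e1c9b2d4a5f8e7c6b5a4d3c2b1a")


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    # The pepper is applied as an HMAC key over the password before stretching,
    # so a dumped hash table alone is not enough to verify offline guesses.
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations, dklen=32)


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.
    A fresh random salt per credential means equal passwords hash differently."""
    salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        candidate = _derive(password, bytes.fromhex(salt_hex), int(iterations))
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False            # malformed record: treat as a failed verification
    if algorithm != "pbkdf2_sha256":
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when the stored work factor is below the current policy value, so the
    record can be upgraded transparently on the user's next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or not parts[1].isdigit() or int(parts[1]) < PBKDF2_ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("Password123", record))
```

Storing the iteration count inside the record is what makes a later work-factor increase painless: `needs_rehash` flags old records and the application re-hashes after the next successful login without forcing a reset.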

2.8 Resets & Recovery

  • Require MFA for password resets.
  • Prohibit knowledge-based authentication (KBA/security questions).
  • Revoke all active sessions and tokens after a reset due to compromise.

2.9 Administrative & Privileged Accounts

  • Enforce separate admin accounts for elevated tasks.
  • Protect all privileged accounts with MFA.
  • Provision administrative access just-in-time or time-bound.
  • Prohibit shared admin credentials; vault and monitor any break-glass accounts.

2.10 Service & Machine Accounts

  • Prefer key-based, certificate-based, or federated identities over passwords.
  • If passwords are required:
    • ≥30 characters, randomly generated.
    • Stored only in approved secret managers.
    • Automatically rotated and logged.
  • Prohibit interactive login with service accounts.

2.11 Dormant Accounts

  • Disable accounts after 45 days of inactivity.
  • Conduct quarterly account reviews for all user and service accounts.

2.12 Application Integration

Applications authenticating users must:

  • Support policy requirements for length, blocklist checks, and no composition rules.
  • Allow paste/autofill.
  • Not truncate credentials.
  • Store credentials with modern password hashing.

3) Hardening Checklist

  • Enforce MFA on all sensitive and external-facing systems.
  • Implement blocklist screening for weak/compromised passwords.
  • Remove periodic password expiration policies for human users.
  • Store passwords only with Argon2id/bcrypt/PBKDF2.
  • Rate-limit login attempts with escalating delays.
  • Disable accounts inactive for ≥45 days.
  • Require password manager compatibility (paste/show-password).
  • Review and disable legacy authentication protocols (e.g., plain-text FTP/POP/IMAP, NTLMv1).
  • Audit password changes, resets, and lockout events.


4) References

  • NIST SP 800-63B, Digital Identity Guidelines (2023 update)
  • CIS Controls v8.1 (Controls 5 & 6)
  • OWASP Authentication Cheat Sheet