# Password & Authenticator Guidance (System-Agnostic)

**Document owner:** [Owner/Role]

**Approved by:** [Steering Committee / CISO]

**Effective date:** [YYYY-MM-DD]

**Review cadence:** [Annually]

---

## 1) Purpose & Scope

This document provides **implementation guidance and hardening requirements** for enforcing the Password & Authenticator Policy across all systems, applications, and identity platforms in [Organization].

It applies to IT, IAM administrators, and system owners.

---

## 2) Policy Implementation Guidance

### 2.1 Password Length & Creation

- Configure all systems to **enforce minimum lengths**:
  - **15 characters** for single-factor authentication.
  - **8 characters** for MFA-protected logins.
- Ensure systems support passwords up to **64 characters** with spaces, ASCII, and Unicode.
- Do not enforce composition rules; instead rely on **length + blocklist screening**.

### 2.2 Blocklist Screening

- Implement password screening against:
  - **Commonly used passwords** (e.g., “Password123”).
  - **Breach corpuses** (public leak data).
  - **Organization-specific terms** (company name, product names).
- Update blocklists at least **quarterly**.
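
The acceptance check that sections 2.1 and 2.2 describe, written out as an added example (not the organization's own code): length limits that depend on whether the login is MFA-protected, no composition rules, no trimming or truncation, and case-insensitive screening against common-password, breach and organization-term blocklists. The three blocklists and the company/product names in it are constructed sample data standing in for the real corpora.

```python
"""Password acceptance check for sections 2.1 and 2.2.

Added example; not the organization's own code. Minimum length depends on
whether the login is MFA-protected (15 characters single-factor, 8 with MFA),
passwords up to 64 characters with spaces and Unicode are accepted, there are
no composition rules, and candidates are screened against common-password,
breach and organization-term blocklists. The three blocklists below are small
constructed samples standing in for the real corpora.
"""
import unicodedata

MIN_LENGTH_SINGLE_FACTOR = 15
MIN_LENGTH_WITH_MFA = 8
MAX_LENGTH = 64

# Constructed sample data; a deployment loads the full corpora and refreshes them quarterly.
COMMON_PASSWORDS = {"password123", "password", "qwerty", "letmein", "welcome1"}
BREACHED_PASSWORDS = {"summer2019!", "iloveyou2024"}
ORG_TERMS = {"acmecorp", "acme", "widgetpro"}  # constructed company and product names


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode forms compare (and count) the same."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, mfa_protected: bool) -> list:
    """Return the list of policy violations; an empty list means the password is accepted.

    The candidate is never trimmed or truncated: spaces count, and anything over
    MAX_LENGTH is rejected outright rather than silently cut (section 2.12).
    """
    problems = []
    pw = normalize(password)
    min_len = MIN_LENGTH_WITH_MFA if mfa_protected else MIN_LENGTH_SINGLE_FACTOR
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    # Blocklist comparisons are case-insensitive: "Password123" must match "password123".
    folded = pw.casefold()
    if folded in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    if folded in BREACHED_PASSWORDS:
        problems.append("appears in breach data")
    # Organization terms are matched as substrings, so "AcmeCorp 2024" is still caught;
    # longest term first so the report names the most specific match.
    for term in sorted(ORG_TERMS, key=len, reverse=True):
        if term in folded:
            problems.append(f"contains organization-specific term '{term}'")
            break
    return problems
```

A passphrase with spaces such as `correct horse battery staple` passes for a single-factor login, while `tr0ub4dor&3` (11 characters) passes only when the login is MFA-protected; the exact-match lists reject `Password123` regardless of case, and the substring match on organization terms rejects `AcmeCorp 2024 rocks` even though it is long enough.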

### 2.3 Expiration & Rotation

- Disable periodic password expiration for human accounts.
- Enable **risk/event-driven rotation** when compromise is suspected.
- For **service accounts**, enforce **automated rotation** in a secret manager.

### 2.4 Usability & User Experience

- Enable **copy/paste** to support password managers.
- Provide an optional **“show password”** control on login.
- Prohibit **password hints** and **security questions**.

### 2.5 Multi-Factor Authentication (MFA)

- Require MFA for:
  - All external-facing logins.
  - Administrative access.
  - Remote access (VPN, SSH, RDP, portals).
  - Systems handling **sensitive or regulated data**.
- Prefer **phishing-resistant MFA** (FIDO2, WebAuthn, authenticator apps).
- Allow **SMS/voice** only as fallback.

### 2.6 Account Lockout & Rate Limiting

- Enforce **rate-limiting** on failed login attempts.
- Apply **escalating timeouts** (e.g., 30s → 1min → 5min).
- Avoid permanent lockouts to reduce denial-of-service risk.
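
The escalating-timeout behaviour of section 2.6, as an added example (not the organization's own code): a per-account throttle that walks the 30s → 1min → 5min schedule and then stays at 5 minutes, so the delay grows but no account is ever permanently locked. The number of free failures before the first timeout (`FREE_ATTEMPTS`) is an assumption, since the section does not fix one, and the clock is injected so the logic can be exercised without sleeping.

```python
"""Per-account failed-login throttle with escalating timeouts (section 2.6).

Added example; not the organization's own code. Once an account exceeds a small
number of free failures (FREE_ATTEMPTS is an assumption; the section does not
fix a number), every further failure imposes a timeout from the escalation
schedule 30s -> 1min -> 5min. The schedule is capped at its last value so no
account is ever permanently locked, and a successful login clears the state.
The clock is injected so the logic can be exercised without sleeping.
"""
import time
from typing import Callable, Dict

ESCALATION_SECONDS = (30, 60, 300)   # 30s -> 1min -> 5min, as in section 2.6
FREE_ATTEMPTS = 3                    # assumption: failures tolerated before the first timeout


class _AccountState:
    def __init__(self) -> None:
        self.failures = 0
        self.locked_until = 0.0


class LoginThrottle:
    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._accounts: Dict[str, _AccountState] = {}

    def seconds_until_allowed(self, account: str) -> float:
        """Remaining timeout for the account; 0.0 when an attempt may proceed."""
        state = self._accounts.get(account)
        if state is None:
            return 0.0
        return max(0.0, state.locked_until - self._clock())

    def is_allowed(self, account: str) -> bool:
        return self.seconds_until_allowed(account) == 0.0

    def record_failure(self, account: str) -> float:
        """Count a failed attempt and return the timeout applied (0.0 while still within free attempts)."""
        state = self._accounts.setdefault(account, _AccountState())
        state.failures += 1
        excess = state.failures - FREE_ATTEMPTS
        if excess <= 0:
            return 0.0
        # Walk the schedule one step per extra failure, then stay on the last value:
        # the delay grows to 5 minutes and no further, so the account never locks permanently.
        delay = ESCALATION_SECONDS[min(excess, len(ESCALATION_SECONDS)) - 1]
        state.locked_until = self._clock() + delay
        return float(delay)

    def record_success(self, account: str) -> None:
        """A successful login resets the failure count and any pending timeout."""
        self._accounts.pop(account, None)


def authenticate(throttle: LoginThrottle, account: str, password_ok: bool) -> str:
    """Login flow: reject without evaluating the password while a timeout is active."""
    wait = throttle.seconds_until_allowed(account)
    if wait > 0:
        return f"throttled: retry in {wait:.0f}s"
    if password_ok:
        throttle.record_success(account)
        return "ok"
    delay = throttle.record_failure(account)
    return "denied" if delay == 0 else f"denied: locked for {delay:.0f}s"
```

While a timeout is active the password is not evaluated at all, so a correct password submitted during the lockout is still refused; this is what keeps the throttle from leaking whether the guess was right. Every throttled or locked outcome is also the kind of event the hardening checklist expects to be audited.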

### 2.7 Password Storage & Transmission

- Transmit all credentials only over **encrypted channels** (TLS 1.2+).
- Store passwords using:
  - **Argon2id (preferred)**, or
  - **bcrypt** / **PBKDF2** with high work factor.
- Use **unique salts** (≥32 bits) per credential.
- Consider adding a server-side **“pepper”** stored securely (HSM/TEE).

### 2.8 Resets & Recovery

- Require MFA for password resets.
- Prohibit knowledge-based authentication (KBA/security questions).
- Revoke all active sessions and tokens after a reset due to compromise.

### 2.9 Administrative & Privileged Accounts

- Enforce **separate admin accounts** for elevated tasks.
- Protect all privileged accounts with **MFA**.
- Provision administrative access **just-in-time** or **time-bound**.
- Prohibit shared admin credentials; vault and monitor any break-glass accounts.

### 2.10 Service & Machine Accounts

- Prefer **key-based**, **certificate-based**, or **federated identities** over passwords.
- If passwords are required:
  - **≥30 characters**, randomly generated.
  - Stored only in **approved secret managers**.
  - Automatically rotated and logged.
- Prohibit interactive login with service accounts.

### 2.11 Dormant Accounts

- Disable accounts after **45 days of inactivity**.
- Conduct **quarterly account reviews** for all user and service accounts.

### 2.12 Application Integration

Applications authenticating users **must**:

- Support policy requirements for **length**, **blocklist checks**, and **no composition rules**.
- Allow **paste/autofill**.
- Not truncate credentials.
- Store credentials with modern password hashing.

---

## 3) Hardening Checklist

✅ Enforce MFA on all sensitive and external-facing systems.

✅ Implement blocklist screening for weak/compromised passwords.

✅ Remove periodic password expiration policies for human users.

✅ Store passwords only with Argon2id/bcrypt/PBKDF2.

✅ Rate-limit login attempts with escalating delays.

✅ Disable accounts inactive for ≥45 days.

✅ Require password manager compatibility (paste/show-password).

✅ Review and disable legacy authentication protocols (e.g., plain text FTP/POP/IMAP, NTLMv1).

✅ Audit password changes, resets, and lockout events.

---

## 4) References

- **NIST SP 800-63B, Digital Identity Guidelines (2023 update)**
- **CIS Controls v8.1 (Controls 5 & 6)**
- **OWASP Authentication Cheat Sheet**