This document describes and justifies password management best practices as applied in medium to large organizations. It offers reasoned guidance to IT decision makers when they set security policy and design network infrastructure that includes passwords.
The guidance in this document is focused on how to best manage user passwords. It is not intended to address the special challenges and techniques that arise when managing privileged passwords, used to sign into administrator, service and embedded accounts.
Look for the marks throughout this document to find best practices.
The remainder of this document is organized as follows:
- Why do we still use passwords? -- explaining why passwords are unlikely to be entirely replaced in the near future.
- User authentication and passwords -- background information including terminology and an overview of both passwords and other types of credentials.
- Security threats -- an overview of how password security can be compromised.
- The human element -- a reminder that human behaviour has to be considered when designing the security of any system, including one for managing passwords.
- Composing hard-to-guess passwords -- how to estimate password strength and guidance for composing hard-to-compromise passwords.
- Unicode and other non-Latin passwords -- password composition for users whose first language is not English, and who may normally use multi-byte text input.
- Changing and reusing passwords -- guidance regarding when to change passwords and whether to allow users to choose the same password twice.
- Keeping passwords secret -- a reminder that passwords are supposed to be secret, and how to help users keep them that way.
- Intruder detection and lockout -- the role that intruder lockouts have in ensuring password security, and guidelines for a balance between keeping out attackers and not bothering legitimate users.
- Encrypting passwords in storage and transit -- the need to encrypt passwords, in motion and at rest.
- Synchronizing passwords -- the pros and cons of using the same password value on multiple systems and applications.
- Single sign-on -- the pros and cons of replacing multiple login prompts with a single, shared login process.
- IT support for forgotten and locked out passwords -- how to assist users who forgot or locked out their password.
- Mobile devices: challenges and opportunity -- enabling access to the password management system from user phones, dealing with passwords cached by various apps on user devices, and leveraging phones to resolve login problems and to increase the strength of authentication processes.
Why do we still use passwords?
The end of passwords has been predicted for decades. Biometrics, smart cards, one-time password tokens and more have been offered up as alternatives, and many of these are gaining market share.
In reality, passwords are likely to remain popular for a long time:
- Passwords are cheaper to deploy than any alternative, though supporting passwords (forgotten, locked out) can be costly.
- Some types of credentials can only be used on compatible devices and in certain circumstances:
  - Smart cards plug into card readers, which are mainly made for PCs (desktops and laptops) -- rarely for tablets or smartphones.
  - One-time password tokens only work where there is a network connection -- this makes them unsuitable for signing into devices which are sometimes offline.
  - Every kind of biometric requires a sensor -- fingerprint reader, retina scanner, camera, microphone, etc. Not every device a user might want to sign into has the requisite sensors.
  - For every biometric, there are some users who physically cannot enroll -- amputees, people whose fingers are too small, people with retinal or iris damage, etc.
- In many cases, credentials other than passwords are combined with passwords to create stronger authentication. For example, tokens and smart cards are commonly combined with PINs (just numeric passwords).
- Many solutions marketed as replacements for passwords really just externalize the login process out of an application, to a shared infrastructure, which in all likelihood does use a password. This is true of Kerberos, LDAP authentication, federation with OAuth and SAML, etc.
- Many legacy applications are simply incompatible with any other credentials -- user logins are with an ID and password and nothing else.
Only when most applications can externalize their login process will organizations be able to seriously contemplate the end of passwords.