Guide: Password security
Password guide for IT users, developers, system administrators, and senior management.

Posted on 12-Jul-2020

Table of contents

- Introduction
- Overall recommendations
- Hacker approaches
- Password challenges
- Tip #1 – What is a strong password?
- Tip #2 – Multifactor authentication
- Tip #3 – How to deal with password overload
- Tip #4 – Awareness and training
- Tip #5 – Changing all default passwords
- Tip #6 – Focus on administrator, service and remote user accounts
- Tip #7 – Account lockout and login monitoring
- Tip #8 – Secure handling of passwords in systems
- Tip #9 – Organizational password policy
- References
- Appendix

Kastellet 30
2100 København Ø
Telefon: +45 3332 5580
E-mail: [email protected]

Based on Danish version: 1st edition, August 2016. Revised edition, February 2020.
Front page illustration: LuisPortugal/Getty Images.

Introduction

Access to usernames and passwords is a coveted gateway for hackers into, in particular, public and private companies’ sensitive information. Passwords are often easy to obtain or crack, making them an extremely effective point of entry to gain access to information.

Passwords remain one of the best ways to protect sensitive and confidential information and prevent unauthorized access. Most password guides recommend the use of different passwords for different accounts, just as they advise the use of longer and more complex passwords to make it harder for hackers to break them.

Many IT users struggle to come up with new passwords that fulfil the password criteria in terms of uniqueness, length and complexity. As a result, storing passwords in places that allow them to be easily accessed may be a tempting option. However, not all storage techniques are safe, increasing the risk of passwords falling into the wrong hands. In other words, an effort to improve security may achieve the exact opposite.

This guide describes some of the most popular hacking techniques and some of the risks of password use, providing a number of password security tips to suit the risk profiles and specific security needs of organizations.

This guide is directed at:

- IT users, and is intended to serve as inspiration for new ways to address password and password protection issues. Tips 1-3 provide examples of strong passwords.
- The management level responsible for defining specific password policy best practices. For further information, please read Tips 1-4.
- The IT operations/supplier level, where it may be relevant to prepare procedures based on the organization’s specific needs rather than on general best practices. In many cases, the IT operations department will be the right partner to include in decisions on acquisitions of the proper technology to support the organization’s special needs in terms of composition, use and protection of passwords. For further information, please read Tips 5-8.
- IT developers/system administrators responsible for ensuring that user interaction with passwords, as well as communication and storage of passwords, is performed in a way that protects their confidentiality and integrity. For further information, please read Tips 6-8.
- Senior management responsible for maintaining focus on information security within the organization, including defining the IT security framework. Senior management is responsible for securing the resources necessary to achieve the desired security level. For further information, please read Tips 4 and 9.

Overall recommendations

The following pages detail the issues concerning password selection and use, and provide recommendations on how to address them. The recommendations and principles listed below are general, not exhaustive, and in some cases additional or alternative measures may be required.

Choice of passwords:

- Choose a password strength that is appropriate for the asset the password protects.
- Remember that password length is more important than password complexity.
- Do not reuse passwords across accounts.
- Use a password manager to help remember the many unique passwords.
- Supplement the password with multifactor authentication where possible.

Password policies:

- Do not set fixed complexity requirements for passwords, but offer advice on how to choose safe passwords.
- Assess whether mandatory password changes improve or decrease the level of security.
- Use single sign-on to expedite user access to the organization’s systems.
- Implement multifactor authentication where possible, and as a minimum for all remote access solutions and privileged accounts.
- Block the use of frequently used or previously leaked passwords.
- Support best practices for safe handling of passwords through regular awareness activities.

Hacker approaches

Access to IT systems is often governed by usernames and passwords, making them valuable to hackers as tools of entry. Hackers target attacks by, for instance, exploiting their knowledge of users and their passwords. This knowledge may be fed into a number of tools that help hackers to “guess” or read passwords, for instance through installation of a key logger that registers all keyboard activity.

Described below are some of the techniques used by hackers to obtain or crack passwords.

Social engineering

Social engineering is a widely popular technique used to gain access to passwords. In social engineering, the hacker tries to lure the password from the user, for instance by sending an email posing as someone whom the user knows and trusts. Typically, the hacker will send an email to the intended target, asking them to reply to the email, thereby disclosing information that the hacker can subsequently use to launch an attack.

Another technique involves sending an email that looks trustworthy, but which contains an embedded link to a false website or an attached file containing malicious code (malware). If the recipient clicks on the link or opens the attached file, malicious code may be installed or activated on their computer, allowing the hacker access to the username or password, or to internal IT systems containing sensitive business information.

Spear phishing

Spear phishing is similar to regular phishing but differs in the sense that it is targeted towards a specific recipient and uses social engineering techniques. Spear phishing attempts are often directed at specific individuals, and the emails are typically customized to appear particularly relevant, convincing and credible to the recipient by using the person’s name, information related specifically to the recipient, or relevant files harvested by the hacker in a previous reconnaissance phase.

Password reuse

Many users often recycle passwords, at work as well as at home. Password reuse carries a high risk that the hacker may gain access to more than one system when a password is leaked or otherwise compromised.

It is particularly critical when the same password is indiscriminately used for access to systems with low security as well as to systems with high security demands.

Dictionary, rainbow table and brute force

In a so-called dictionary attack, the hacker deploys a list of potential, often commonly used, passwords. The attack is an attempt to guess passwords by systematically trying combinations and variations of common words. Using a list containing a wide number of different words increases the likelihood of finding the right password. However, from the hacker’s perspective, the problem with this technique is that many IT systems have features that block multiple password attempts when the list is tried online against the login interface; the attack is far more effective when run offline against a stolen list of password hashes.

A rainbow table is a password cracking tool that can be used to find out what plaintext password produces a particular hash. The technique is similar to the dictionary and brute force attack techniques but differs in the sense that the attack is performed by looking up the hash in pre-computed tables combined with a limited number of hash calculations at lookup time. The table is built from chains of alternating hash and “reduction” steps (a reduction function maps a hash back to a candidate password), and only the start and end of each chain are stored. This reduces the amount of data in the rainbow table as opposed to a simple lookup table with one entry per hash. The reason they are called rainbow tables is that each column of the chain uses a different reduction function, which limits the merging of chains. Rainbow tables only work against unsalted hashes: if every stored password is hashed together with its own random salt, the pre-computation would have to be repeated for every salt, and the table is useless.

If a hacker knows the hash value of a password [1], it can be used to facilitate brute force attacks (further information on hashing of passwords can be found in Tip #8 in the appendix). In a brute force attack, the hacker tries different combinations of characters, making this type of attack far more time-consuming than a dictionary attack. But while an attack based on a dictionary does not necessarily reveal passwords that are not featured on the list, a brute force attack will eventually come up with the correct password. Long passwords will increase the amount of time needed by attackers, even attackers with access to significant computational power, to brute force the password, since every additional character multiplies the number of combinations by the size of the character set.

Default passwords

If default passwords, i.e. the passwords that are assigned to hardware and software by the manufacturer, are used for Internet-connected devices, this will allow hackers easy access to an organization’s networks and systems. If hackers know which specific hardware and software is used in an organization, they can go online to find the supplier’s default logins, which they can then use to gain access to the organization’s networks and systems.

[1] The hash value of a password may have been intercepted on the network or found in the cache on systems the user has logged onto.

Password spray attacks

A hacker may attack a system by entering popular passwords across all accounts of a particular system. In a large organization with hundreds of users, chances are high that the hacker will eventually guess one or more passwords. This technique is called password spraying. As organizations often have an account lockout policy, the hacker is careful to only try a few commonly used passwords against many accounts, spread out over time, to avoid account lockouts. Because no single account sees many failures, a per-account lockout does not stop spraying; detecting it requires looking at failed logins across accounts, for instance per source address.

Password challenges

New passwords typically require a minimum number of characters, and a mix of lower- and uppercase letters, numeric digits and special characters. In addition, the password must often be changed at regular intervals. Users may thus be hard pushed to come up with new passwords, making it tempting to store passwords in insecure ways, or to reuse passwords. Though such practice works against the intent of an organization’s password policies, it is nevertheless common among users, a fact that has not escaped the attention of hackers.

Common password practice

When creating new passwords, many IT users will choose to cut corners and pick the easiest possible password that fulfils the security requirements. For example:

- If the minimum password length is set to 8 characters, users will often not choose a password that exceeds 8 characters.
- If the password must contain upper-case letters, a commonly seen pattern is to let the first character of the password be an uppercase letter.
- If the password must contain numbers, users will often put the numbers at the end of the password. Digits between 0 and 99 or digits representing a year also feature quite frequently. Using numbers that look like letters is also common practice, for instance ”e” becomes ”3”, and ”o” becomes ”0”, etc.
- If special characters are a requirement, it is often fulfilled by using only one special character. Some characters are more popular than others; ”@” and ”!” are among the most popular.
- If the password must be changed at regular intervals, many users choose cyclical words such as seasons, quarters, months, etc.
- Some words or numbers are very popular and feature in many passwords. ”123456” is among the most commonly used passwords, as are the word ”password” and letters that are typed in succession such as ”qwerty”.
- The password is the same as the username or part of it.
- The password contains names of family members, friends, pets, etc.
- In connection with periodic password expiry, a new password is chosen that is almost identical to the old one.

Password cracking tools encode exactly these habits as transformation rules applied to a word list, so a password built from them is among the first to be tried.

Password strength

Even though an organization has multiple password requirements, leading to the assumption that the passwords are strong, they may still fall short. If the requirement for a secure password is twelve characters and a mix of upper- and lowercase letters, numeric digits and special characters, a compliant password may look as follows:

Password2019!

Commonly used passwords

Like the example above, in which the password is not considered secure despite meeting the formal security requirements, many users inadvertently choose non-unique passwords, making it easier for a hacker to guess them. Lists of the most common passwords are readily available online and may be used against a single username or against numerous usernames in a password spraying attack.

[Figure: The most commonly used passwords in the English-speaking part of the world.]

Use of leaked passwords

When usernames and passwords are leaked online, for example from a compromised website, they are often quickly added to the hackers’ arsenal and included on a list of passwords worth trying. The https://haveibeenpwned.com website allows users to check whether their accounts, or other accounts from their domain, have been compromised in a data breach.

Tip #1 – What is a strong password?

It is difficult to provide specific advice on which passwords are suitable for every situation or suited to mitigate every security threat. It is thus important that a risk assessment is used as the basis for finding a mix of protective measures that offer a suitable balance between security and practicability based on the asset the password protects.

If single sign-on is used to grant access to multiple systems, the security requirements should be based on the most critical of the systems. Internet-facing systems are often more exposed than internal systems.

Even though password complexity, a combination of lower- and uppercase letters, numeric digits and special characters, reduces the risk of a successful brute force attack, the length of a password is an even more important security feature. As the requirement for complexity may result in predictable passwords, stricter requirements for password length should be considered instead, along with other security measures. For further information, please read Tip #7 on security measures to reduce the risk of brute force attacks.

Multifactor authentication is one of the most effective supplementary security measures. For further information on multifactor authentication, please read Tip #2. Alternatively, if allowed by the organization’s authentication platform, avoiding passwords altogether may be a solution. For further information, please read the section on ”Password-free access”.

Keep in mind that no system is 100 per cent secure, regardless of how many security measures are implemented.

Passwords and passphrases

There is a plethora of advice on how to create passwords. Irrespective of the method chosen, it is essential that the password is not shared with others. It is also important to choose a medium-length password, ideally with a 12-character minimum, if multifactor authentication is not in place.

Password examples:

- Use the first letter of every word in a sentence:
  Idmrmbtwii-ros = I don’t mind riding my bike to work if it doesn’t rain or snow
  (Here the word “doesn’t” has been replaced by the sign ”-”)
- Another method could be to choose a song title and combine it with the name of the artist and signs/numbers:
  AbbeyRoad1969TheBeatles

Another approach could be to construct a passphrase that consists of random words that are easy to remember and that add some length to the password. If the user chooses a combination of common words, it is important to increase the length to a minimum of 20 characters, since an attacker can then guess word by word rather than character by character.

Passphrase examples:

- A combination of words inspired by a room at home:
  PotsRecipeKnifeCupboardFood
- A combination of words inspired by latest travel:
  CafeMuseumPoolSunshineHoliday

The examples of passwords and passphrases mentioned here should naturally be avoided as they are publicly available in this guide.

If a password manager is used (see Tip #3), rendering it unnecessary for a user to remember all their unique passwords, it is still advisable to use very complex and long passwords. Such passwords can often be generated by the password manager.

Password-free access

Efforts have been made in international forums to find an alternative to passwords, as this would eliminate the problem of passwords being difficult to remember, easy to guess, frequently recycled, and found in data leaks.

The adoption of the FIDO2 standard [2] has facilitated easy and secure access to websites and operating systems by using a public/private key pair instead of passwords. Authentication based on FIDO2 not only solves many of the problems connected with the conventional use of passwords, it is also easy for the user to manage.

Password-free access to, for instance, an online service requires registration of the account and generation of a unique public/private key pair. First, the user must choose an authenticator that is acceptable to the service provider, such as a mobile phone or a USB hardware key. The user unlocks the chosen authenticator by using a fingerprint, a hardware key or a PIN code, after which a unique key pair is generated. This key pair is tied to the authenticator, the user’s account and the provider (identified by its domain). The public key is sent to the provider and stored for later user validation; the private key never leaves the authenticator.

When the user accesses the services of the provider and enters their username, the provider sends a large random number, a so-called ”nonce” or challenge, to the user’s device. All the user has to do then is to unlock the authenticator, just like they did during the registration phase, for example by using a fingerprint. The device then locates the key registered for that provider, signs the challenge (together with the provider’s identity) with the private key, and sends the resulting signature back to the provider. The provider verifies the signature using the public key stored for the user, confirming that the user has access to their private key. If the validation is successful, the user is granted access to the services. Because the key is bound to the provider’s domain and each challenge is used only once, a signature captured by a phishing site cannot be replayed against the genuine provider.

During the FIDO2-based authentication process, no passwords are sent over the Internet, just as no passwords or other secrets are stored at the provider of the services accessed (the provider holds only the public key). The numerous risks associated with the classic use of passwords are thus avoided, while it remains easy for the user to access the service.

[2] For more information on FIDO2, please visit: https://fidoalliance.org/fido2/

Tip #2 – Multifactor authentication

Today, numerous systems offer multifactor authentication, which is one of the most effective security measures to increase login security in connection with access to sensitive information in IT systems. If multifactor authentication is applied, the demand for password strength may be reduced, both in terms of length and complexity.

Multifactor authentication

Multifactor authentication is an authentication method in which a user is granted access after entering their username along with two or three of the following authentication factors:

- Something the user knows (PIN or password),
- Something the user has (ID card, key card or USB key), or
- Personal features of the user (facial recognition or fingerprints), also known as biometric characteristics.

Most often, two-factor authentication is used, in which something the user knows is combined with something the user either has or is. Two factors of the same kind, for instance a password plus a security question, do not count as multifactor authentication.

Multifactor authentication is already widely used, often in connection with remote access or online banking services. As multifactor authentication offers very strong login security, it is advised to introduce it wherever possible, and as a minimum on systems that require a high level of security. If, for instance, an account can be used to reset forgotten passwords to other accounts, it should be protected by multifactor authentication.

There are several different multifactor authentication methods, including single-use codes sent by SMS, mobile applications generating single-use codes or asking for confirmation during login attempts, biometric measures such as fingerprints or facial recognition, and special USB keys, which can also be used for password-free access.

Multifactor authentication based on codes sent via SMS is considered less secure than other methods, as the codes can be intercepted or redirected (for example by SIM swapping), but any multifactor authentication method is better than relying exclusively on passwords. Note that single-use codes, whether sent by SMS or generated by an app, can still be phished in real time by a site that relays them to the genuine service; only methods that bind the login to the service’s domain, such as FIDO2 keys, resist this.

The method best suited for the individual organization or purpose depends on factors such as security requirements and administration and technology resources.

The Centre for Cyber Security recommends that

- multifactor authentication is used wherever possible
- multifactor authentication is always used when accounts provide access to critical systems or functions
- multifactor authentication is always used in connection with remote access to internal systems.

Tip #3 – How to deal with password overload

To relieve users from having to manage too many and overly complex passwords, it is important to pinpoint the areas where passwords are required and to decide on their length and complexity. It would be relevant to consider keeping systems or services that do not require high levels of security password free, or at least setting low password security requirements in terms of length and/or complexity.

Single sign-on

Single sign-on helps reduce the burden on IT users. Single sign-on is standard practice in most organizations, affording simultaneous access to multiple IT systems with a single logon. However, if the password is compromised, hackers may gain access to all the user’s systems, making security a key priority also when using single sign-on systems.

The security and privacy concerns of logging in to a website or service using Microsoft, Google, Facebook, or other third-party accounts are not covered by this guide.

Password managers

A password manager is a software application used to store a user’s collection of unique and strong passwords in a secure way. Access to stored passwords is protected by a master password.

A physical book containing passwords that is kept in a secure location is hard for a hacker to compromise, but less practical in day-to-day use. Alternatively, a password manager can be used to remember passwords. The advantage of password managers is that they allow users to use unique, long and complex passwords for all online accounts without having to remember every single password. Password managers are locked by a single master password that is required to access the stored passwords. The master password obviously has to be very strong, as hacker access to the master password would facilitate access to all the stored passwords.

Types of password managers:

- Browser-built-in password managers
- Browser-integrated password managers
- Independent password managers

Browser-built-in password managers are used in the most popular browsers to store passwords to visited websites, and they enable password synchronization across devices via the manufacturer’s associated cloud services. While this solution is easy to use, it most often only supports passwords for websites, offering only limited functionality and encryption options. Even though the stored passwords are encrypted, they are only as safe as the level of security on the device from which they are accessed. This solution is not suitable for critical passwords.

Browser-integrated password managers are installed as plug-ins in the most popular browsers. Their functionality is somewhat extended compared to the browser-built-in password managers: they can often help generate secure passwords; they can check whether a password has previously been leaked online; and they can be used to check whether passwords are frequently used and thus not recommended. Passwords are stored in encrypted form at the service provider and are synchronized across devices through its cloud service.

Independent password managers are generally not integrated with the browser and thus have a reduced attack surface. Website logins require activation of the password manager by pressing a hotkey or by using the copy/paste function. Independent password managers often have the same or superior functionality as the browser-integrated password managers, and the user can freely choose where to store their encrypted password database. While some password managers have built-in support for the larger cloud file sharing services, an alternative option is to store the database locally or with another cloud service provider.

If the encrypted password database is stored by the service provider of the password manager or at an alternative cloud service provider, synchronization is easy across computers and mobile devices, enabling on-the-spot access to passwords. Still, it is important not to rely exclusively on a single copy of the database stored at a single provider, as this will prove problematic if the service shuts down, experiences a critical outage, or suffers an irreparable loss of data. The ability to back up or export passwords is an important consideration when choosing a password manager.

Given the sensitive nature of the information stored, well-established and tested password manager solutions should be chosen to reduce the risk of compromise. Also, updating the chosen password manager solution regularly is important to apply security fixes which remedy any identified password manager vulnerabilities.

Regardless of the platform, it is important that the master password, used for unlocking access to the encrypted passwords, is very strong. It is advisable to supplement the master password with another factor such as a USB key and/or biometric access control.

Organizations with integrated single sign-on systems and few passwords usually have no need for password managers. Still, due to their function, some departments within an organization may have a special need for storage of multiple passwords, such as departments dealing with IT operations or communications. Larger organizations that need to manage many privileged accounts may benefit from using a specialised system (a privileged access management system) for secure delegation of password access, systematic change of passwords for critical service accounts, and strong auditing capabilities.

The few passwords that are necessary for re-establishment of access after major critical operational incidents should be stored in physical form in a secure location, so that access to the passwords does not depend on all systems being operational.

The Centre for Cyber Security recommends that

- password managers be used when storage of multiple unique passwords is required
- the choice of solution be based on the assets protected by the passwords, and on the organization’s risk assessment.

Machine-generated passwords

Machine-generated passwords can help improve security, as these randomly generated passwords are less predictable than user-generated passwords and difficult to break, though their complexity may make it harder for the user to remember them. If a password manager is not used, the system should give users a choice of passwords, allowing them to select the one they find most memorable. Machine-generated passwords may consist of four randomly chosen words, or the user can choose from a pool of different passwords, whichever is easier to remember. If a password manager is used, machine-generated passwords may be long and complex as the user need not remember them by heart. Whatever the form, the generator must draw from a cryptographically secure random source: the strength of a generated password is the number of equally likely outcomes it was chosen from, not its appearance.

Change of passwords

Even though mandated password change has been a long-standing recommendation, it is no longer considered best practice. The motivation behind changing passwords, say every three months, was to limit the time available for a hacker to compromise and abuse a password. However, frequent change of passwords has the undesired effect that many users choose weaker passwords that are easier to remember, or use a fixed approach when changing their password, including basing the password on the name or number of the current month, season, etc., which is easy for a hacker to guess.

If an organization has adopted security measures that reduce the risk of password compromise, it may, based on its risk assessment, choose not to require regular password changes. Such security measures should include:

- Awareness training of users in how to manage and choose secure passwords
- Policies supported by technical controls to ensure relevant password length (and possibly complexity)
- Controls which ensure that frequently used or already leaked passwords are not chosen
- Limitations on the number of possible login attempts, or throttling (see Tip #7)

In case of suspected or verified compromise of one or more passwords, a forced password change should always be initiated.


The Centre for Cyber Security recommends that

- the organization consider which technical solutions can support good password practices by its users
- a risk assessment be used to determine whether to enforce password changes at regular intervals.


Tip #4 - Awareness and training

It is key that the organization’s IT users understand the password policy and observe the rules regarding use and composition of passwords, regardless of strength. In addition, IT users must be aware of common hacker attack techniques. IT users must know what warning signs to look for and how to respond if they are contacted by, for example, individuals posing as IT colleagues who ask to test or reset a password, or if they receive unexpected or odd-looking emails.

It is up to the management to maintain focus on the organization’s security culture and the IT users’ behaviour and, by extension, to inform them of any new attack techniques. Awareness training is advised, including how to choose strong passwords and how to adopt sound general security practices, and follow-ups should be made to ensure that requirements and expectations are met.

The Centre for Cyber Security recommends that

- management plans and implements the necessary awareness training of personnel on the password policy of the organization.


Tip #5 - Changing all default passwords

IT equipment and software often come with default system accounts and passwords set by the manufacturer. Hackers are well aware of this, and default passwords must thus always be changed before the equipment and software are deployed.

Default passwords may act as an entry point for hackers to access an organization’s IT systems and thus its business-critical information. Default passwords and usernames are easy to look up online, and if they have not been changed, it will in many cases be very easy for hackers to gain access.

It is especially important to change the default passwords of critical components and equipment in the organization’s IT infrastructure, such as routers, printers, log servers and firewalls.

It is imperative to check regularly for default passwords on hardware and software, in order to ensure that all default passwords have been changed.

The Centre for Cyber Security recommends that

- default passwords be changed as a standard procedure when equipment and software are deployed.


Tip #6 - Focus on administrator, service and remote user accounts

Some accounts require more protection than others. If administrator, service and remote user accounts are compromised, there is a high risk of unauthorized access to critical information, making extra protection of these accounts a priority.

Administrator rights

Ordinary IT users generally have no need for extended rights to IT systems and infrastructure. IT user rights must always be granted based on actual needs.

The system administrator role often requires access to system-critical infrastructure to perform maintenance of internal IT systems, etc. Administrator accounts are thus prime targets for hackers, and the account holders must take special care to protect their login credentials. Access to administrative accounts should be secured through multifactor authentication, and if for some reason this is not possible, longer and more complex passwords should be chosen. Administrative accounts should only be used for tasks where extended rights are required, and not for day-to-day tasks where a non-privileged user account would be sufficient (such as email management, Internet access, etc.).

Administrative accounts should be personal, and the password known only to the administrator owning the account. When personnel with administrative rights leave the organization, their personal privileged accounts should be shut down immediately and the passwords on all service accounts known to the administrator changed. In some privileged account management platforms, this process can be automated or avoided entirely by using one-time passwords for administrative tasks.

Remote user access

In many cases, remote users will log on to an organization’s internal systems from less secure locations such as personal networks, hotel rooms and cafés. In such locations, organizational security controls cannot be applied, and passwords are more vulnerable to compromise.

The Centre for Cyber Security recommends that

- administrative accounts be used exclusively for activities that require administrative privileges
- administrative accounts be protected by multifactor authentication
- all remote users log on using multifactor authentication
- a formal process be followed when shutting down privileged access for departing administrators.


Tip #7 – Account lockout and login monitoring

Mitigating controls must be implemented to reduce the risk of hackers compromising IT systems containing business-critical information. Against dictionary and brute force attacks, the solutions below are worth considering:

Account lockout

Account lockouts may prevent hackers from using online attacks to break passwords and compromise internal systems. The user account is locked out once the user or hacker has exceeded the threshold of failed login attempts, preventing the hacker from performing dictionary or brute force attacks.

The organization should thus prepare an account lockout policy determining the allowable number of failed login attempts. A sudden high number of attempted logins may indicate malicious activity.

The policy should also determine the number of minutes that must pass after a failed login attempt before the failed-login counter is reset. This approach may help counter password spraying attacks, which are described in the "Hacker focus" section. It makes a significant difference whether the hacker can carry out the maximum number of failed attempts every half hour or only once a day before the account is locked out.

It is also relevant to ensure that the policy outlines how to unlock locked accounts. It is problematic if an IT user can simply call a service desk, request that their account be unlocked, and immediately be given a new, temporary password over the phone. In such cases, a hacker may pose as a user as a way of gaining access to the account. A potential solution to this particular problem could be for the user to be assigned a temporary disposable password via a colleague, or for the password to be reset through an existing multifactor authentication method.

If the organization uses security questions along the lines of "What is my father’s name?" for the IT user’s own unlocking of the account, there is a risk that hackers can figure out and answer such questions without much difficulty by using social engineering or open sources such as social media.

Delay of new login attempts

Another method is so-called "throttling" or "delay". Under this approach, the account is not blocked, but for each failed login attempt – or after a specified number of failed login attempts – a time delay is imposed before a new login attempt is allowed. This delay can be increased exponentially for each failed login attempt.
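The lockout threshold, counter-reset window and exponential delay described above, as an added Python sketch (not code from the guide; the thresholds are illustrative policy values and the user names are constructed). The helper at the end counts how many failed guesses a slow campaign gets before lockout under a half-hour reset window versus a one-day one, which is the comparison the text draws.

```python
"""Account lockout with a counter-reset window, plus exponential throttling.

Added example, not code from the guide; the thresholds below are illustrative
policy values and the clock is passed in so behaviour is reproducible."""
from dataclasses import dataclass, field


@dataclass
class AccountState:
    failures: int = 0          # failed attempts inside the current reset window
    last_failure: float = 0.0  # time (seconds) of the most recent failed attempt
    locked_until: float = 0.0  # lockout expiry; 0 means not locked
    retry_after: float = 0.0   # throttling: earliest time a new attempt may run


@dataclass
class LoginGuard:
    max_failures: int = 5                # failed attempts allowed before lockout
    reset_window: float = 30 * 60        # quiet seconds before the counter resets
    lockout_duration: float = 24 * 3600  # how long a locked account stays locked
    base_delay: float = 1.0              # first throttling delay, doubled per failure
    max_delay: float = 15 * 60           # cap on the throttling delay
    accounts: dict = field(default_factory=dict)

    def check(self, user, now):
        """Decide, before any credential is verified, whether an attempt may proceed."""
        s = self.accounts.setdefault(user, AccountState())
        if s.locked_until > now:
            return False, "locked"
        if s.retry_after > now:
            return False, "throttled"
        return True, "ok"

    def record(self, user, success, now):
        """Update the account after a credential check; returns the new state."""
        s = self.accounts.setdefault(user, AccountState())
        if success:
            self.accounts[user] = AccountState()  # a good login clears everything
            return "ok"
        if now - s.last_failure > self.reset_window:
            s.failures = 0                        # stale failures no longer count
        s.failures += 1
        s.last_failure = now
        if s.failures >= self.max_failures:
            s.locked_until = now + self.lockout_duration
            return "locked"
        # throttling: 1 s, 2 s, 4 s, ... capped at max_delay
        delay = min(self.base_delay * 2 ** (s.failures - 1), self.max_delay)
        s.retry_after = now + delay
        return "throttled"


def failures_until_lockout(guard, user, interval, limit):
    """Failed attempts, spaced `interval` seconds apart, that the policy admits
    before `user` is locked; None if `limit` attempts never trigger a lock."""
    now = 0.0
    for n in range(1, limit + 1):
        if guard.check(user, now)[0] and guard.record(user, False, now) == "locked":
            return n
        now += interval
    return None
```

With the defaults, guesses spaced 31 minutes apart never lock the account when the counter resets after 30 minutes, but lock it on the fifth attempt when the window is 24 hours.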


Login user notification

The first time a user logs in from an unknown device, a notification of the login is sent to the user, for instance by email or text message, increasing the likelihood of detecting account compromises and allowing prompt action to be taken.

Login monitoring

When investigating cyber security incidents, the Centre for Cyber Security often finds that the affected organizations have insufficient logging in place, making it difficult to analyse the cause and effect of the compromise. Logging – and compilation of logging data – from equipment and systems in the organization’s infrastructure is essential for the ability of authorities and companies to quickly detect cyber-attacks and subsequently identify their consequences.

The Centre for Cyber Security has prepared a guide, "Logning – en del af et godt cyberforsvar", containing recommendations on logging as part of an organization’s cyber security regime.

The Centre for Cyber Security recommends that

- account lockout or "throttling" be used, and that unlocking of locked accounts only takes place following a strict protocol
- login attempts be logged, and that the logs be monitored.


Tip #8 – Secure handling of passwords in systems

The organization must ensure confidentiality during the use, communication and storage of passwords.

Use of passwords

Login pages on systems should allow passwords to be pasted into the password box, facilitating the use of password managers. There should be no upper limit on password length and no restrictions on which letters or special characters may be used. It is also recommended that, when choosing their password, users receive a notification if the selected password is frequently used or known from previous leaks. To aid in this process, lists of frequently used or leaked passwords are readily available online. These lists can be downloaded or integrated into a login service through an API (Application Programming Interface). An example of such a service is https://haveibeenpwned.com
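One way to implement the leak check above against the haveibeenpwned.com Pwned Passwords data, as an added example rather than the guide’s or the service’s own code: only the first five characters of the password’s SHA-1 leave the client (the service’s range-lookup model), and the match against the returned suffixes is made locally. The leaked list and its counts are constructed, and the lookup is served from a local table so the example runs offline; a real deployment would replace local_range_lookup with an HTTP fetch of the range endpoint.

```python
"""Check a candidate password against a leaked-password corpus without sending
the password itself, using the k-anonymity range lookup offered by the
haveibeenpwned.com Pwned Passwords API.  Added example; the leaked list and
counts below are constructed and the lookup is served locally."""
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"  # real endpoint; not called here


def sha1_split(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1,
    which is the form the range API works with."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password, fetch_range):
    """How many times `password` appears in the corpus (0 = not found).
    Only the 5-char prefix is sent to `fetch_range`; matching happens here."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# --- constructed stand-in for the remote service ---------------------------
CONSTRUCTED_LEAKS = {"password": 3, "123456": 5, "qwerty": 2}  # counts are made up

_LOCAL_RANGES = {}
for _pw, _n in CONSTRUCTED_LEAKS.items():
    _p, _s = sha1_split(_pw)
    _LOCAL_RANGES.setdefault(_p, []).append(f"{_s}:{_n}")


def local_range_lookup(prefix):
    """Serve a range response from the constructed corpus in the API's line format."""
    return "\r\n".join(_LOCAL_RANGES.get(prefix.upper(), []))


def acceptable(password, fetch_range=local_range_lookup):
    """Policy hook for a registration form: reject any password seen in a leak."""
    return breach_count(password, fetch_range) == 0
```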

To the widest extent possible, organizations should employ multifactor authentication on their systems and consider supporting FIDO2 password-free authentication when developing new systems.

Communication of passwords

Password encryption is recommended whenever a password is entered or in other ways exchanged between devices/systems over a network.

Storage of passwords

Passwords should not be stored in plain text. If the password database is compromised, it is important that data is stored in a secure manner to prevent hackers from directly using the information.

Unlike encryption, conversion of passwords into hash values is a one-way mechanism, and it is impossible to extract a password from hash values without guessing. Hashing should be based on standard implementations of tried-and-tested hash functions designed especially for passwords.

As an extra layer of security, a unique so-called "salt" is added to each password prior to hashing, ensuring that the resulting stored value is unique, even if the passwords are identical, thus protecting against rainbow table attacks.

Password hash

In order to avoid direct storage of passwords, a hash function is often used. Hashing involves the conversion of a password to a hash value in the form of a fixed-length byte string. This makes it impossible to figure out the length or complexity of the password based on the hashed value, as the hashed value will always be of the same length. Even a small change to the password will completely change the hashed value.

Salt

Random value that is added to the password prior to hashing, ensuring that the resulting value is always unique.
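Salted hashing with a standard password-hashing implementation, as an added Python example (not the guide’s code): PBKDF2-HMAC-SHA256 from the standard library with a fresh 16-byte salt per password, a self-describing stored record, and a constant-time verify. The demonstrate() function checks the properties described above: unique salts make identical passwords store differently, a reused salt does not, and the output length is fixed whatever the password length; the sample password, record format and work factor are choices made here.

```python
"""Salted password hashing with a password-designed KDF (PBKDF2-HMAC-SHA256 from
the standard library), plus verification.  Added example, not the guide's code;
the record format and work factor are choices made here."""
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16        # a fresh random salt per password


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'alg$iterations$salt_hex$hash_hex'.
    `salt` is only overridable so demonstrate() can show why reusing a salt
    is a bad idea; callers should let it be generated."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    alg, iterations, salt_hex, hash_hex = record.split("$")
    if alg != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def stored_hash(record):
    """The hash part of a record only, for the comparisons below."""
    return record.rsplit("$", 1)[1]


def demonstrate(password="Tr0ub4dor&3"):   # constructed sample value
    """Properties the text describes, returned as a dict of booleans."""
    a, b = hash_password(password), hash_password(password)
    fixed_salt = b"\x00" * SALT_BYTES
    same_salt_a = hash_password(password, salt=fixed_salt)
    same_salt_b = hash_password(password, salt=fixed_salt)
    return {
        "verifies": verify_password(password, a),
        "rejects_wrong": not verify_password(password + "x", a),
        # unique salts: identical passwords yield different stored values
        "unique_salt_distinct": stored_hash(a) != stored_hash(b),
        # a reused salt gives identical values, so one precomputed table covers every account
        "shared_salt_identical": stored_hash(same_salt_a) == stored_hash(same_salt_b),
        # fixed-length output regardless of password length
        "fixed_length": len(stored_hash(hash_password("a")))
                        == len(stored_hash(hash_password("a" * 60))),
    }
```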

If a system supports password-free access via the FIDO2 standard, the need for secure storage of passwords is obviously reduced.

The Centre for Cyber Security recommends that

- user interfaces be devised to help users choose secure passwords
- user interfaces allow use of password managers
- all communication of passwords take place over encrypted connections
- only hashed values based on unique salts are stored. Hashing should be performed using standard implementations of tried-and-tested password-hashing functions.


Tip #9 - Organizational password policy

In a bid to thwart hacker attacks, passwords must often meet strict length and complexity requirements. However, it can be arduous to remember many complicated passwords, which makes it tempting to recycle passwords or to write them down in an easily accessible list.

Attempts to counter the hacker threat by setting up strict password requirements may lead to users employing poor password practices in order to comply. Helping the users by reducing the number of passwords through single sign-on, or managing passwords using an endorsed password manager, may have a better effect.

Senior management should customize the organization’s password policy to fit the desired security level and the security culture of the organization, and to address common user behaviour. Senior management is responsible for implementing the overall password policy and for ensuring that it is supported by relevant technical solutions. In preparing its password policy, the organization must focus on the differing security requirements for access control to different systems and services. For security reasons, password requirements may thus vary between the organization’s internal systems and its Internet- and client-facing systems.

Suggested general password policy principles include:

- Passwords are required where needed, based on security requirements.
- Password rules must not be unnecessarily complicated – ensure sufficient length, lower complexity.
- Passwords are not to be recycled across systems.
- Passwords are personal and must not be shared.
- Use multifactor authentication to increase security.
- User-friendliness – organizational culture and behaviour.
- Awareness, awareness, awareness.
- IT support of password managers to help the user manage multiple passwords.
- Requirements for secure handling of passwords through appropriate technical controls.


References

Password Guidance – Simplifying your Approach
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf

NIST SP 800-63 – Digital Identity Guidelines
https://pages.nist.gov/800-63-3/

(In Danish) Logning – en del af et godt cyberforsvar
https://fe-ddis.dk/cfcs/publikationer/Documents/Vejledninger_finalapril.pdf

(In Danish) Madum, John: Bogen om password. København: Books on Demand, 2016.


Appendix

Below are methods to construct strong passwords or passphrases. Please note that the examples should not be used as they are.

Password examples (min. 12 characters)

Method 1:
- Capital and country
- Remove the last letter of the country
- Type at least 2 characters or numerals between the words

Examples:
1. OsloMJ07Norwa
2. Vilnius05Lithuani
3. Apia1&&2Samo

Method 2:
- First letter of all words in a long sentence
- Specific letters could be replaced with numbers or special characters

Examples:
1. Idmrmbtwii-ros (I don’t mind riding my bike to work if it doesn’t rain or snow)
2. Wig4y,bd2moiin! (Water is good for you, but drinking too much of it is not!)

Method 3:
- Title of song and name of artist separated by special characters or numbers

Examples:
1. LovingYou#Elvis
2. 1stWeTakeManhattan&Cohen
3. AbbeyRoad1969TheBeatles
4. BadGuy!BillieEilish

Examples of passphrases (min. 20 characters)

Method 4:
- 5 things/concepts from a room in your house, your latest trip, the shopping basket, etc. – begin all words with capital letters

Examples:
1. PotsRecipeKnifeCupboardFood
2. CafeMuseumPoolSunshineHoliday
3. FruitYoghurtKiwiCakesCoffee

Some systems do not allow the use of national characters, in which case they may be replaced by other characters.