Password security guide for IT users, developers, system administrators, and senior management.

Table of contents
Introduction
Overall recommendations
Hacker approaches
Password challenges
Tip #1 – What is a strong password?
Tip #2 – Multifactor authentication
Tip #3 – How to deal with password overload
Tip #4 – Awareness and training
Tip #5 – Changing all default passwords
Tip #6 – Focus on administrator, service and remote user accounts
Tip #7 – Account lockout and login monitoring
Tip #8 – Secure handling of passwords in systems
Tip #9 – Organizational password policy
References
Appendix

Kastellet 30, 2100 København Ø. Telephone: +45 3332 5580. E-mail: [email protected]

Based on Danish version: 1st edition, August 2016. Revised edition, February 2020. Front page illustration: LuisPortugal/Getty Images.


Introduction

Access to usernames and passwords is a coveted gateway for hackers into, in particular, public and private companies’ sensitive information. Passwords are often easy to obtain or crack, making them an extremely effective point of entry to gain access to information.

Passwords remain one of the best ways to protect sensitive and confidential information and prevent unauthorized access. Most password guides recommend the use of different passwords for different accounts, just as they advise the use of longer and more complex passwords to make it harder for hackers to break them.

Many IT users struggle to come up with new passwords that fulfil the password criteria in terms of uniqueness, length and complexity. As a result, storing passwords in places that allow them to be easily accessed may be a tempting option. However, not all storage techniques are safe, increasing the risk of passwords falling into the wrong hands. In other words, in an effort to improve security, the exact opposite may occur.

This guide describes some of the most popular hacking techniques and some of the risks of password use, providing a number of password security tips to suit the risk profiles and specific security needs of organizations.

This guide is directed at:

IT users and is intended to serve as inspiration for new ways to address password and password protection issues. Tips 1-3 provide examples of strong passwords.

The management level responsible for defining specific password policy best practices. For further information, please read Tips 1-4.

The IT operations/supplier level where it may be relevant to prepare procedures based on the organization’s specific needs rather than on general best practices. In many cases, the IT operations department will be the right partner to include in decisions on acquisitions of the proper technology to support the organization’s special needs in terms of composition, use and protection of passwords. For further information, please read Tips 5-8.

IT developers/system administrators responsible for ensuring that user interaction with passwords – as well as communication and storage of passwords – is performed in a way that protects their confidentiality and integrity. For further information, please read Tips 6-8.

Senior management responsible for maintaining focus on security within the organization, including defining the IT security framework. Senior management is responsible for securing the resources necessary to achieve the desired security level. For further information, please read Tips 4 and 9.

Overall recommendations

The following pages detail the issues concerning password selection and use, and provide recommendations on how to address them. The recommendations and principles listed below are general, not exhaustive, and in some cases additional or alternative measures may be required.

Choice of passwords:

• Choose a password that is appropriate for the asset the password protects.

• Remember that password length is more important than password complexity.

• Do not recycle passwords.

• Use a password manager to help remember the many unique passwords.

• Supplement the password with multifactor authentication where possible.

Password policies:

• Do not set fixed complexity requirements for passwords, but offer advice on how to choose safe passwords.

• Assess whether mandatory password changes improve or decrease the level of security.

• Use single sign-on to expedite user access to the organization’s systems.

• Implement multifactor authentication where possible, and as a minimum for all remote access solutions and privileged accounts.

• Block the use of frequently used or leaked passwords.

• Support best practices for safe handling of passwords through regular awareness activities.


Hacker approaches

Access to IT systems is often governed by usernames and passwords, making them valuable to hackers as tools of entry. Hackers target attacks by, for instance, exploiting their knowledge of users and their passwords. This knowledge may be transferred to a number of tools that help hackers to “guess” or read passwords, for instance through installation of a key logger that registers all keyboard activity. Described below are some of the techniques used by hackers to obtain or crack passwords.

Social engineering Social engineering is a widely popular technique used to gain access to passwords. In social engineering, the hacker tries to lure the password from the user, for instance by sending an email posing as someone whom the user knows and trusts. Typically, the hacker will send an email to the intended target, asking them to reply to the email, thereby disclosing information that the hacker can subsequently use to launch an attack.

Spear phishing Spear phishing is similar to regular phishing but differs in the sense that it is targeted towards a specific recipient and uses social engineering techniques. Spear phishing attempts are often directed at specific individuals, and the emails are typically customized to appear particularly relevant, convincing and credible to the recipient by using the person’s name, information related specifically to the recipient, or relevant files harvested by the hacker in a previous reconnaissance phase.

Another technique involves sending an email that looks trustworthy, but which contains an embedded link to a false website or an attached file containing malicious code (malware). If the recipient clicks on the link or opens the attached file, malicious code may be installed or activated on their computer, allowing the hacker access to the username or password, or to internal IT systems containing sensitive business information.

Password reuse Many users often recycle passwords – at work as well as at home. Password reuse carries a high risk that the hacker may gain access to more than one system when a password is leaked or otherwise compromised.

It is particularly critical when the same password is indiscriminately used for access to systems with low security as well as to systems with high security demands.

Dictionary, rainbow table and brute force In a so-called dictionary attack, the hacker deploys a list of potential, often commonly used, passwords. The attack is an attempt to guess passwords by systematically trying combinations and variations of common words.

Using a list containing a wide number of different words increases the likelihood of finding the right password. However, from the hacker’s perspective, the problem with this technique is that many IT systems have features that block multiple password attempts.

A rainbow table is a password cracking tool that can be used to find out what plaintext password produces a particular hash. The technique is similar to the dictionary and brute force attack techniques but differs in the sense that the attack is performed by looking into pre-computed rainbow tables and a number of hash calculations. This technique reduces the amount of data in the rainbow table as opposed to a simple lookup table with one entry per hash. The reason they are called rainbow tables is that each column uses a different reduction function.

If a hacker knows the hash value of a password[1], it can be used to facilitate brute force attacks (further information on hashing of passwords can be found in Tip #8 in the appendix). In a brute force attack, the hacker tries different combinations of characters, making this type of attack far more time-consuming than a dictionary attack. But while an attack based on a dictionary does not necessarily reveal passwords that are not featured on the list, a brute force attack will eventually come up with the correct password. Long passwords will increase the amount of time needed by attackers – even attackers with access to significant computational power – to brute force the password.

Password spray attacks A hacker may attack a system by entering popular passwords across all accounts of a particular system. In a large organization with hundreds of users, chances are high that the hacker will eventually guess one or more passwords. This technique is called password spraying. As organizations often have an account lockout policy, the hacker is careful to only try a few commonly used passwords against many accounts to avoid account lockouts.

Default passwords If default passwords, i.e. the passwords that are assigned to hardware and software by the manufacturer, are used for Internet-connected devices, this will allow hackers easy access to an organization’s networks and systems. If hackers know which specific hardware and software is used in an organization, they can go online to find the supplier’s default logins, which they can then use to gain access to the organization’s networks and systems.

[1] The hash value of a password may have been intercepted on the network or found in the cache on systems the user has logged onto.

Password challenges

New passwords typically require a minimum number of characters, and a mix of lower- and uppercase letters, numeric digits and special characters. In addition, the password must be changed at regular intervals. Users may thus be hard pushed to come up with new passwords, making it tempting to store passwords in insecure ways, or to reuse passwords. Though such practice works against the intent of an organization’s password policies, it is nevertheless common among users – a fact that has not escaped the attention of hackers.

Common password practice When creating new passwords, many IT users will choose to cut corners and pick the easiest possible password that fulfils the security requirements. For example:

• If the minimum password length is set to 8 characters, users will often not choose a password that exceeds 8 characters.

• If the password must contain upper-case letters, a commonly seen pattern is to make the first character of the password an uppercase letter.

• If the password must contain numbers, users will often put the numbers at the end of the password. Digits between 0 and 99 or digits representing a year also feature quite frequently. Using numbers that look like letters is also common practice, for instance ”e” becomes ”3”, and ”o” becomes ”0”, etc.

• If special characters are a requirement, it is often fulfilled by using only one special character. Some characters seem more popular than others; ”@” and ”!” are among the most popular.

• If the password must be changed at regular intervals, many users choose cyclical words such as the names of seasons, quarters, months, etc.

• Some words or numbers are very popular and feature in many passwords. ”123456” is among the most commonly used passwords, as are the word ”password” and letters typed in succession on the keyboard such as ”qwerty”.

• The password is the same as the username or part of it.

• The password contains names of family members, friends, pets, etc.

• In connection with periodic password expiry, a new password is chosen that is almost identical to the old one.

Password strength Even though an organization has multiple password requirements, leading to the assumption that the passwords are strong, they may still fall short. If the requirement for a secure password is twelve characters and a mix of upper- and lowercase letters, numeric digits and special characters, a compliant password may look as follows:

Password2019!

Commonly used passwords Like in the example above, in which the password is not considered secure despite meeting the formal security requirements, many users inadvertently choose non-unique passwords, making it easier for a hacker to guess them. Lists of the most common passwords are readily available online and may be used against a single username or against numerous usernames in a password spraying attack.

(Figure: The most commonly used passwords in the English-speaking part of the world.)

Use of leaked passwords When usernames and passwords are leaked online, for example from a compromised website, they are often quickly added to the hackers’ arsenal and included on a list of passwords worth trying. The https://haveibeenpwned.com website allows users to check whether their accounts, or other accounts from their domain, have been compromised in a data breach.
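The checks described in this section (predictable patterns, commonly used passwords, leaked passwords) can be enforced at the moment a user chooses a new password. The Go program below is an added example written for this page; it is not code from the Centre for Cyber Security or from haveibeenpwned.com. It flags the patterns listed above, compares the password against a small constructed list of common passwords, and shows the k-anonymity lookup style used by the Pwned Passwords range API, in which only the first five characters of the SHA-1 hash leave the client. The server side here is a constructed stand-in fed from a constructed breach corpus; all function names, word lists and sample passwords are the example's own.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed stand-in for a list of commonly used passwords; a real check
// would load a large published list instead.
var commonPasswords = []string{"123456", "password", "qwerty", "welcome", "letmein"}

// Cyclical words users fall back on when forced to change a password.
// "may" is left out because it occurs inside too many ordinary words.
var cyclicWords = []string{"spring", "summer", "autumn", "winter", "january", "february",
	"march", "april", "june", "july", "august", "september", "october", "november", "december",
	"q1", "q2", "q3", "q4"}

// leet undoes the digit-for-letter swaps the guide lists (3 -> e, 0 -> o, ...).
var leet = strings.NewReplacer("3", "e", "0", "o", "1", "i", "@", "a", "$", "s", "5", "s", "4", "a")

// Capital first letter, lowercase body, then digits and at most one special character.
var predictableShape = regexp.MustCompile(`^[A-Z][a-z]+[0-9]*[^A-Za-z0-9]?$`)
var trailingYear = regexp.MustCompile(`(19|20)[0-9]{2}[^A-Za-z0-9]?$`)

// Findings lists the policy problems found in pw; an empty result means it passed.
func Findings(pw, username string, minLen int) []string {
	var out []string
	if len(pw) < minLen {
		out = append(out, fmt.Sprintf("shorter than %d characters", minLen))
	}
	lower := strings.ToLower(pw)
	if username != "" && strings.Contains(lower, strings.ToLower(username)) {
		out = append(out, "contains the username")
	}
	if predictableShape.MatchString(pw) {
		out = append(out, "predictable shape: capital first, digits/special last")
	}
	if trailingYear.MatchString(pw) {
		out = append(out, "ends with a year")
	}
	// Strip trailing digits/specials and undo leet swaps: "P@ssw0rd2019!" becomes "password".
	core := leet.Replace(strings.TrimRight(lower, "0123456789!@#$%^&*.-_?"))
	for _, w := range commonPasswords {
		if strings.Contains(core, w) {
			out = append(out, "based on a commonly used password: "+w)
			break
		}
	}
	for _, w := range cyclicWords {
		if strings.Contains(core, w) || strings.Contains(lower, w) {
			out = append(out, "contains a season, month or quarter: "+w)
			break
		}
	}
	return out
}

// sha1Hex returns the upper-case hex SHA-1 of pw, the form the range API works with.
func sha1Hex(pw string) string {
	sum := sha1.Sum([]byte(pw))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// RangeResponse plays the server: for the 5-character prefix the client sent, it
// returns "SUFFIX:COUNT" lines for every corpus entry whose hash shares that
// prefix. Constructed stand-in for the real service, fed from a constructed corpus.
func RangeResponse(corpus map[string]int, prefix string) []string {
	var lines []string
	for pw, count := range corpus {
		if h := sha1Hex(pw); strings.HasPrefix(h, prefix) {
			lines = append(lines, h[5:]+":"+strconv.Itoa(count))
		}
	}
	return lines
}

// LeakCount is the client: only the prefix leaves the machine, and the remaining
// 35 hex characters are compared locally. 0 means the password was not found.
func LeakCount(pw string, query func(prefix string) []string) int {
	h := sha1Hex(pw)
	for _, line := range query(h[:5]) {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) == 2 && parts[0] == h[5:] {
			n, _ := strconv.Atoi(parts[1])
			return n
		}
	}
	return 0
}

func main() {
	corpus := map[string]int{"Password2019!": 7, "123456": 23000000} // constructed breach corpus
	query := func(prefix string) []string { return RangeResponse(corpus, prefix) }
	for _, pw := range []string{"Password2019!", "Idmrmbtwii-ros"} {
		fmt.Println(pw, Findings(pw, "", 12), "seen in breaches:", LeakCount(pw, query))
	}
}
```

Run against the guide's own examples, "Password2019!" collects three findings (predictable shape, trailing year, built on "password") and is found in the constructed corpus, while "Idmrmbtwii-ros" passes cleanly. Because the server only ever sees a hash prefix shared by hundreds of other passwords, the lookup does not disclose which password the user is about to choose.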


Tip #1 – What is a strong password?

It is difficult to provide specific advice on which passwords are suitable for every situation or suited to mitigate every security threat. It is thus important that a risk assessment is used as the basis for finding a mix of protective measures that offer a suitable balance between security and practicability based on the asset the password protects.

If single sign-on is used to grant access to multiple systems, the security requirements should be based on the most critical of the systems. Internet-facing systems are often more vulnerable than internal systems.

Even though password complexity – a combination of lower- and uppercase letters, numeric digits and special characters – reduces the risk of a successful brute force attack, the length of a password is an even more important security feature. As the requirement for complexity may result in predictable passwords, stricter requirements for password length should be considered instead, along with other security measures. For further information, please read Tip #7 on security measures to reduce the risk of brute force attacks.

Multifactor authentication is one of the most effective supplementary security measures. For further information on multifactor authentication, please read Tip #2.

Alternatively, if allowed by the organization’s authentication platform, avoiding passwords altogether may be a solution. For further information, please read the section on ”Password-free access”.

Keep in mind that no system is 100 per cent secure, regardless of how many security measures are implemented.

Passwords and passphrases There is a plethora of advice on how to create passwords. Irrespective of the method chosen, it is essential that the password is not shared with others. It is also important to choose a medium-length password, ideally a 12-character minimum, if multifactor authentication is not in place:

Password examples: Use the first letter of every word in a sentence:

Idmrmbtwii-ros = I don’t mind riding my bike to work if it doesn’t rain or snow (Here the word “doesn’t” has been replaced by the sign ”-”)

Another method could be to choose a song title and combine it with the name of the artist and signs/numbers: AbbeyRoad1969TheBeatles

Another approach could be to construct a passphrase that consists of random words that are easy to remember and that add some length to the password. If the user chooses a combination of common words, it is important to increase the length to a minimum of 20 characters.

Passphrase examples: A combination of words inspired by a room at home:

PotsRecipeKnifeCupboardFood

A combination of words inspired by latest travel:

CafeMuseumPoolSunshineHoliday

The examples of passwords and passphrases mentioned here should naturally be avoided as they are publicly available in this guide.

If a password manager is used (see Tip #3), rendering it unnecessary for a user to remember all their unique passwords, it may still be advisable to use very complex and long passwords. Such passwords can often be generated by the password manager.

Password-free access Efforts have been made in international forums to find an alternative to passwords as this would eliminate the problem of passwords being difficult to remember, easy to guess, frequently recycled, and found in data leaks.

The passing of the FIDO2[2] standard has facilitated easy and secure access to websites and operating systems by using a public/private security key instead of passwords. Authentication based on FIDO2 not only solves many of the problems connected with the conventional use of passwords, it is also easy for the user to manage.

Password-free access to, for instance, an online service requires registration of the account and generation of a unique public/private security key pair. First, the user must choose an authenticator that is acceptable to the service provider such as a mobile phone or a USB hardware key. The user opens the chosen authenticator by using fingerprints, a hardware key or a PIN code, after which a unique key pair is generated. This key pair is tied to the authenticator, the user’s account and the provider. The public key is sent to the provider and stored for later user validation.

When the user accesses the services of the provider and enters their username, the provider sends a large and arbitrary number – a so-called ”nonce” – to the user’s device. All the user has to do then is to unlock the authenticator, just like they did during the registration phase, for example by using fingerprints. The device then locates the relevant key, signs the number with the private key, and sends the result back to the provider. The provider validates the signed number by using the public key stored for the user, confirming that the user has access to their private key. If the validation is successful, the user is granted access to the services.

[2] For more information on FIDO2, please visit: https://fidoalliance.org/fido2/

During the FIDO2-based authentication process, no passwords are sent over the Internet, just as no passwords or other sensitive information are stored at the provider of the services accessed. The numerous risks associated with the classic use of passwords are thus avoided, while it remains easy for the user to access the service.
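The registration and login exchange described above, as an added example that is not from the guide or from the FIDO Alliance: a toy relying party ("provider") and authenticator in Go, using ECDSA signatures from the standard library in place of the real protocol's attestation, signature counters and CBOR encoding. The type and function names, the user name and the provider identifier "example.test" are the example's own. Three properties of the exchange are visible in the code: the provider stores only public keys, the nonce is bound to the provider's identifier before signing so that an answer is only valid for that provider, and a signature over one nonce does not verify for another.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device (phone or USB key). It holds one key
// pair per (provider, account) and never hands out the private key.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // keyed by providerID + "|" + user
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register generates a fresh key pair tied to this provider and account
// (the registration phase) and returns only the public half.
func (a *Authenticator) Register(providerID, user string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[providerID+"|"+user] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge. It fails if the device holds no key for this
// provider/account, which is what happens at a site with a different identifier.
func (a *Authenticator) Sign(providerID, user string, nonce []byte) ([]byte, error) {
	priv, ok := a.keys[providerID+"|"+user]
	if !ok {
		return nil, fmt.Errorf("no credential for %s at %s", user, providerID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, challengeDigest(providerID, nonce))
}

// challengeDigest binds the nonce to the provider's identifier.
func challengeDigest(providerID string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(providerID))
	h.Write(nonce)
	return h.Sum(nil)
}

// Provider models the service. It stores public keys only, so nothing in this
// table can be used to log in if it is stolen.
type Provider struct {
	ID   string
	keys map[string]*ecdsa.PublicKey
}

func NewProvider(id string) *Provider {
	return &Provider{ID: id, keys: map[string]*ecdsa.PublicKey{}}
}

// Enroll stores the public key received during registration.
func (p *Provider) Enroll(user string, pub *ecdsa.PublicKey) { p.keys[user] = pub }

// NewNonce is the "large and arbitrary number" sent at each login.
func (p *Provider) NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// Verify checks the signed nonce against the public key stored for the user.
func (p *Provider) Verify(user string, nonce, sig []byte) bool {
	pub, ok := p.keys[user]
	return ok && ecdsa.VerifyASN1(pub, challengeDigest(p.ID, nonce), sig)
}

// Login runs the full exchange: nonce out, signature back, verification.
func Login(p *Provider, auth *Authenticator, user string) (bool, error) {
	nonce, err := p.NewNonce()
	if err != nil {
		return false, err
	}
	sig, err := auth.Sign(p.ID, user, nonce)
	if err != nil {
		return false, err
	}
	return p.Verify(user, nonce, sig), nil
}

func main() {
	auth := NewAuthenticator()
	rp := NewProvider("example.test") // constructed provider identifier
	pub, err := auth.Register(rp.ID, "alice")
	if err != nil {
		panic(err)
	}
	rp.Enroll("alice", pub)
	ok, err := Login(rp, auth, "alice")
	fmt.Println("access granted:", ok, "error:", err)
}
```

In a real deployment the browser, not the service, supplies the provider identifier from the page's origin, which is what prevents a look-alike site from obtaining a usable signature; here that binding is simplified to a string passed into Sign.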

Tip #2 – Multifactor authentication

Today, numerous systems offer multifactor authentication, which is one of the most effective security measures to increase login security in connection with access to sensitive information in IT systems. If multifactor authentication is applied, the demand for password strength may be reduced – both in terms of length and complexity.

Multifactor authentication Multifactor authentication is an authentication method in which a user is granted access after entering their username along with two or three of the following authentication factors:

• Something the user knows (PIN or password),

• Something the user has (ID card, key card or USB keys) or

• Personal features of the user (facial recognition or fingerprints), also known as biometric characteristics.

Most often, two-factor authentication is used, in which something the user knows is combined with something the user either has or is.

Multifactor authentication is already widely used, often in connection with remote access or online banking services. As multifactor authentication offers very strong login security, it is advised to introduce it wherever possible, and as a minimum on systems that require a high level of security. If, for instance, an account can be used to reset forgotten passwords to other accounts, it should be protected by multifactor authentication.

There are several different multifactor authentication methods, including single-use codes sent by SMS, mobile applications generating single-use codes or asking for confirmation during login attempts, biometric measures such as fingerprints or facial recognition, and special USB keys – which can also be used for password-free access. Multifactor authentication based on codes sent via SMS is considered less secure than other methods, but any multifactor authentication method is better than relying exclusively on passwords.

The method best suited for the individual organization or purpose depends on factors such as security requirements and administration and technology resources.

The Centre for Cyber Security recommends that

• Multifactor authentication is used wherever possible

• Multifactor authentication is always used when accounts provide access to critical systems or functions

• Multifactor authentication is always used in connection with remote access to internal systems.


Tip #3 – How to deal with password overload

To relieve users of having to manage too many and overly complex passwords, it is important to pinpoint the areas where passwords are required and to decide on their length and complexity. It would be relevant to consider keeping systems or services that do not require high levels of security password free, or at least setting low password security requirements in terms of length and/or complexity.

Single sign-on Single sign-on helps reduce the burden on IT users. Single sign-on is standard practice in most organizations, affording simultaneous access to multiple IT systems with a single logon. However, if the password is compromised, hackers may gain access to all the user’s systems, making security a key priority also when using single sign-on systems.

The security and privacy concerns of logging in to a website or service using Microsoft, Google, Facebook, or other 3rd party accounts are not covered by this guide.

Password managers A physical book containing passwords that is kept in a secure location is hard to compromise for a hacker, but less practical in day-to-day use. Alternatively, a password manager can be used to remember passwords. The advantage of password managers is that they allow users to use unique, long and complex passwords for all online accounts without having to remember every single password. Password managers are locked by a single master password that is required to access the stored passwords. The master password obviously has to be very strong, as hacker access to the master password would facilitate access to all the stored passwords.

Types of password managers:

• Browser-built-in password managers

• Browser-integrated password managers

• Independent password managers

Password manager A password manager is a software application used to store a user’s collection of unique and strong passwords in a secure way. Access to stored passwords is protected by a master password.

Browser-built-in password managers are used in the most popular browsers to store passwords to visited websites, and they enable password synchronization across devices via the manufacturer’s associated cloud services. While this solution is easy to use, it most often only supports passwords for websites, offering only limited functionality and encryption options. Even though the stored passwords are encrypted, they are only as safe as the level of security on the device from which they are accessed. This solution is not suitable for critical passwords.

Browser-integrated password managers are installed as plug-ins in the most popular browsers. Their functionality is somewhat extended compared to the browser-built-in password managers, and they can often help generate secure passwords; they can assist in online searches to determine whether the password has previously been leaked online; and they can be used to check whether passwords are frequently used and thus not recommended. Passwords are stored in encrypted form at the service provider and are synchronized across devices through their cloud service.

Independent password managers are generally not integrated with the browser and thus have a reduced attack surface. Website logins require activation of the password manager by pressing a hotkey or by using the copy/paste function. Independent password managers often have the same or superior functionality as the browser-integrated password managers, and the user can freely choose where to store their encrypted password database. While some password managers have built-in support for the larger cloud file sharing services, an alternative option is to store the database locally or with another cloud service provider.

If the encrypted password database is stored by the service provider of the password manager or at an alternative cloud service provider, synchronization is easy across computers and mobile devices, enabling on-the-spot access to passwords. Still, it is important not to rely exclusively on a single copy of the database stored at a single provider, as this will prove problematic if the service shuts down, experiences a critical outage, or suffers an irreparable loss of data. The ability to back up or export passwords is an important consideration when choosing a password manager.

Given the sensitive nature of the information stored, well-established and tested password manager solutions should be considered to reduce the risk of compromise. Also, updating the chosen password manager solution regularly is important to apply security fixes which remedy any identified password manager vulnerabilities.

Regardless of the platform, it is important that the master password, used for unlocking access to the encrypted passwords, is very strong. It is advisable to supplement the master password with another factor such as a USB key and/or biometric access control.

Organizations with integrated single sign-on systems and few passwords usually have no need for password managers. Still, due to their function, some departments within an organization may have a special need for storage of multiple passwords such as departments dealing with IT operations or communications. Larger organizations that need to manage many privileged accounts may benefit from using a specialised system for secure delegation of password access, systematic change of passwords for critical service accounts, and with strong auditing capabilities.

The few passwords that are necessary for re-establishment of access after major critical operational incidents should be stored in physical form in a secure location so that access to the passwords does not depend on all systems being operational.


The Centre for Cyber Security recommends that

• password managers be used when storage of multiple unique passwords is required

• the choice of solution be based on the assets protected by the passwords, and on the organization’s risk assessment.

Machine-generated passwords Machine-generated passwords can help improve security, as these randomly generated passwords are less predictable than user-generated passwords and difficult to break, though their complexity may make it harder for the user to remember them. If a password manager is not used, the system should give users a choice of passwords, allowing them to select the one they find most memorable. Machine-generated passwords may consist of four randomly chosen words, or the user can choose from a pool of different passwords, whichever is easier to remember. If a password manager is used, machine-generated passwords may be long and complex as the user need not remember them by heart.
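An added example of the generator described above, written for this page and not taken from the guide or from any password manager: it produces word-based passphrases for users who must remember the result, long random passwords for storage in a password manager, and a small pool of candidates to choose from. The word list is constructed and deliberately tiny; the SearchSpaceBits function makes the consequence visible, since four words drawn from twelve give only about 14 bits of unpredictability, which is why a real generator needs a list of several thousand words. All names in the code are the example's own.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Constructed word list; far too small for real use (see SearchSpaceBits).
var wordList = []string{"pots", "recipe", "knife", "cupboard", "food", "cafe",
	"museum", "pool", "sunshine", "holiday", "bike", "snow"}

// 72 characters: letters, digits and a few specials that are easy to type.
const passwordAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-=?@"

// pick returns a uniformly random index below n from the OS entropy source.
// crypto/rand with big.Int avoids both the predictability of math/rand and the
// modulo bias of reducing a random byte with %.
func pick(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// Passphrase joins n random words, each capitalised, e.g. "PotsRecipeKnifeCupboard".
func Passphrase(n int) (string, error) {
	var b strings.Builder
	for i := 0; i < n; i++ {
		idx, err := pick(len(wordList))
		if err != nil {
			return "", err
		}
		w := wordList[idx]
		b.WriteString(strings.ToUpper(w[:1]) + w[1:])
	}
	return b.String(), nil
}

// RandomPassword builds a long, complex password meant to live in a password manager.
func RandomPassword(length int) (string, error) {
	out := make([]byte, length)
	for i := range out {
		idx, err := pick(len(passwordAlphabet))
		if err != nil {
			return "", err
		}
		out[i] = passwordAlphabet[idx]
	}
	return string(out), nil
}

// Candidates offers k passphrases so the user can pick the most memorable one.
func Candidates(k, words int) ([]string, error) {
	out := make([]string, 0, k)
	for i := 0; i < k; i++ {
		p, err := Passphrase(words)
		if err != nil {
			return nil, err
		}
		out = append(out, p)
	}
	return out, nil
}

// SearchSpaceBits is log2 of the number of equally likely outputs the generator
// can produce, i.e. what an attacker must search regardless of how the result
// looks: 4 words from 12 give about 14 bits, 20 characters from 72 about 123.
func SearchSpaceBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

func main() {
	cs, _ := Candidates(3, 4)
	pw, _ := RandomPassword(20)
	fmt.Println(cs, pw)
	fmt.Printf("passphrase bits: %.1f, random password bits: %.1f\n",
		SearchSpaceBits(len(wordList), 4), SearchSpaceBits(len(passwordAlphabet), 20))
}
```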

Change of passwords Even though mandated password change has been a long-standing recommendation, it is no longer considered best practice. The motivation behind changing passwords, say, every three months was to limit the time available for a hacker to compromise and abuse a password. However, frequent password changes have the undesired effect that many users choose weaker passwords that are easier to remember, or use a fixed approach when changing their password, such as basing the password on the name or number of the current month, season, etc., which is easy for a hacker to guess.

If an organization has adopted security measures that reduce the risk of password compromise, it may, based on its risk assessment, choose not to require regular password changes. Such security measures should include:

• Awareness training of users in how to manage and choose secure passwords

• Policies supported by technical controls to ensure relevant password length (and possibly complexity)

• Controls which ensure that frequently used or already leaked passwords are not chosen

• Limitations as to the number of possible login attempts or throttling (see Tip #7)

In case of suspected or verified compromise of one or more passwords, forced password change should always be initiated.


The Centre for Cyber Security recommends that

• the organization consider which technical solutions can support good password practices by its users

• a risk assessment be used to determine whether to enforce password changes at regular intervals.


Tip #4 - Awareness and training

It is key that the organization’s IT users understand the password policy and observe the rules regarding use and composition of passwords regardless of strength. In addition, IT users must be aware of common hacker attack techniques. IT users must know what warning signs to look for and how to respond if they are contacted by, for example, individuals posing as IT colleagues who ask to test or reset a password, or if they receive unexpected or odd-looking emails.

It is up to the management to maintain focus on the organization’s security culture and the IT users’ behaviour and, by extension, to inform of any new attack techniques. Awareness training is advised, including how to choose strong passwords and how to adopt sound general security practices, just as follow-ups should be made to ensure that requirements and expectations are met.

The Centre for Cyber Security recommends that

• management plans and implements the necessary awareness training of personnel on the password policy of the organization.

Tip #5 - Changing all default passwords

IT equipment and software often comes with default system accounts and passwords set by the manufacturer. Hackers are well aware of this, and default passwords must thus always be changed before the equipment and software is deployed.

Default passwords may act as an entry point for hackers to access an organization’s IT systems and thus its business-critical information. Default passwords and usernames are easy to look up online, and if they have not been changed, it will in many cases be very easy for hackers to gain access.

It is especially important to change the default passwords to critical components and equipment in the organization’s IT infrastructure such as passwords to routers, printers, log servers and firewalls.

It is imperative to check regularly for default passwords on hardware and software, in order to ensure that all default passwords have been changed.

The Centre for Cyber Security recommends that

• default passwords be changed as a standard procedure when equipment and software is deployed.


Tip #6 - Focus on administrator, service and remote user accounts

Some accounts require more protection than others. If administrator, service and remote user accounts are compromised, there is a high risk of unauthorized access to critical information, making extra protection of these accounts a priority.

Administrator rights Ordinary IT users generally have no need for extended rights to IT systems and infrastructure. IT user rights must always be granted based on actual needs.

The system administrator role often requires access to system critical infrastructure to perform maintenance of internal IT systems, etc. Administrator accounts are thus prime targets for hackers, and the account holders must take special care to protect their login credentials. Access to administrative accounts should be secured through multifactor authentication, and if for some reason this is not possible, longer and more complex passwords should be chosen. Administrative accounts should only be used for tasks where extended rights are required, and not for the handling of day-to-day tasks where a non-privileged user account would be sufficient (such as email management, Internet access, etc.).

Administrative accounts should be personal, and the password only known to the administrator owning the account. In the event of personnel with administrative rights leaving the organization, their personal privileged accounts should be shut down immediately and passwords on all service accounts known to the administrator changed. In some privileged account management platforms, this process can be automated or avoided entirely by using one-time passwords for administrative tasks.

Remote user access

In many cases, remote users will log on to an organization’s internal systems from less secure locations such as personal networks, hotel rooms and cafés. In such locations, organizational security controls cannot be applied, and passwords are more vulnerable to compromise.

The Centre for Cyber Security recommends that

• administrative accounts be used exclusively for activities that require administrative privileges

• administrative accounts be protected by multifactor authentication

• all remote users log on using multifactor authentication

• a formal process be followed when shutting down privileged access for departing administrators.

Tip #7 – Account lockout and login monitoring

Mitigating controls must be implemented to reduce the risk of hackers compromising IT systems containing business-critical information. In connection with dictionary and brute force attacks, the below solutions are worth considering:

Account lockout

Account lockouts may prevent hackers from using online attacks to break passwords and compromise internal systems. The user account is locked out once the user or hacker has exceeded the threshold of failed login attempts, preventing the hacker from performing dictionary or brute force attacks.

The organization should thus prepare an account lockout policy determining the allowable number of failed login attempts. A sudden high number of attempted logins may indicate malicious activity.

The policy should also determine the number of minutes that must pass after a failed login attempt, before the failed logon attempt counter is reset. This approach may help avoid password spraying attacks, which are described in the “Hacker focus” section. The difference is significant between whether the hacker is allowed to carry out the maximum number of failed attempts every half hour or only once a day before the account is locked out.

It is also relevant to ensure that the policy outlines how to unlock locked accounts. It is problematic if an IT user can simply call a service desk and request that their account be unlocked and immediately be given a new, temporary password over the phone. In such cases, a hacker may pose as a user as a way of gaining access to the account. A potential solution to this particular problem could be for the user to be assigned a temporary disposable password via a colleague or for the password to be reset through an existing multifactor authentication method.

If the organization uses security questions along the lines of “What is my father’s name?” for the IT user’s own unlocking of the account, there is a risk that hackers can figure out and answer such questions without much difficulty by using social engineering or open sources such as social media.

Delay of new login attempts

Another method is so-called “throttling” or “delay”. Under this approach, the account is not blocked, but for each failed login attempt – or after a specified number of failed login attempts – a time delay is established before a new login attempt is allowed. This delay can be increased exponentially for each failed login attempt.
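The lockout and throttling policy described above, as an added example that is not from the guide: a per-account failure counter that resets only after the full window (so the allowance cannot be spent again every half hour), an exponential delay between attempts, and a lockout once the threshold is reached. The parameter values are constructed; an organization sets its own in its policy.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    # Constructed example values; an organization sets these in its own policy.
    max_failures: int = 5            # failed attempts allowed before the account locks
    reset_window_s: int = 24 * 3600  # failure counter resets only after a full day
    lockout_s: int = 30 * 60         # how long a locked account stays locked
    base_delay_s: float = 1.0        # throttling: delay after first failure, doubling each time

@dataclass
class AccountState:
    failures: int = 0
    first_failure_at: float = 0.0
    last_failure_at: float = 0.0
    locked_until: float = 0.0

class LoginGuard:
    """Tracks failed logins per account; enforces exponential throttling and lockout."""
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts = {}  # user -> AccountState

    def check(self, user: str, now: float) -> tuple:
        """Return (allowed, seconds_to_wait) for a login attempt by `user` at time `now`."""
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return False, st.locked_until - now
        # The counter resets only when the full window has passed since the first
        # failure, so an attacker cannot spend the whole allowance again every half hour.
        if st.failures and now - st.first_failure_at >= self.policy.reset_window_s:
            st.failures = 0
        if st.failures:
            delay = self.policy.base_delay_s * 2 ** (st.failures - 1)  # 1 s, 2 s, 4 s, ...
            wait = st.last_failure_at + delay - now
            if wait > 0:
                return False, wait
        return True, 0.0

    def record_failure(self, user: str, now: float) -> None:
        st = self.accounts.setdefault(user, AccountState())
        if st.failures == 0:
            st.first_failure_at = now
        st.failures += 1
        st.last_failure_at = now
        if st.failures >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_s

    def record_success(self, user: str) -> None:
        self.accounts.pop(user, None)  # a successful login clears the failure history
```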


Login user notification

The first time a user logs in from an unknown device, a notification of the login will be sent to the user, for instance through mail or text message, increasing the likelihood of detecting account compromises and allowing for prompt action to be taken.

Login monitoring

When investigating cyber security incidents, the Centre for Cyber Security often finds that the affected organizations have insufficient logging in place, making it difficult to analyse the cause and effect of the compromise. Logging – and compilation of logging data – from equipment and systems in the organization’s infrastructure is essential for the ability of authorities and companies to quickly detect cyber-attacks and subsequently identify their consequences.

The Centre for Cyber Security has prepared a guide, “Logning – en del af et godt cyberforsvar”, containing recommendations on logging as part of an organization’s cyber security regime.

The Centre for Cyber Security recommends that

• account lockout or “throttling” be used, and that unlocking of locked accounts only takes place following a strict protocol

• login attempts be logged, and that the logs be monitored.

Tip #8 – Secure handling of passwords in systems

The organization must ensure that the confidentiality of passwords is preserved during their use, communication and storage.

Use of passwords

Login pages on systems should allow passwords to be pasted into the password box, facilitating the use of password managers. There should be no rules limiting the length of passwords or the letters and special characters allowed. It is also recommended that users receive a notification when the password they are choosing is frequently used or known from previous leaks. To aid in this process, lists of frequently used or leaked passwords are readily available online; these lists can be downloaded or integrated into a login service through an API (Application Programming Interface). An example of such a service is https://haveibeenpwned.com.
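An added example, not part of the guide, of the leaked-password check described above: the client sends only the first five hex characters of the candidate password’s SHA-1 hash and compares the returned suffixes locally, which is how the Pwned Passwords range API (https://api.pwnedpasswords.com/range/{prefix}) works. The leaked-password corpus and the range server here are constructed stand-ins so the code runs offline.

```python
import hashlib
from typing import Callable

# Constructed stand-in for a leaked-password corpus: password -> times seen in leaks.
LEAKED_PASSWORDS = {"Password1234": 120000, "qwerty": 4000000, "Summer2019!": 321, "letmein": 55000}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fake_range_server(prefix: str) -> str:
    """Constructed stand-in for GET https://api.pwnedpasswords.com/range/{prefix}: returns
    every known hash suffix sharing the 5-character prefix, one 'SUFFIX:COUNT' per line."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    lines = []
    for pw, count in LEAKED_PASSWORDS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 leave the client;
    the remaining 35 are compared locally against the returned suffixes."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0

def password_feedback(password: str, fetch_range: Callable[[str], str] = fake_range_server,
                      min_len: int = 12) -> str:
    """Feedback at password-selection time: a minimum length but no maximum and no
    character restrictions, plus a warning when the password is known from leaks."""
    if len(password) < min_len:
        return f"too short: at least {min_len} characters required"
    hits = breach_count(password, fetch_range)
    if hits:
        return f"rejected: this password appears {hits} times in known leaks"
    return "ok"
```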

To the widest extent possible, organizations should employ multifactor authentication on their systems and consider supporting FIDO2 password-free authentication when developing new systems.

Communication of passwords

Password encryption is recommended whenever a password is entered or in other ways exchanged between devices/systems over a network.

Storage of passwords

Passwords should not be stored in plain text. If the password database is compromised, it is important that data is stored in a secure manner to prevent hackers from directly using the information.

Unlike encryption, conversion of passwords into hash values is a one-way mechanism, and it is impossible to extract a password from hash values without guessing. Hashing should be based on standard implementations of tried-and-tested hash functions designed especially for passwords.

As an extra layer of security, a unique so-called “salt” is added to each password prior to hashing, ensuring that the resulting stored value is unique, even if the passwords are identical, thus protecting against rainbow table attacks.

Password hash: In order to avoid direct storage of passwords, a hash function is often used. Hashing involves the conversion of a password to a hash value in the form of a fixed-length byte string. This makes it impossible to figure out the length or complexity of the password based on the hashed value, as the hashed value will always be of the same length. Even a small change to the password will completely change the hashed value.

Salt: Random value that is added to the password prior to hashing, ensuring that the resulting value is always unique.
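An added example (not the guide’s own code) of the storage recommendations above, using PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for a tried-and-tested password-hashing function: a random per-user salt, a self-describing stored record, constant-time verification, and an unsalted hash shown only to illustrate why identical passwords must not produce identical stored values. The iteration count is an illustrative value.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 from the standard library stands in here for a tried-and-tested
# password-hashing function; the iteration count is an illustrative, constructed value.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16

def unsalted_hash(password: str) -> str:
    """What NOT to do: identical passwords give identical hashes, so one precomputed
    (rainbow) table of common passwords reveals every account using them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random salt and return a self-describing record
    'pbkdf2_sha256$iterations$salt_hex$hash_hex', so parameters can be raised later."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${derived.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters; the plaintext is never
    stored. The comparison is constant-time so timing does not leak matching bytes."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived.hex(), hash_hex)
```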

If a system supports password-free access via the FIDO2 standard, the need for secure storage of passwords is obviously reduced.

The Centre for Cyber Security recommends that

• user interfaces be devised to help users choose secure passwords

• user interfaces allow use of password managers

• all communication of passwords take place over encrypted connections

• only hashed values based on unique salts are stored. Hashing should be performed using standard implementations of tried-and-tested password-hashing functions.

Tip #9 - Organizational password policy

In a bid to thwart hacker attacks, passwords must often meet strict length and complexity requirements. However, it can be arduous to remember many complicated passwords, which makes it tempting to recycle passwords or to write them down in an easily accessible list.

Attempts to counter the hacker threat by setting up strict password requirements may lead to users employing poor password practices in order to comply. Helping the users by reducing the number of passwords through single sign-on, or managing passwords using an endorsed password manager, may have a better effect.

Senior management should customize the organization’s password policy to fit the desired security level and the security culture of the organization, and to address common user behaviour. The senior management is responsible for implementing the overall password policy and for ensuring that it is supported by relevant technical solutions. In preparing its password policy, the organization must focus on the differing security requirements in terms of access control to different systems and services. For security reasons, password requirements may thus vary between the organization’s internal systems and its Internet- and client-facing systems.

Suggested general password policy principles include:

• Passwords are required where needed, based on security requirements.

• Password rules must not be unnecessarily complicated – ensure sufficient length, lower complexity.

• Passwords are not to be recycled across systems.

• Passwords are personal and must not be shared.

• Use multifactor authentication to increase security.

• User-friendliness – organizational culture and behaviour.

• Awareness, awareness, awareness.

• IT support of password managers to help the user manage multiple passwords.

• Requirements for secure handling of passwords through appropriate technical controls.


References

Password Guidance – Simplifying your Approach. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf

NIST SP 800-63 – Digital Identity Guidelines. https://pages.nist.gov/800-63-3/

(In Danish) Logning – en del af et godt cyberforsvar. https://fe-ddis.dk/cfcs/publikationer/Documents/Vejledninger_finalapril.pdf

(In Danish) Madum, John: Bogen om password. København: Books on Demand, 2016.

Appendix

Below are methods to construct strong passwords or passphrases. Please note that the examples should not be used as they are.

Password examples (min. 12 characters)

Method 1:
• Capital and country
• Remove the last letter of the country
• Type at least 2 characters or numerals between the words

Examples:
1. OsloMJ07Norwa
2. Vilnius05Lithuani
3. Apia1&&2Samo

Method 2:
• First letter of all words in a long sentence
• Specific letters could be replaced with numbers or special characters

Examples:
1. Idmrmbtwii-ros (I don’t mind riding my bike to work if it doesn’t rain or snow)
2. Wig4y,bd2moiin! (Water is good for you, but drinking too much of it is not!)

Method 3:
• Title of song and name of artist separated by special characters or numbers

Examples:
1. LovingYou#Elvis
2. 1stWeTakeManhattan&Cohen
3. AbbeyRoad1969TheBeatles
4. BadGuy!BillieEilish

Examples of passphrases (min. 20 characters)

Method 4:
• 5 things/concepts from a room in your house, your latest trip, the shopping basket, etc. – begin all words with capital letters

Examples:
1. PotsRecipeKnifeCupboardFood
2. CafeMuseumPoolSunshineHoliday
3. FruitYoghurtKiwiCakesCoffee

Some systems do not allow the use of national characters, in which case they may be replaced by other characters.
