Passwords #

Advice #

Best practices
- Show password to prevent typos, password managers, store secrets with salts and secure hashing methods, locking after multiple attempts and MFA
Guideliness - NIST 800-63
- Reduce password complexity requirements and instead emphasize length.
- Not require special characters
- Allow ASCII and Unicode
- Allow pasting into passwords fields (for password managers)
- Monitor new passwords to ensure that easily compromised ones are not used
- Eleminate Password Hints
Recomendations
- Length is the best defense against brute force
- Complexity - prevent repeated characters and common words
- Reuse limitations
- Expiration dates to force renewal
- Age limitations - Sometimes people keep resetting till the “reuse” limitation is circumvented.
Password Managers
- Good stuff
- Lastpass Breach Recommendation
Passwordless
- Instead depending on what you know primarily, it focuses on what you have (security tokens, certificates,…)
- An option: hardware security key (like UbiKey)
  - Protocols: FIDO, Universal 2nd Factor (U2F), ..
  - FIDO: Open Authentication Standard supporting W3C Web Authentication and Client to Authenticator Protocol (CTAP)
- Goal is to remove friction

This can include using lists with generic commonly used passwords or tailored to the target
Many passwords attempts for a single user

Few passwords attempts but for many users
Example: On a sports fan website, most likely one user, uses the teams name or player as password

Uses a distinct list of words
Popular Tool: John The Ripper and Tutorials
Envirment
Online: Run and test passwords against life system with risk getting blocked/caught
Offline: You have the hashes or offline copy and you can in all peace go at it.
- For example a precomputed list of hashes (Rainbow table attack)
  - Hash salts and peper is used to counter rainbow table attack