<h1>Rating Your Options for Password Policies and Access Management</h1>
<p>Published 2013-10-01 at <a href="https://www.webadminblog.com/index.php/2013/10/01/rating-your-options-for-password-policies-and-access-management/">webadminblog.com</a>.</p>
<p>Today I did an interesting experiment that I thought was worth sharing with others. I tried to come up with a ten-item list of password/access management policies based on increasing levels of security. On my list, a "10" effectively means the most secure access management and password policies, whereas a "0" effectively means nothing. Here is my list:</p>
<ol>
<li><strong>Open Authentication:</strong> Exactly like it sounds. No username or password required. If you can access the application, then you can get in.</li>
<li><strong>Non-Limited Credentialed Authentication:</strong> The use of a username or some form of non-open authentication, but perhaps a globally shared account or an extremely weak password like "password". (ex: "password")</li>
<li><strong>Weak Credentialed Authentication:</strong> The use of a unique username plus a basic password policy that simply limits the number of characters, but not the content. (ex: "google")</li>
<li><strong>Complex Credentialed Authentication:</strong> The use of a unique username plus a basic password policy that not only limits the number of characters, but also requires some level of complexity. This can be easily defeated using <a href="https://www.owasp.org/images/a/af/2011-Supercharged-Slides-Redman-OWASP-Feb.pdf" target="_blank">Supercharged Password Cracking Techniques</a>. (ex: "G@@gl3")</li>
<li><strong>Complex Non-Random Credentialed Authentication:</strong> The use of a unique username plus a password policy that limits the number of characters, requires complexity, and checks against permutations of dictionary words and commonly used passphrases, but still allows combinations of multiple dictionary words. (ex: "i@teAHors3")</li>
<li><strong>Complex Random Lengthy Credentialed Authentication:</strong> The use of a unique username plus a password policy where passwords are truly randomly generated and are of a sufficient length to effectively be unbreakable. Something in the neighborhood of 20+ characters is pretty decent. This is the point where passwords become so complicated that the average user cannot remember them on their own and is forced to record them somewhere. (ex: "Hh#8qcFhe9H$#324dnakfB3q4fUY@*")</li>
<li><strong>Non-Complex Two-Factor Authentication:</strong> The use of a unique username plus what is commonly referred to as "two-factor" authentication: "something you know", like a basic 6-digit PIN that is easy for you to remember, alongside "something you have" that is a unique and randomly seeded value. The key here is that the "something you have" part changes on a very frequent basis, such as every 60 seconds. (ex: "147246<span style="text-decoration: underline;">965201</span>")</li>
<li><strong>Complex Two-Factor Authentication:</strong> The use of a unique username plus two-factor authentication where the "something you know" is a password that is more complex than a simple numeric PIN and the "something you have" is unique, randomly seeded, and changing frequently as above. Perhaps the "something you have" is even something more than a simple numeric value here as well. (ex: "H8n@m7<span style="text-decoration: underline;">8an1vA</span>")</li>
<li><strong>Non-Complex Three-Factor Authentication:</strong> The use of a unique username, the "two-factor" authentication piece from number seven above, plus a third "something you are" component. This is a unique biometric value such as a palm scan, fingerprint scan, or retinal scan.</li>
<li><strong>Complex Three-Factor Authentication:</strong> The use of a unique username, the "two-factor" authentication piece from number eight above, plus a third "something you are" unique biometric value.</li>
</ol>
<p>I will admit that this list is dumbed down quite a bit, as there are other factors that most certainly can weigh in here as well. For example, having a maximum password age of one day instead of ninety days can significantly change the amount of time that an attacker has to brute force an account. Other influencing factors could be the remembered password history and the account lockout policy. For the most part, though, these can be a component of any of the above policies.</p>
<p>Worth noting here is that as security increases, the user experience is likely decreasing due to increased complexity. The exception may be as we move from number six to number seven on my list. The move to two-factor authentication should add enough constant change to our formula to allow us to have a simpler password while still making it more difficult to brute force the account. There is a trade-off in having to always carry a token retrieval device with you and having to handle the situation where a user is unable to access their token, but otherwise this becomes the real sweet spot where usability meets security.</p>
<p>What do you think? Is my list fairly accurate, or am I way off base here? Am I missing something important? Please feel free to comment and provide your own list and/or feedback for mine.</p>