Usernames and passwords is still the major method of authenticating users to the systems. It would be difficult to find someone without a user name and password in the workplace. In addition, personal usernames and passwords often come into picture when people access various websites and private emails. Proper use of the usernames and passwords are important to ensure accountability of the activities performed by the users. This post is to revisit the security best practices on the username and password policies and how it relates to the PCI DSS compliance requirements.

Standard for Usernames

It is important for an organization to have the usernames built in accordance with a pre-defined standard. This will help the business to quickly identify who is the owner of a particular user name and helps the organization to quickly resolve issues in case of a troubleshooting or identify the user in case of a malicious activity. It should be communicated with in the organization so that the privilege assignments would be easy for individual users.

Imagine a situation where an organization has around 10 John.s in a 100 employee company. If all they have usernames like John1, John2 etc. how difficult it would be for someone to share a folder and assign required privilege to the right John?

Consider the username password combination as a public and private key pair where the username is public to everyone and the password is private to the user. This helps everyone easily identify who did what without much hassles and enables a faster audit trial review.

Some of the common username formats include:

• First initial of the first name and complete last name
• Complete first name dot complete last name.
• Employee number with predefined prefixes

Password Policy

After the username standard is defined, the next key step is defining the password policy which defines the private or undisclosed part of the authentication mechanism. The use of password ensures the accountability of any actions performed by a user account and the owner of the user account is held responsible for the activities performed by the said user. Due to this reason, it is important for an organization to ensure to ensure that the passwords are strong and follows best practices. Some of the key components of a good password policy follows

Password Strength, occasionally part of the password standard

• Alphanumeric passwords, special characters if needed based on the risk posture
• Minimum 8 characters or more
• Not to write the passwords in a clear text form like in paper, sticky notes etc. or in text editors
• If stored electronically, use cryptographic controls to protect the same
• Password is a private information and thus it should be kept confidential.
• Password sharing not to be allowed
• Not easily guessable passwords like spouses name, kids name, birthdays etc.
• Not a word from common dictionary (think about dictionary attacks)
• The username should not be used as the password
• Use of uppercase and lowercase characters
• Change the password frequently, ideally within 60-90 days of the new password creation
• Change the password if it is known to anyone else

The above list is not an exhaustive list of password policy components. Many of these items to be considered only after assessing the security situation of your company. Passwords are not the single line of defence against identity attacks but a key step towards protecting one.s account.

PCI Compliance

Now let us look at the PCI compliance requirements related to Password policy. The Requirement 8 -  Assign a unique ID to each person with computer access is the key section where the username and password requirements are detailed. Two of the key controls are listed below from a number of items from requirement 8

• 8.1 – Assign all users a unique ID before allowing them to access system components or
  cardholder data.
• 8.5.8 . Do not use group, shared, or generic accounts and passwords.

The PCI DSS is drafted to include all the requirements related to password security so that the merchants and service provider will employ proper controls to restrict and identify the access to card holder environment. At first glance, the operations of creating unique user IDs may seem to be a time consuming task with few benefits when multiple employees may perform the exact same functions.

I often get questions from people asking why we can.t have just one user account or email account for a group of people? It is important from a PCI DSS or Card holder perspective that the users are identified when they access the cardholder data such is what has been accessed and when. The PCI Data Security Standard is taking proper measures with these requirements to ensure that Merchants protect themselves from the following concerns.

Without having a unique user id assigned to all users, merchants could face the following challenges:

• Unable to find who performed what on the systems or data
• The use of audit trials to identify who performed a change or deletion of information
• Implement the access controls based on the job functionalities or job roles

It is important from the organization perspective that individual usernames and passwords are assigned to every user of the system and thus ensuring accountability of the actions being performed by the employees. this will ensure that you don.t have to fight with the QSA during the audit, but more importantly, it will allow you to pin point who did what. Each organization will need to determine a Username and Password Policy based on specific business needs, risk mitigation process or regulatory requirements. What is most important is that a policy exists and the employees understand and follow it consistently.