Usernames and passwords are still the main method of authenticating users to systems. It would be difficult to find someone in the workplace without a username and password, and personal usernames and passwords come into the picture whenever people access websites and private email. Proper use of usernames and passwords is important to ensure accountability for the activities users perform. This post revisits the security best practices for username and password policies and how they relate to the PCI DSS compliance requirements.
Standard for Usernames
It is important for an organization to build usernames according to a pre-defined standard. This helps the business quickly identify the owner of a particular username, which speeds up troubleshooting and lets the organization identify the person behind a malicious activity. The standard should be communicated within the organization so that assigning privileges to individual users is easy.
Imagine an organization with around 10 Johns among 100 employees. If all of them have usernames like John1, John2 and so on, how difficult would it be for someone sharing a folder to assign the required privilege to the right John?
Consider the username and password combination as a public and private key pair, where the username is public to everyone and the password is private to the user. This helps everyone easily identify who did what without much hassle and enables a faster audit trail review. (The analogy only goes so far: unlike a private key, the password must also be known, at least in hashed form, to the system that verifies it.)
Some of the common username formats include:
- First initial of the first name and complete last name
- Complete first name, dot, complete last name
- Employee number with a predefined prefix
Password Policy
After the username standard is defined, the next key step is defining the password policy, which governs the private or undisclosed part of the authentication mechanism. The password ensures accountability for any actions performed by a user account, and the owner of the account is held responsible for the activities performed by it. For this reason it is important for an organization to ensure that passwords are strong and follow best practices. Some of the key components of a good password policy follow.
Password strength, occasionally part of the password standard
- Alphanumeric passwords, with special characters if needed based on the risk posture
- Minimum of 8 characters, or more
- Do not write passwords down in clear text, e.g. on paper, sticky notes or in text editors
- If stored electronically, use cryptographic controls to protect them
- A password is private information and should be kept confidential
- Password sharing is not to be allowed
- No easily guessable passwords such as a spouse's name, kids' names, birthdays, etc.
- Not a word from a common dictionary (think about dictionary attacks)
- The username should not be used as the password
- Use both uppercase and lowercase characters
- Change the password frequently, ideally within 60-90 days of its creation (PCI DSS requirement 8.5.9 requires user passwords to be changed at least every 90 days)
- Change the password immediately if it becomes known to anyone else
The above list is not exhaustive. Many of these items should be adopted only after assessing the security situation of your company. Passwords are not the single line of defence against identity attacks, but they are a key step towards protecting one's account.
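As an added example (not code from the original post), the checks in the list above expressed as a small Python policy validator, plus a salted PBKDF2 hash for the "cryptographic controls" item. The minimum length comes from the list; the small word list, the choice of PBKDF2-HMAC-SHA256 and the iteration count are this example's assumptions, and the personal-terms check relies on the caller supplying the names and dates that should be blocked for a given user.

```python
import hashlib
import hmac
import os
import re
from typing import Iterable, List, Optional

# Minimum length stated in the policy list above.
MIN_LENGTH = 8

# Constructed stand-in for a real dictionary / common-password list (assumption:
# a real deployment would load a full word list such as /usr/share/dict/words).
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "qwerty", "football"}


def check_password(password: str, username: str,
                   personal_terms: Iterable[str] = (),
                   require_special: bool = False) -> List[str]:
    """Return the policy rules a candidate password violates (empty list = accepted).

    personal_terms: easily guessable terms for this user (spouse's or kids' names,
    birthdays) supplied by the caller, which the policy says must not appear.
    require_special: the policy makes special characters conditional on risk posture.
    """
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must contain both letters and digits")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("must mix uppercase and lowercase letters")
    if require_special and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("must contain a special character")
    # Slightly stricter than the text: reject passwords that merely contain the username.
    if username and username.lower() in lowered:
        problems.append("must not equal or contain the username")
    # Strip digits and symbols first so that "Password1" is still caught as a dictionary word.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if letters_only in COMMON_WORDS or lowered in COMMON_WORDS:
        problems.append("based on a common dictionary word")
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains easily guessable personal term {term!r}")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> str:
    """Protect a stored password with a salted, iterated PBKDF2-HMAC-SHA256 hash.

    PBKDF2 is this example's choice of cryptographic control; the post does not
    name one. Only this string is stored, never the password itself.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed candidates for user "jsmith", whose spouse is named Alice.
    for candidate in ["jsmith", "Password1", "Alice1985x", "Tr0ub4dor-Lx"]:
        print(f"{candidate!r}: {check_password(candidate, 'jsmith', ['Alice']) or 'OK'}")
    record = hash_password("Tr0ub4dor-Lx")
    print(record)
    print(verify_password("Tr0ub4dor-Lx", record), verify_password("wrong", record))
```

The validator returns every violated rule rather than stopping at the first, which is what a user-facing policy check should do; the hash functions keep the salt and iteration count inside the stored record so they can be raised later without touching the verifier.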
PCI Compliance
Now let us look at the PCI DSS requirements related to password policy. Requirement 8, "Assign a unique ID to each person with computer access", is the section where the username and password requirements are detailed. Two of the key controls from requirement 8 are listed below:
- 8.1 – Assign all users a unique ID before allowing them to access system components or cardholder data.
- 8.5.8 – Do not use group, shared, or generic accounts and passwords.
The PCI DSS is drafted to include all the requirements related to password security so that merchants and service providers employ proper controls to restrict and identify access to the cardholder data environment. At first glance, creating unique user IDs may seem a time-consuming task with few benefits when multiple employees perform exactly the same functions.
I often get questions asking why we can't have just one user account or email account for a group of people. From a PCI DSS or cardholder data perspective it is important that users are identified when they access cardholder data: who accessed what, and when. The PCI Data Security Standard takes proper measures with these requirements to ensure that merchants protect themselves from the following concerns.
Without a unique user ID assigned to every user, merchants face the following challenges:
- Unable to find out who performed what on the systems or data
- Unable to use audit trails to identify who changed or deleted information
- Unable to implement access controls based on job functions or job roles
From the organization's perspective it is important that individual usernames and passwords are assigned to every user of the system, ensuring accountability for the actions employees perform. This will save you from fighting with the QSA during the audit, but more importantly it will allow you to pinpoint who did what. Each organization will need to determine its username and password policy based on its specific business needs, risk mitigation process and regulatory requirements. What matters most is that a policy exists and that employees understand and follow it consistently.
Hi.
I have no idea who reads these, I'm assuming a soulless robot or maybe a hybrid of machine and perhaps the damned soul of a life insurance actuary. So, regardless of what or who is reading this: Stop. Stop pretending that computers are hacked all day and all night at piddling companies all over earth. Stop peddling this nonsense that we need to type passwords like #4ght*GoLm4$, then not be expected to write that garbled nonsense down, then of course change it in 30 days. I hate it. I hate having to extract some core component of my memory and dedicate it to some alphanumerical coded nonsense string once every 30 days – mind you, different ones for at least 5 platforms – all in the name of "safety". I hate it. Stop promoting it.
Instead create a risk guideline, one in which you could use your influence to suggest that certain fields, occupations and management levels should in fact not be required to have such obtuse – often never utilized – defense systems.
In closing, the greatest limes in Roman history was the Limes Tripolitanus, the border of about a three-foot wall on the southern border of the Sahara. Why? No one wanted to cross the Sahara because there wasn't anything worth crossing it for. So take it from the Romans – you don't need high walls for every border!
@Marshall: Good points, but unfortunately we will have to stick to passwords from memory. I do not recommend remembering the passwords; instead, write them down securely. Use a complex password, hard to guess and brute-force, and then store it in a secure file using a good password manager like keepass.
The challenge today is that if it is networked, your organization's core systems can be reached. Attackers use many techniques to get to the core so that they can take some money out of you. Until that time security is an obstacle, but from the moment of an incident, lack of security comes into the picture. So let's figure out a way to use hard-to-guess passwords in an easy way using password managers. Using a password manager helps you store passwords securely, and you will only have to remember a single master password.
I definitely like your thoughts on the risk guideline. Thanks for visiting the blog 🙂