# Password Policies
- A password policy is a set of rules designed to enhance computer security by encouraging users to create strong passwords and use them appropriately according to the organization's standards.
- Most common security standards with password policies/guidelines:
  - [NIST SP800-63B](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf)
  - [CIS Password Policy Guide](https://www.cisecurity.org/insights/white-papers/cis-password-policy-guide)
  - [PCI DSS](https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss)
- Sample password policy:
  - Minimum of 8 characters.
  - Include uppercase and lowercase letters.
  - Include at least one number.
  - Include at least one special character.
  - It should not be the username.
  - It should be changed every 60 days.
- When using AD for authentication, we can configure an [Active Directory Password Policy GPO](https://activedirectorypro.com/how-to-configure-a-domain-password-policy/) to enforce users' password compliance.
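The sample policy above, encoded as a checker that reports every rule a candidate password breaks rather than stopping at the first one. This is an added example, not code from the page or from any of the standards linked above; the rule names, the sample account data and the choice of ASCII punctuation as the "special character" set are assumptions.

```python
import string
from datetime import date

# Sample policy from the list above (assumed: "special" = ASCII punctuation)
MIN_LENGTH = 8
MAX_AGE_DAYS = 60
SPECIAL_CHARS = set(string.punctuation)


def check_password(password: str, username: str, last_changed: date, today: date) -> list[str]:
    """Return the identifiers of every policy rule the password violates.

    An empty list means the password is compliant with the sample policy.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("min_length")
    if not any(c.isupper() for c in password):
        violations.append("uppercase")
    if not any(c.islower() for c in password):
        violations.append("lowercase")
    if not any(c.isdigit() for c in password):
        violations.append("digit")
    if not any(c in SPECIAL_CHARS for c in password):
        violations.append("special")
    # Compared case-insensitively so "Alice" vs "alice" is still rejected
    if password.lower() == username.lower():
        violations.append("not_username")
    # Rotation rule: a password older than 60 days must be changed
    if (today - last_changed).days > MAX_AGE_DAYS:
        violations.append("max_age")
    return violations


if __name__ == "__main__":
    # Constructed sample accounts, not real credentials
    today = date(2025, 3, 15)
    for pw, user, changed in [
        ("Tr0ub4dor&3", "alice", date(2025, 2, 1)),
        ("alice", "alice", date(2025, 1, 1)),
    ]:
        result = check_password(pw, user, changed, today)
        print(f"{user}: {'compliant' if not result else 'violates ' + ', '.join(result)}")
```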
# Password Managers
- Password manager implementation varies by provider, but most operate using a master password to encrypt the password database.
- Encryption and authentication rely on cryptographic hash and key derivation functions to prevent unauthorized access to the encrypted database and its contents.
- Password managers can be cloud-based or local:
  - Example cloud providers: [Bitwarden](https://bitwarden.com/images/resources/security-white-paper-download.pdf), [1Password](https://1passwordstatic.com/files/security/1password-white-paper.pdf), and [LastPass](https://assets.cdngetgo.com/da/ce/d211c1074dea84e06cad6f2c8b8e/lastpass-technical-whitepaper.pdf)
  - Example local apps: KeePass, KWalletManager, Pleasant Password Server, Password Safe
## Password Authentication Alternatives
- By default, most operating systems and applications are built around password-based authentication. However, administrators can adopt third-party identity providers or applications to enhance identity protection. Some of the most common alternatives include:
  - [Multi-factor Authentication (MFA)](https://en.wikipedia.org/wiki/Multi-factor_authentication)
  - [FIDO2](https://fidoalliance.org/fido2/), an open authentication standard that enables passwordless logins using physical devices like [YubiKey](https://www.yubico.com/). For a broader list of devices, see [Microsoft's supported FIDO2 providers](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-key-providers).
  - [One-Time Passwords (OTP)](https://en.wikipedia.org/wiki/One-time_password)
  - [Time-Based One-Time Passwords (TOTP)](https://en.wikipedia.org/wiki/Time-based_one-time_password)
  - [IP restrictions](https://news.gandi.net/en/2019/05/using-ip-restriction-to-help-secure-your-account)
  - Device compliance enforcement via tools like [Microsoft Endpoint Manager](https://www.petervanderwoude.nl/post/tag/device-compliance/) or [Workspace ONE](https://www.loginconsultants.com/enabling-the-device-compliance-with-workspace-one-uem-authentication-policy-in-workspace-one-access)
## Passwordless Authentication
- [Passwordless](https://www.pingidentity.com/en/resources/blog/posts/2021/what-does-passwordless-really-mean.html) authentication is achieved when an authentication factor other than a password is used.
- A password is a knowledge factor, meaning it's something a user knows.
- The problem with relying on a knowledge factor alone is that it's vulnerable to theft, sharing, repeat use, misuse, and other risks.
- In contrast, passwordless authentication relies on a possession factor (something a user has) or an inherence factor (something a user is) to verify user identity with greater assurance.
- Passwordless authentication and different vendor strategies:
  - [Microsoft Passwordless](https://www.microsoft.com/en-us/security/business/identity-access-management/passwordless-authentication)
  - [Auth0 Passwordless](https://auth0.com/passwordless)
  - [Okta Passwordless](https://www.okta.com/passwordless-authentication/)
  - [PingIdentity](https://www.pingidentity.com/en/resources/blog/posts/2021/what-does-passwordless-really-mean.html)