The State of Password Security 2022 Report
A report and assessment of security advice from U.S. Federal Agencies.
Recent years have brought an intense focus on cybersecurity across the United States Federal Government with many agencies leading the way in educating government organizations and businesses large and small, as well as consumers.
However, when it comes to password security, not every agency is singing the same tune. One of the foremost groups, the National Institute of Standards and Technology (NIST), offers excellent advice but its recommendations have not yet been universally accepted.
Technology moves fast. For business and individuals, so much of our lives are now online in a myriad of accounts that range from fun entertainment sites to serious financial business like our bank accounts.
The goal of this assessment is to engage and educate everyone who uses passwords on the best practices coming from the federal government and where there is room for improvement. There are many within the federal government who have a solid educational approach to password security, and there are others that might need a bit of assistance to modernize.
Fortunately, consensus is building on best practices for password security. This report consolidates and assesses the details.
Recommends use of a password manager
Calls out importance of strong passwords
Cites need for 2FA/MFA to further support password security
Overall security advice is up-to-date and adheres to NIST guidelines
Lays out password security recommendations in a clear, digestible, and easy-to-find manner
Authenticator Management | Password Managers
Employ [Assignment: Organization-defined password managers] to generate and manage passwords; and
Protect the passwords using [assignment: organization-defined controls].
For systems where static passwords are employed, it is often a challenge to ensure that the passwords are suitably complex and that the same passwords are not employed on multiple systems. A password manager is a solution to this problem as it automatically generates and stores strong and different passwords for various accounts. A potential risk of using password managers is that adversaries can target the collection of passwords generated by the password manager. Therefore, the collection of passwords requires protection including encrypting the passwords and storing the collection offline in a token.
Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.
Memorized secret verifiers SHALL NOT permit the subscriber to store a “hint” that is accessible to an unauthenticated claimant. Verifiers SHALL NOT prompt subscribers to use specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets.
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
Passwords obtained from previous breach corpuses.
Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
Context-specific words, such as the name of the service, the username, and derivatives thereof.
If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret, SHALL provide the reason for rejection, and SHALL require the subscriber to choose a different value.
Verifiers SHOULD offer guidance to the subscriber, such as a password-strength meter [Meters], to assist the user in choosing a strong memorized secret. This is particularly important following the rejection of a memorized secret on the above list as it discourages trivial modification of listed (and likely very weak) memorized secrets [Blacklists].
Verifiers SHALL implement a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on the subscriber’s account as described in Section 5.2.2.
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.
Verifiers SHALL store memorized secrets in a form that is resistant to offline attacks. Memorized secrets SHALL be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. Their purpose is to make each password guessing trial by an attacker who has obtained a password hash file expensive and therefore the cost of a guessing attack high or prohibitive. Examples of suitable key derivation functions include Password-based Key Derivation Function 2 (PBKDF2) [SP 800-132] and Balloon [BALLOON]. A memory-hard function SHOULD be used because it increases the cost of an attack. The key derivation function SHALL use an approved one-way function such as Keyed Hash Message Authentication Code (HMAC) [FIPS 198-1], any approved hash function in SP 800-107, Secure Hash Algorithm 3 (SHA-3) [FIPS 202], CMAC [SP 800-38B] or Keccak Message Authentication Code (KMAC), Customizable SHAKE (cSHAKE), or ParallelHash [SP 800-185]. The chosen output length of the key derivation function SHOULD be the same as the length of the underlying one-way function output.
The salt SHALL be at least 32 bits in length and be chosen arbitrarily so as to minimize salt value collisions among stored hashes. Both the salt value and the resulting hash SHALL be stored for each subscriber using a memorized secret authenticator.
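The verifier rules quoted above (minimum length of 8, a blocklist check that hands back a reason, no composition rules, salted PBKDF2 storage with the salt kept per subscriber, and a failed-attempt limit) as an added Python example written for this report, not NIST's code. The breach corpus, the service name examplebank, the PBKDF2 cost and the lockout constants are constructed assumptions.

```python
import hashlib, hmac, os, time
from typing import Optional, Tuple

MIN_LEN = 8             # SHALL require at least 8 characters
MAX_LEN = 256           # SHOULD permit at least 64; cap only bounds hashing cost
SALT_BYTES = 16         # 128-bit salt; SP 800-63B requires at least 32 bits
ITERATIONS = 100_000    # PBKDF2 cost factor (assumed; raise for production)
MAX_FAILURES = 10       # failed attempts before the account is rate limited
LOCKOUT_SECONDS = 900   # how long the rate limit holds (assumed)

# Constructed stand-ins: a real verifier loads a large breach corpus.
BREACH_CORPUS = {"password", "123456", "qwerty", "letmein", "welcome1"}
SERVICE_NAME = "examplebank"
# Common substitutions, so "Ex4mpleB4nk" still counts as a derivative.
UNLEET = str.maketrans("4301$@5!7", "aeoisasit")


def _has_run(s: str, step: int, n: int = 4) -> bool:
    """True if n consecutive characters differ by `step` code points:
    step 0 catches 'aaaa', +1 catches 'abcd'/'1234', -1 catches 'dcba'."""
    run = 1
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if ord(cur) - ord(prev) == step else 1
        if run >= n:
            return True
    return False


def check_secret(secret: str, username: str) -> Optional[str]:
    """Return None if the secret is acceptable, else the reason the
    verifier SHALL report back to the subscriber."""
    if len(secret) < MIN_LEN:
        return f"must be at least {MIN_LEN} characters"
    if len(secret) > MAX_LEN:
        return f"must be at most {MAX_LEN} characters"
    low = secret.lower()
    if low in BREACH_CORPUS:
        return "appears in a list of breached passwords"
    if any(_has_run(secret, step) for step in (0, 1, -1)):
        return "contains repetitive or sequential characters"
    for word in (SERVICE_NAME, username.lower()):
        if word and (word in low or word in low.translate(UNLEET)):
            return "is derived from the service name or username"
    return None  # no composition rules: no character-class demands


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA-256; output length matches SHA-256 (32 bytes)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=32)
    return salt, digest


class Account:
    """Stores salt and hash per subscriber; enforces the failure limit."""

    def __init__(self, username: str, secret: str) -> None:
        reason = check_secret(secret, username)
        if reason:
            raise ValueError(f"secret {reason}; please choose a different value")
        self.salt, self.digest = hash_secret(secret)
        self.failures = 0
        self.locked_until = 0.0

    def authenticate(self, secret: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        if now < self.locked_until:
            return False  # rate limited: do not evaluate the guess at all
        _, candidate = hash_secret(secret, self.salt)
        if hmac.compare_digest(candidate, self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures, self.locked_until = 0, now + LOCKOUT_SECONDS
        return False
```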
The classic paradigm for authentication systems identifies three factors as the cornerstones of authentication:
Something you know (e.g., a password).
Something you have (e.g., an ID badge or a cryptographic key).
Something you are (e.g., a fingerprint or other biometric data).
MFA refers to the use of more than one of the above factors. The strength of authentication systems is largely determined by the number of factors incorporated by the system — the more factors employed, the more robust the authentication system. For the purposes of these guidelines, using two factors is adequate to meet the highest security requirements.
MFA will generally protect against some common methods of gaining unauthorized account access, such as guessing weak passwords or reusing passwords obtained from a data breach.
Agencies are encouraged to pursue greater use of passwordless multi-factor authentication as they modernize their authentication systems. However, when passwords are in use, they are a “factor” in multi-factor authentication. If outdated password requirements lead agency staff to reuse passwords from their personal life, store passwords insecurely, or otherwise use weak passwords, adversaries will find it much easier to obtain unauthorized account access—even within a system that uses MFA.
Consistent with the practices outlined in SP 800-63B, agencies must remove password policies that require special characters and regular password rotation from all systems within one year of the issuance of this memorandum. These requirements have long been known to lead to weaker passwords in real-world use and should not be employed by the Federal Government. These policies should be removed by agencies as soon as is practical and should not be contingent on adopting other protections.
Change Passwords and Mandate Multi-Factor Authentication (MFA). Ask your IT staff how long it has been since employees changed their passwords. Many criminals use stolen credentials, so forcing a reset (with adequate length and complexity) before the holidays can deny malicious actors access to your systems. At the same time, confirm that your organization has implemented MFA and that it is required without exception. If you have MFA available, but are not requiring it, change that – require all staff to use the security technology that you have already acquired. MFA significantly reduces your risk from almost all opportunistic attempts to gain entry into key systems.
Amazon announced it will make available to the public at no charge the security awareness training it offers its employees. Amazon also announced it will make available to all Amazon Web Services account holders at no additional cost, a multi-factor authentication device to protect against cybersecurity threats like phishing and password theft.
Implement the five best practices from the President’s Executive Order: President Biden’s Improving the Nation’s Cybersecurity Executive Order is being implemented with speed and urgency across the Federal Government. We’re leading by example because these five best practices are high impact: multi-factor authentication (because passwords alone are routinely compromised), endpoint detection & response (to hunt for malicious activity on a network and block it), encryption (so if data is stolen, it is unusable) and a skilled, empowered security team (to patch rapidly, and share and incorporate threat information in your defenses). These practices will significantly reduce the risk of a successful cyberattack.
Identify IT security employees for weekends and holidays who would be available to surge during these times in the event of an incident or ransomware attack.
Implement multi-factor authentication for remote access and administrative accounts.
Mandate strong passwords and ensure they are not reused across multiple accounts.
If you use remote desktop protocol (RDP) or any other potentially risky service, ensure it is secure and monitored.
Remind employees not to click on suspicious links, and conduct exercises to raise awareness.
Increase organizational vigilance by ensuring there are no gaps in Information Technology (IT)/Operational Technology (OT) security personnel coverage and that staff provides continual monitoring for all types of anomalous behavior. Security coverage is particularly important during the winter holiday season when organizations typically have lower staffing.
Prepare your organization for rapid response by adopting a state of heightened awareness. Create, update, or review your cyber incident response procedures and ensure your personnel are familiar with the key steps they need to take during and following an incident. Have staff check reporting processes and exercise continuity of operations plans to test your ability to operate key functions in an IT-constrained or otherwise degraded environment. Consider your organization’s cross-sector dependencies and the impact that a potential incident at your organization may have on other sectors, as well as how an incident at those sectors could affect your organization.
Ensure your network defenders implement cybersecurity best practices. Enforce multi-factor authentication and strong passwords, install software updates (prioritizing known exploited vulnerabilities), and secure accounts and credentials.
Stay informed about current cybersecurity threats and malicious techniques. Encourage your IT/OT security staff to subscribe to CISA’s mailing list and feeds to receive notifications when CISA releases information about a security topic or threat.
Lower the threshold for threat and information sharing. Immediately report cybersecurity incidents and anomalous activity to CISA and/or the FBI.
The rise in the number of compromises of network infrastructures in recent years is a reminder that authentication to network devices is an important consideration. Network devices could be compromised due to:
Poor password choice (vulnerable to brute force password spraying)
Router configuration files (which contain hashed passwords) sent via unencrypted email, or
Reused passwords (where passwords recovered from a compromised device can then be used to compromise other devices).
Using passwords by themselves increases the risk of device exploitation. While NSA strongly recommends multi-factor authentication for administrators managing critical devices, sometimes passwords alone must be used. Choosing good password storage algorithms can make exploitation much more difficult.
To provide as much protection as possible, use strong passwords to prevent them from being cracked and converted to plaintext. Comply with a password policy that:
Consists of a combination of lowercase and uppercase letters, symbols, and numbers;
Is at least 15 alphanumeric characters; and
Does not follow a pattern that is:
A keyboard walk
The same as a user name
The default password
The same as a password used anywhere else
Related to the network, organization, location, or other function identifiers
Straight from a dictionary, common acronyms, or easy to guess
Implementing password security for Cisco network devices will greatly decrease the chances of any network being compromised. If one is mindful of the hash and encryption algorithms that are available within Cisco devices, more secure configurations can be set to prevent password exposure as follows:
Use password Type 8. Do not use Types 0, 4, and 7. Only use Type 5 when Types 6, 8, and 9 are not available, and upgrade hardware and software to support modern hash algorithms. Use password Type 6 when reversible encryption must be used.
Use strong password policies to get into privilege EXEC mode. Along with using strong password hash and encryption algorithms, creating a password that is very difficult to guess can prevent a network compromise. A complex password can prevent an unauthorized user from gaining elevated privileges and exposing the configuration file.
Use privilege levels. Do not apply level 15 to all user accounts. Provision various privileged levels to user accounts and commands based on user roles.
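An added example, not NSA's or Cisco's code, that audits a constructed running-config excerpt against the three recommendations above: it flags Types 0, 4 and 7, marks Type 5 for upgrade, accepts Types 8 and 9, accepts Type 6 only as reversible encryption, and warns when every local user sits at privilege 15. The hash strings in the sample are placeholders, not real hashes, and the config line forms are assumed from IOS running-config output.

```python
import re
from typing import Dict, List

# Verdict per Cisco password type, following the recommendation quoted above.
VERDICT: Dict[str, str] = {
    "0": "DO NOT USE: Type 0 stores the password in plaintext",
    "4": "DO NOT USE: Type 4 is deprecated",
    "7": "DO NOT USE: Type 7 is reversible obfuscation, not a hash",
    "5": "UPGRADE: Type 5 (MD5) only where Types 6, 8 and 9 are unavailable",
    "6": "OK only where reversible encryption is required (Type 6, AES)",
    "8": "OK: Type 8 (PBKDF2-SHA-256)",
    "9": "OK: Type 9 (scrypt)",
}

# Matches 'enable secret 9 ...', 'enable password cisco', and
# 'username NAME [privilege N] secret|password [TYPE] VALUE'.
CRED_RE = re.compile(
    r"^(?:enable|username\s+(?P<user>\S+))"
    r"(?:\s+privilege\s+(?P<priv>\d+))?"
    r"\s+(?:secret|password)\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)"
)

# Constructed running-config excerpt; the hash strings are placeholders.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$CONSTRUCTED$notarealhash
enable password 7 0822455D0A16
username admin privilege 15 secret 9 $9$CONSTRUCTEDSCRYPT
username netops privilege 15 password 7 094F471A1A0A
username backup privilege 15 password 0 PlainTextPw
"""


def audit_config(config: str) -> List[str]:
    """Return one finding per weak credential line or risky global setting."""
    findings: List[str] = []
    privileges: Dict[str, int] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "service password-encryption":
            findings.append("service password-encryption only produces Type 7; "
                            "use 'secret' with Type 8 or 9 instead")
            continue
        m = CRED_RE.match(line)
        if not m:
            continue
        who = m.group("user") or "enable"
        if m.group("user"):
            # IOS assigns privilege 1 when the keyword is absent.
            privileges[who] = int(m.group("priv") or 1)
        ptype = m.group("type") or "0"   # no type digit means plaintext
        verdict = VERDICT.get(ptype, f"UNKNOWN Type {ptype}")
        if not verdict.startswith("OK"):
            findings.append(f"{who}: {verdict}")
    if privileges and all(p == 15 for p in privileges.values()):
        findings.append("every local user has privilege 15; "
                        "provision privilege levels by role")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```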
Secure and strengthen your passwords
Use unique and strong passwords for each online account. Reusing passwords across multiple accounts can expose data from all of the accounts if the password is discovered. Make sure that your password is of adequate length and complexity, using a combination of letters, numbers, and special characters. Where possible, implement multi-factor authentication using an authentication token or app so that someone can’t access your account even if your password is compromised. Never share passwords and avoid using information that could be guessed based on your social media profiles or public information.
(NSA | Keeping Safe on Social Media | PP-19-1728 and PP-20-0535 | AUG 2021 Ver 1.1)
Use strong lock-screen pins/passwords: a 6-digit PIN is sufficient if the device wipes itself after 10 incorrect password attempts. Set the device to lock automatically after 5 minutes.
Single response, multi-factor authentication mechanisms require activation of the device, either with a PIN/password or biometric. The device provides ‘what you have’ and activation of the device implies that ‘what-you-know’ or ‘what-you-are’ has been verified.
On the other hand, multi-step authenticators often include a password to provide ‘what-you-know’ and another authenticator that provides ‘what-you-have’. U.S. Government agencies should consider requirements for PIN/password activation as well as for the passwords that are used directly to provide ‘what-you-know’. Guidelines in SP 800-63-3 Part B indicate that memorized secrets (both for activation and as a single factor authenticator) must be at least 6-to-8 characters, and recommend higher password strength for user selected passwords. When determining password requirements, note that multi-factor devices should integrate strict thresholds to address password guessing attacks, whereas verifiers might employ less stringent threshold mechanisms, which warrants higher strength requirements for passwords that are used directly.
CISA falls under the DHS
President Biden has made cybersecurity, a critical element of the Department of Homeland Security’s (DHS) mission, a top priority for the Biden-Harris Administration at all levels of government.
To advance the President’s commitment, and to reflect that enhancing the nation’s cybersecurity resilience is a top priority for DHS, Secretary Mayorkas issued a call for action dedicated to cybersecurity in his first month in office. This call for action focused on tackling the immediate threat of ransomware and on building a more robust and diverse workforce.
In March 2021, Secretary Mayorkas outlined his broader vision and a roadmap for the Department’s cybersecurity efforts in a virtual address hosted by RSA Conference, in partnership with Hampton University and the Girl Scouts of the USA.
After his presentation, the Secretary was joined by Judith Batty, Interim CEO of the Girl Scouts, for a fireside chat to discuss the unprecedented cybersecurity challenges currently facing the United States. Dr. Chutima Boonthum-Denecke from Hampton University’s Computer Science Department introduced the Secretary and facilitated a Q&A to close the program.
Keep Your Firewall Turned On
A firewall helps protect your computer from hackers who might try to gain access to crash it, delete information, or even steal passwords or other sensitive information. Software firewalls are widely recommended for single computers. The software is prepackaged on some operating systems or can be purchased for individual computers. For multiple networked computers, hardware routers typically provide firewall protection.
Install or Update Your Antivirus Software
Antivirus software is designed to prevent malicious software programs from embedding on your computer. If it detects malicious code, like a virus or a worm, it works to disarm or remove it. Viruses can infect computers without users’ knowledge. Most types of antivirus software can be set up to update automatically.
Install or Update Your Antispyware Technology
Spyware is just what it sounds like—software that is surreptitiously installed on your computer to let others peer into your activities on the computer. Some spyware collects information about you without your consent or produces unwanted pop-up ads on your web browser. Some operating systems offer free spyware protection, and inexpensive software is readily available for download on the Internet or at your local computer store. Be wary of ads on the Internet offering downloadable antispyware—in some cases these products may be fake and may actually contain spyware or other malicious code. It’s like buying groceries—shop where you trust.
Keep Your Operating System Up to Date
Computer operating systems are periodically updated to stay in tune with technology requirements and to fix security holes. Be sure to install the updates to ensure your computer has the latest protection.
Be Careful What You Download
Carelessly downloading email attachments can circumvent even the most vigilant anti-virus software. Never open an e-mail attachment from someone you don’t know, and be wary of forwarded attachments from people you do know. They may have unwittingly advanced malicious code.
Turn Off Your Computer
With the growth of high-speed Internet connections, many opt to leave their computers on and ready for action. The downside is that being “always on” renders computers more susceptible. Beyond firewall protection, which is designed to fend off unwanted attacks, turning the computer off effectively severs an attacker’s connection—be it spyware or a botnet that employs your computer’s resources to reach out to other unwitting users.
Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.
Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the request.
Be especially wary if the requestor is pressing you to act quickly.
NIST falls under the Department of Commerce
Ensuring the security of our interconnected global networks, and the devices and data connected to those networks is one of the defining challenges of our era.
The Department of Commerce is tasked with enhancing cybersecurity awareness and protections, protecting privacy, maintaining public safety, supporting economic and national security, and empowering Americans to better manage their safety online.
The FCC’s responsibility is to ensure the reliability and resiliency of the Nation’s communications network and to promote public safety through communications. The FCC, because of its relationship with the nation’s communications network service providers, is particularly well positioned to work with industry to secure the networks upon which the Internet depends.
Over the years, the FCC has worked through its Federal Advisory Committee, the Communications Security, Reliability, and Interoperability Council – CSRIC – to develop voluntary industry wide best practices that promote reliable networks, including for 911 calling. CSRIC and its working groups are made up of industry leaders, academics, and innovators in communications, Federal partners, public safety entities, state and local government officials, and Internet registries.
CSRIC will release a series of recommendations in March 2012 to address the most pressing threats to our cyber security, and suggest frameworks for possible solutions. We believe the most pressing cyber security threats are botnets, domain name fraud, and Internet route hijacking.
Train employees in security principles. Establish basic security practices and policies for employees, such as requiring strong passwords and establishing appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.
Require employees to use unique passwords and change passwords every three months. Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account.
There are many steps you can take to stay safe online, but the simplest action with the most significant and immediate impact on your security is to use a password manager. Choose a cross-platform password manager with zero knowledge end-to-end encryption that can generate and store unlimited unique and strong passwords. You can get started with Bitwarden on a free account or opt for Premium for less than $10/year to get advanced features like 2FA and Emergency Access.