The strength of a password is determined by some restrictions - like minimum length, password age, use of multiple type and special characters, and reuse restrictions - which determines the average number of guesses an attacker must try to guess the password and ease with which the attacker can test the validity of the guessed password.
A passphrase is just a different way of thinking about a "secret" or "something you know". The main difference is that a passphrase is longer. While a usual password is 8 to 10 characters long, a passphrase can be twice as long. Compared to passwords, a passphrase is generally stronger because it is more memorable than passwords thus reducing the need to write them down, they make some types of brute force attacks impractical since they are much longer than passwords, and they make phrase or quote dictionary attacks almost impossible if the passphrase is well constructed.
When a service account is used, a strong password utilizing upper and lower case letters, numbers, and special characters should be utilized. The service accounts utilized should be tracked. The documentation needs to include which service account is utilized for each application or service. There will be a time that the password will have to be changed because of employee terminations or employee reassignments. Knowing what will be affected and what needs to be changed when the password has to be changed will prevent unexpected downtime of services or applications.
Use different accounts and passwords for different levels of access.
Some people have more than one account across their enterprise, or utilize one set of work logins, and another set of personal logins. (e.g., work vs personal; shopping, and banking vs casual email and Facebook; applications that contain confidential information vs those that do not, etc.) If you have more than one account to access work related systems, you should utilize different passwords. For example, for a general level of access, you have one account such as jsmith. For elevated privileges for a special system, you have another account named jsmithVIP. It is best practice to use a different password for each account. This way, if one account is compromised, the other account is still secure.
For personal (home use) of computer resources or Internet sites, you should always use a personal account and a different password than used for work related accounts.
Do NOT share passwords or digital certificate passwords used for digital signatures.
Users have responsibilities toward protecting issued credentials. Credentials must be kept confidential to help prevent the unauthorized disclosure of sensitive information under a users’ care. Users should not try to circumvent password entry though the use of auto logon, application “remember password” features, or hard-coded passwords in client software.
Email users need to be vigilant of not falling victim to PHISH emails. Users should learn their institution’s practices of requiring password changes and how to check if an email is a valid email before responding to or clicking on links in an email.
Use multi-factor authentication whenever possible.
Multi-factor authentication (MFA) is the use of technology to help identify the person logging in besides just the use of a password. It includes other evidence (factors) to the user’s identity. There are three categories of authentication:
Something you know Something you have Something you are
MFA is utilizing two or all three categories of evidence to gain access to a system. For example, a password or pin would be something you know; a Smartphone or token would be something you have; a fingerprint or retinal scan would be something you are.
Bank ATM’s having been utilizing two factor authentication for some time – a PIN being something the customer knows, and the ATM card being something the customer has.
Due to the nature of passwords, even strong passwords, being compromised, MFA is what institutions should implement to protect digital assets.
For password management, do not allow cleartext transmission, storage or capture of passwords, maintain audit trails, and lock the account after repeated unsuccessful attempts.
Passwords should not be sent cleartext to an authentication site. In addition, passwords should never be stored in cleartext in case the password file is compromised.
Audit trails can provide information when doing investigations of authenticated credentials used to access a system or file.
Locking accounts after a pre-determined number of failed authentication attempts can thwart a brute force attack on accounts.
What we do here
UNL has numerous resources to manage passwords and to stay up to date on news from the ITS security team. For information about UNL identity and password management, visit http://idm.unl.edu/.