☑️Password Management

Password Policy Standards

Some security standards include a section for password policies or password guidelines. Here is a list of the most common:

1. NIST SP800-63B

2. CIS Password Policy Guide

3. PCI DSS

We can use those standards to understand different perspectives of password policies. After that, we can use this information to create our password policy.

Password Policy Recommendations

Let us create a sample password policy to illustrate some important things to keep in mind while creating a password policy. Our sample password policy indicates that all passwords should:

• Minimum of 8 characters.

• Include uppercase and lowercase letters.

• Include at least one number.

• Include at least one special character.

• It should not be the username.

• It should be changed every 60 days.

Local Password Managers

The most popular local password managers are:

1. KeePass

2. KWalletManager

3. Pleasant Password Server

4. Password Safe

Alternatives

Some of the most common ways to secure identities beyond passwords are:

1. Multi-factor Authentication.

2. FIDO2 open authentication standard, which enables users to leverage common devices like Yubikey, to authenticate easily. For a more extended device list, you can see Microsoft FIDO2 security key providers.

3. One-Time Password (OTP).

4. Time-based one-time password (TOTP).

5. IP restriction.

6. Device Compliance. Examples: Endpoint Manager or Workspace ONE

Passwordless

As new technology and standards evolve, we need to investigate and understand the details of its implementation to understand if those alternatives will or not provide the security we need for the authentication process. You can read more about Passwordless authentication and different vendors' strategies:

1. Microsoft Passwordless

2. Auth0 Passwordless

3. Okta Passwordless

4. PingIdentity