Securing Password Policies
ActivID AS supports a very rich set of password policies to protect the credentials. The following provides some recommendations on the use of a strong password policy.
Configure a Reasonable Password Length and Restrictions
It is important to strike the right balance between security best practices and user convenience. A good guideline on password policy can be found in NIST SP 800-63B-3, and another in the ANSSI guidelines.
Configure Password with Lock or Delay Policy
To protect against password 'guessing' attacks, the traditional solution is to lock the password after a certain number of failed attempts. This solution, supported by HID Global, has a major downside: it allows an attacker to mount a denial-of-service attack simply by entering wrong passwords. It is also less convenient, as the keys must be reissued if the password is locked.
It is therefore recommended to use the delay policy instead: the user must wait for a short period of time before attempting authentication again following a failed attempt. The delay doubles for each failed attempt, and the counter is reset on the next successful authentication. This is also a recommendation of NIST.
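As an added illustration, not ActivID AS code, the doubling-delay scheme described above can be modelled as follows. The base delay of one second, the upper cap and the per-user bookkeeping are assumptions; the page only states that the delay doubles per failure and resets on success.

```python
"""Model of an exponential-delay throttling policy (illustrative, not the product's implementation)."""
from dataclasses import dataclass, field


@dataclass
class AccountState:
    failures: int = 0            # consecutive failed attempts
    blocked_until: float = 0.0   # time (seconds) before which new attempts are refused


@dataclass
class DelayPolicy:
    base_delay: float = 1.0      # assumed: delay imposed after the first failure
    max_delay: float = 3600.0    # assumed cap so the delay cannot grow without bound
    accounts: dict = field(default_factory=dict)

    def delay_for(self, failures: int) -> float:
        """Delay after the n-th consecutive failure: doubles each time, capped."""
        if failures <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def attempt(self, user: str, password_ok: bool, now: float) -> tuple[bool, float]:
        """Process one login attempt at time `now`.

        Returns (accepted, wait_seconds). wait_seconds > 0 means the attempt
        was refused because the user is still inside a delay window; the
        password is not even checked and the counter is not advanced.
        """
        st = self.accounts.setdefault(user, AccountState())
        if now < st.blocked_until:
            return False, st.blocked_until - now
        if password_ok:
            st.failures = 0          # success resets the counter
            st.blocked_until = 0.0
            return True, 0.0
        st.failures += 1
        st.blocked_until = now + self.delay_for(st.failures)
        return False, 0.0


if __name__ == "__main__":
    policy = DelayPolicy()
    for t, ok in [(0.0, False), (1.0, False), (3.0, False), (7.0, True)]:
        print(t, ok, policy.attempt("alice", ok, t), policy.accounts["alice"])
```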
Password Rotation and Password History
Forcing users to change their password after a defined interval and keeping a password history prevents users from reusing passwords and makes sure they update their password at regular intervals.
You should be careful, though, as password expiration is also a source of frustration to users, who are often required to create and remember new passwords every few months for dozens of accounts. They therefore tend to choose and reuse the same few passwords for many accounts, so the policy for password expiry and the length of the password history should be defined with care to avoid degrading security.
Default Policy
The HID Global default policy balances security vs usability and can be used as a starting point for defining your own security policy.
It is compliant with the current NIST SP 800-63B-3 and is defined as follows:
Definition | Value |
---|---|
Minimum Length | Eight (8) characters |
Maximum Length | 100 characters |
Restrictions | The default restrictions are designed to prevent the use of previous passwords, commonly chosen passwords that appeared in password leaks, and sequences of letters, and to reject passwords that contain the user name or the value of a User Attribute. |
Maximum Age | 1825 days |
Lock Policy | Disabled for 900 seconds after five (5) consecutive authentication failures. |
Configurable Policy
HID Global realizes that industry recommendations evolve over time, and the flexible password configuration can be used to adapt the security requirements as these standards evolve or to address specific customer requirements.
For example, the NIST SP 800-63B-3 standard now does not recommend overly complex password restrictions, because they effectively lead to users selecting predictable passwords (such as Password1 when the constraint requires one upper case letter and one digit). This policy can be achieved by relaxing the restrictions on passwords accordingly.
User Awareness
Instruct all users to keep their password secure and to never tell anyone their passwords.