forked from sr2/www.sr2.uk
148 lines
8.3 KiB
Text
148 lines
8.3 KiB
Text
|
<h1>Passwords and Authentication Policy</h1>
|
|||
|
|
<pre class="metadata">
|
|||
|
|
Status: DREAM
|
|||
|
|
Local Boilerplate: header yes, copyright yes, defaults yes
|
|||
|
|
Boilerplate: status no
|
|||
|
|
TR: https://www.sr2.uk/policies/password-auth/
|
|||
|
|
Shortname: password-auth
|
|||
|
|
Complain About: accidental-2119 yes
|
|||
|
|
No Editor: true
|
|||
|
|
!Version: 1.0
|
|||
|
|
Abstract: A policy defining an effective authentication management procedures when conducting company-related business.
|
|||
|
|
</pre>
|
|||
|
|
|
|||
|
|
# Objective # {#objective}
|
|||
|
|
|
|||
|
|
This policy defines an effective authentication management procedures when conducting company-related business and
|
|||
|
|
includes the:
|
|||
|
|
|
|||
|
|
* issuing and selection of strong authentication methods and credentials;
|
|||
|
|
* protection of secret authentication credentials;
|
|||
|
|
* frequency of change in terms of authentication credentials;
|
|||
|
|
* reporting of any suspected breach or lost authentication credentials;
|
|||
|
|
* use of authentication methods with third party systems (including cloud technology).
|
|||
|
|
|
|||
|
|
Authentication is a key method of securing our information – choosing weak authentication methods, or failing to keep
|
|||
|
|
the authentication credentials secure, places the confidentiality of our data at risk.
|
|||
|
|
|
|||
|
|
# Scope # {#scope}
|
|||
|
|
|
|||
|
|
The scope of the policy covers all individuals either employed or contracted to work with or for the company, either
|
|||
|
|
in-office or remotely.
|
|||
|
|
|
|||
|
|
# Definitions # {#definitions}
|
|||
|
|
|
|||
|
|
: Authentication method
|
|||
|
|
:: Any method by which a user may authenticate themselves in order to gain access to a location, data or service, such
|
|||
|
|
as text entry (e.g. passwords, passphrases, PINs), biometrics (e.g. fingerprints), etc.
|
|||
|
|
: Authentication credentials
|
|||
|
|
:: The specific data or information used by a user to authenticate themselves, including but not limited to passwords,
|
|||
|
|
passphrases, PINs, and biometric data.
|
|||
|
|
: Multi-Factor Authentication (MFA)
|
|||
|
|
:: An authentication method that requires the user to provide two or more verification factors to gain access, such as
|
|||
|
|
something they know (e.g., password), something they have (e.g., a security token or mobile device), and/or
|
|||
|
|
something they are (e.g., biometric data).
|
|||
|
|
: Cloud-based system
|
|||
|
|
:: A service or platform hosted over the internet that allows users to access data, applications and services remotely.
|
|||
|
|
: Password manager
|
|||
|
|
:: A software product used for the secure storage of passwords, which must be approved for use, and includes functions
|
|||
|
|
for generating strong passwords compliant with this policy.
|
|||
|
|
|
|||
|
|
# Policy # {#policy}
|
|||
|
|
|
|||
|
|
Authentication method covers any methods by which a user may authenticate themselves in order to gain access to a
|
|||
|
|
location, data or service, such as text entry (e.g. passwords, passphrases, PINs), biometrics (e.g. fingerprints), etc.
|
|||
|
|
The company ensures that authentication credentials are kept confidential by:
|
|||
|
|
|
|||
|
|
- storing authentication credentials in a secure manner;
|
|||
|
|
- changing manufacturer default authentication credentials and disabling guest accounts on all equipment;
|
|||
|
|
- issuing new users with temporary authentication credentials, which must be changed at first login to a stronger
|
|||
|
|
alternative (defined later);
|
|||
|
|
- authentication credentials issued to new users are done so in a secure manner (e.g. never in clear text via an email);
|
|||
|
|
- changing all multi-user credentials (e.g. for communal equipment) used by an employee in the event that their
|
|||
|
|
employment ends;
|
|||
|
|
- ensuring that access to user credentials is limited to ICT administrators for the purpose of resetting, revoking or
|
|||
|
|
problem resolution – authentication methods may only be reset once the identity of the user has been verified;
|
|||
|
|
- locking accounts after 5 failed login attempts in order to dissuade brute-forcing attempts;
|
|||
|
|
- training staff in the use of digital password managers, and the risks of storing passwords in any other form (such as
|
|||
|
|
a notebook at their workstation, or Post-It note).
|
|||
|
|
|
|||
|
|
Users must ensure that they do all they can to maintain the confidentiality of their authentication credentials by
|
|||
|
|
never:
|
|||
|
|
|
|||
|
|
- using company authentication credentials for any other account they hold (including personal accounts such as home
|
|||
|
|
utilities, email, online shopping services, etc);
|
|||
|
|
- having a physical copy of their credentials;
|
|||
|
|
- using a non-approved method for password generation;
|
|||
|
|
- entering authentication credentials on non-company equipment (for example, home or public access PCs);
|
|||
|
|
- revealing authentication credentials to anyone, including line managers, unless relaying information on temporary
|
|||
|
|
credentials which are changed immediately upon next login. This includes never
|
|||
|
|
sharing authentication credentials with co-workers (e.g. whilst on annual leave);
|
|||
|
|
- discussing authentication credentials in front of others.
|
|||
|
|
|
|||
|
|
## Password Authentication ## {#passwords}
|
|||
|
|
|
|||
|
|
Many services and policies only allow for password authentication methods, and so they are given a special focus here.
|
|||
|
|
Strong passwords MUST be used for authentication. The company defines a strong password as one generated by one of two
|
|||
|
|
processes: random string generation by a password manager or using diceware [[!EFF-DICE]].
|
|||
|
|
|
|||
|
|
Where a password is to be stored in a password manager, it MUST be randomly generated by the password manager with the
|
|||
|
|
parameters:
|
|||
|
|
|
|||
|
|
- having a minimum number of 14 characters in length;
|
|||
|
|
- using longer passwords where permitted by the service;
|
|||
|
|
- including a mixture of numbers, upper and lower case letters, and special characters.
|
|||
|
|
|
|||
|
|
Where special characters are not possible due to technical restrictions, the minimum length is 20 characters.
|
|||
|
|
|
|||
|
|
For the avoidance of doubt, weak passwords must never be used. Weak, text-based authentication credentials generally
|
|||
|
|
have one or more of the following characteristics:
|
|||
|
|
|
|||
|
|
- credential is the same, or partly the same, as the username;
|
|||
|
|
- names of family members, friends, or pets are used;
|
|||
|
|
- personal information about yourself or family members which can be easily found from social networking sites,
|
|||
|
|
including date of birth, phone number, street name, etc.;
|
|||
|
|
- consecutive alphanumeric characters or keys on the keyboard, such as ‘abc123’ or ‘qwerty’;
|
|||
|
|
- dictionary words including the inclusion of a number or character at the start or end or substituting numbers or
|
|||
|
|
punctuation for letters, for example, ‘P@55w0rd’;
|
|||
|
|
- a known word from any language (which may not be in a dictionary).
|
|||
|
|
|
|||
|
|
For passwords that are intended to be memorised, the MUST be generated using diceware. The above restrictions likely
|
|||
|
|
will not be met using this method as the intention is to provide a strong password that is easy to remember, and the
|
|||
|
|
strength comes from the underlying dice rolls. Any other method of generating a passphrase MUST NOT be used even if it
|
|||
|
|
results in one that bears similarity to a diceware-generated passphrase.
|
|||
|
|
|
|||
|
|
Memorised passphrases generated with diceware SHOULD be used for:
|
|||
|
|
|
|||
|
|
- end-user device login passphrase;
|
|||
|
|
- password manager decryption passphrase.
|
|||
|
|
|
|||
|
|
## Multi-Factor Authentication ## {#mfa}
|
|||
|
|
|
|||
|
|
Wherever the option is offered by a given service or piece of software, multi-factor authentication is to be used (e.g.
|
|||
|
|
a fingerprint and a passphrase, or a voice sample, PIN and verification SMS).
|
|||
|
|
|
|||
|
|
Where a hardware token is in use to authenticate to a system without a password, the token itself MUST be secured with
|
|||
|
|
a memorised PIN of at least 6 digits.
|
|||
|
|
|
|||
|
|
## Credentials for Cloud-Based Systems and Online Portals ## {#cloud}
|
|||
|
|
|
|||
|
|
It is to be remembered that the company makes use of cloud-based technology and online portals, which may not enforce
|
|||
|
|
strong authentication credentials. It is therefore up to the individual to ensure a good authentication regime is
|
|||
|
|
maintained, which is as strong as that used within the organisation. In line with the company’s "Internet Use
|
|||
|
|
Policy", users shall:
|
|||
|
|
|
|||
|
|
- not create an online account for business purposes without authorisation from a director;
|
|||
|
|
- advise a director when there is no longer a need to have the online account in order to ensure that it is
|
|||
|
|
removed.
|
|||
|
|
|
|||
|
|
## Credential Compromise Policy ## {#compromise}
|
|||
|
|
|
|||
|
|
In the event of a credential compromise, users SHALL take immediate action to secure the account by resetting or
|
|||
|
|
invalidating the credentials and report the incident to a director as soon as practical.
|
|||
|
|
It is policy that any password compromise event will be shared with CiviCERT members via the MISP platform to allow for
|
|||
|
|
shared learning from the incident.
|
|||
|
|
Directors will be responsible for determining if a data breach notification is necessary to our clients or to the
|
|||
|
|
Information Commissioners Office.
|
|||
|
|
|