Privileged passwords should be used wisely. These credentials, also called secrets, provide a user with access to protected accounts, systems, networking hardware, cloud instances, and applications. Since privileged accounts also have elevated permissions, passwords to these accounts are often targeted by cybercriminals. In fact, weak, reused, and compromised passwords are the cause of 81% of all data breaches according to the Verizon 2019 Data Breach Investigations Report.
One way to secure privileged passwords is by creating and following a sophisticated password policy within your organization. In this article, we provide a set of short privileged password security checklists for compliance with four key laws, regulations, and standards:
- National Institute for Standards and Technology (NIST) Special Publication 800-63
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- General Data Protection Regulation (GDPR)
Why is it vital to have a password policy?
Take the first step towards securing your critical assets.
There’s always room for improvement when it comes to protecting privileged credentials. In today’s organizations, even privileged passwords are often handled inappropriately.
A password policy is your key to addressing this problem. It’s not just a bureaucratic document needed for successfully passing a security audit, as some might see it. A password policy establishes specific rules, best practices, and tools that can help your organization manage user credentials efficiently and securely. And while it doesn’t eliminate the risk of a data breach completely, a password policy is helpful for improving the protection of your most valuable assets.
There are four main benefits of having a well-thought-out password policy.
But to get the most out of your secrets management policy, you need to know exactly what criteria to meet. In the next section, we summarize privileged account password policy compliance requirements of four key security standards, laws, and regulations.
Password policy compliance checklist
Keeping your passwords secure isn’t that difficult.
Depending on your location and the industry you’re in, your organization may be subject to different regulations, acts, and standards.
Documents with a bearing on password policies contain both requirements and recommendations. In this article, we take a look at the four most widely referenced cybersecurity documents:
These documents were chosen because they provide the most detailed and specific requirements for password management and are often used as the core of other regulations and standards.
NIST Special Publication 800-63
Updated in 2019, NIST Special Publication 800-63 is the key standard to look to when it comes to password security. It provides detailed cybersecurity guidelines that are obligatory for US federal agencies. Other organizations and enterprises can also implement NIST recommendations to improve their cybersecurity.
When it comes to NIST compliance, a password policy is one of the key tools that an organization can use to meet all the requirements of this standard. Furthermore, NIST sets core password security criteria, which are often applied by acts such as HIPAA and FISMA.
When creating a password policy for NIST compliance, follow these password requirements:
- Eight or more characters when created by humans
- Six or more characters when generated by a service or system
- Maximum length of at least 64 characters
- Periodic password changes are no longer mandatory
- At least ten login attempts for user-entered passwords before blocking the account
- No password hints
- No codes for multi-factor authentication (MFA)
- No knowledge-based authentication (such as secret questions)
- Support for all ASCII characters (including space)*
- Check passwords against password dictionaries and databases**
* Previously, the use of special characters was one of the criteria for a complex, strong password. Since the 2019 update, NIST no longer requires the use of special characters.
** You can use special services and open dictionaries or create your own database of weak passwords that should be prohibited. Such a database should include both easy-to-guess and default passwords.
HIPAA is the key cybersecurity standard for all US organizations that deal with protected health information (PHI). The list of such organizations includes healthcare providers, health insurers, caregivers, and subcontractors with access to PHI.
HIPAA compliance password policy requirements are explained in the Administrative Safeguards section of the HIPAA Security Rule. Their goal is to limit access to and avoid any possibility for the disclosure of PHI. Most of these requirements match those put forward by NIST.
Note: HIPAA compliance for password security is addressable, meaning you can implement any alternative solutions or measures that allow your organization to accomplish the same level of data security.
The key HIPAA privileged user and password security requirements are the following:
- Passwords should be at least eight characters in length
- Passwords should use uppercase and lowercase letters, special characters, and numbers
- Passwords should be changed every 60 to 90 days
- Restrict password reuse
- Implement the principle of least privilege
- Assign a unique identifier (ID) for every user
Additionally, HIPAA suggests implementing a special procedure for emergency access to restricted data. However, emergency access should only be enabled with proper controls in place to minimize the risk of data leaks or misuse.
PCI DSS is a set of policies and protocols established by the PCI Security Standards Council (SSC) for ensuring the security and protection of cardholder payment data. Complying with PCI DSS requirements is a must for all organizations that work with cardholder data from Visa and Mastercard payment systems.
As of the date of this article’s publication, the latest released version of the PCI DSS standard was PCI DSS 3.2.1 [PDF].
All password security criteria can be found in Requirement 8 of this document. Here are some of the most important requirements:
- Assign a unique ID to every user with access to critical data
- Protect secrets in transit and at rest with encryption and strong authentication methods
- Apply multi-factor authentication (MFA) for administrative access
- Restrict password sharing
- Restrict the use of default passwords
- Restrict the reuse of passwords across customer environments
- Restrict direct or query access to all cardholder databases for everyone except database administrators
Note that PCI DSS specifies that applying two similar authentication methods, such as two passwords, isn’t considered true MFA. To learn more about what true MFA is and how to implement it, read our article on categories, methods, and tasks of two-factor authentication.
The GDPR regulates the way personal data of European Union residents is handled. And since many organizations worldwide have customers in the European Union, they must comply with the requirements of the GDPR.
In 2019, the German Conference of Data Protection Authorities (Datenschutzkonferenz) released a paper with detailed guidance on how to ensure password security and comply with GDPR requirements. They outlined the following recommendations for a GDPR compliant password policy:
- Passwords should be at least ten characters in length
- Passwords should use numbers and special characters
- Don’t use weak, default, or compromised credentials
- Require password changes in the case of a data breach
- Block a user account if there is a high number of failed login attempts (the exact number isn’t specified)
- Block login attempts if the same password is used to log in to different accounts
- Use MFA or one-time passwords for accessing critical systems and data
- Encrypt secrets in transit and at rest
- Require secure authentication for password resets
Note that these recommendations are provided by German experts and are not part of the official set of GDPR requirements. However, they can make it easier for you to evaluate your secrets management activities and implement an appropriate password policy for GDPR compliance.
Meet cybersecurity requirements with Ekran System
Ekran System is the ultimate insider threat protection platform that can help you meet the requirements of key regional and industry-specific security standards, including NIST 800-53, FISMA, HIPAA, PCI DSS, and the GDPR.
With Ekran System’s rich set of access and identity management features, organizations can:
- Effectively apply the principle of least privilege
- Secure regular and privileged accounts
- Ensure user identity verification
The Ekran platform also offers a variety of features for enhancing the protection of critical assets and making sure only authorized users can access your most valuable data.
|Ekran System — Key features for IT compliance|
To make passing compliance audits even easier, Ekran System allows you to generate and export various types of reports.
Having a password policy is a practice recommended or required by many security standards and regulations. When building such a policy for your organization, it’s important to pay special attention to securing privileged accounts, as they’re often the target of hackers.
The list of regulations and standards you need to comply with depends on various factors, including your geographical location, the industry you’re working in, and even where your customers are located. However, there are four documents you need to pay special attention to: NIST 800-63, PCI DSS, HIPAA, and the GDPR.
Ekran System can help you ensure privileged account password security compliance, protect both regular and privileged accounts, and efficiently manage all types of secrets.