PCI Requirement 8: Combatting Weak Passwords and Usernames
Complying with PCI DSS Requirement 8: what you need to do.
By: Jen Stone, CISSP, QSA
Here are a few things you should do, along with some tips to increase security.
Use unique usernames and passwords
It’s important to use different passwords for different services. This way, if one service is compromised, your credentials can’t be used to access information from other services.
From a business perspective, merchants must implement unique usernames. When people share usernames, they also share passwords, which means the credentials are no longer secret, making shared accounts much more vulnerable to social engineering attacks. On top of this, businesses can’t identify exactly who performed a specific action in their systems when a pool of people share a single set of credentials.
Set lockout rules
PCI requires accounts to be locked after six consecutive failed login attempts. Accounts must stay locked for thirty minutes, or until a system administrator resets the account. This helps prevent several kinds of brute-force attacks. If an attacker only has six chances to guess the correct password, their attempts will likely fail. Once locked out, they will move on to an easier target.
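The lockout rule above, written out as a small policy class so the details are explicit: the counter is per account, a successful login resets it (the attempts must be consecutive), the lock expires after thirty minutes, and an administrator can clear it early. This is an added illustration, not code from the article or from SecurityMetrics; the class and method names are my own, and a clock function is injected so the thirty-minute window can be exercised without waiting.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILED_ATTEMPTS = 6        # from the Requirement 8 text above
LOCKOUT_SECONDS = 30 * 60      # thirty minutes

@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[float] = None  # None means not locked

class LockoutPolicy:
    """Per-account consecutive-failure counter enforcing the PCI lockout (hypothetical helper)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, username: str) -> AccountState:
        return self._accounts.setdefault(username, AccountState())

    def is_locked(self, username: str) -> bool:
        state = self._state(username)
        if state.locked_until is None:
            return False
        if self._clock() >= state.locked_until:
            # Window elapsed: clear the lock and start counting afresh.
            state.locked_until = None
            state.failed_attempts = 0
            return False
        return True

    def record_attempt(self, username: str, password_ok: bool) -> bool:
        """Return True only if the login may succeed. A locked account rejects every
        attempt, even a correct password, so the lock never confirms a right guess."""
        if self.is_locked(username):
            return False
        state = self._state(username)
        if password_ok:
            state.failed_attempts = 0  # "consecutive": a success resets the count
            return True
        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked_until = self._clock() + LOCKOUT_SECONDS
        return False

    def admin_reset(self, username: str) -> None:
        self._accounts[username] = AccountState()  # administrator unlocks early
```

Note that a correct password submitted during the lock window is still rejected; unlocking only on a correct guess would turn the lockout into an oracle.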
Use complex passwords
If a password isn’t sufficiently complex, it’s much easier for an attacker to gain access to an environment. An attacker may try a brute-force attack against a system by entering multiple passwords (via an automated tool entering thousands of passwords within a matter of seconds) until one works. The PCI standard requires that your passwords have at least 7 characters, including an upper- and lower-case letter. Other standards recommend requiring longer passwords and adding numbers and special characters. Passwords that fall short of these criteria can easily be broken using a password-cracking tool.
In practice, the longer the password and the more character types it uses, the more difficult it will be for an attacker to crack.
Try using a pass phrase instead of a password
To beef up both personal and business data security, many have turned to using pass phrases instead of passwords. While passwords are strings of around 10 letters, numbers and symbols (e.g., "2GetherForever1979!"), pass phrases are groups of words with spaces in between, e.g., "We Never Drove Past Albuquerque?"
A pass phrase can contain symbols, upper- and lower-case letters, and does not have to make sense grammatically. Pass phrases are generally easier to remember, but harder to crack than passwords. More about passwords and pass phrases:
- Pass phrases contain words and spaces. Passwords are strings of letters, numbers, and symbols around 10 characters long.
- Pass phrases are generally longer than passwords.
- Pass phrases can be made more complex and secure by using symbols, numbers, and upper-/lower-case letters.
- Major operating systems (Mac, Windows, Linux) allow pass phrases of up to 127 characters.
- Even advanced password-cracking software would have a next-to-impossible time cracking pass phrases.
Implement multi-factor authentication
System security should not be based solely on the complexity of a single password. No password should be considered uncrackable. That’s why implementing multi-factor authentication is an important part of securing remote access, and it’s a requirement under PCI DSS. Multi-factor authentication requires at least two of the following three factor types:
- Something only you know (e.g., a username and password, PIN)
- Something only you have (e.g., hardware token, smartcard)
- Something only you are (e.g., fingerprint, ocular scan)
Two example configurations that satisfy this for remote access:
- The remote user enters their username and password, and then must enter a one-time password (OTP) sent to them on their smartphone.
- The remote user enters their username and password, and then must use a unique dynamic number found on an RSA SecurID token.
Your authentication mechanisms should be independent of each other (e.g., physically separated), so that access to one factor does not grant access to another: if one factor is compromised, the integrity and confidentiality of the other factors are unaffected.
Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.