Security Best Practices

Tips & Key Concepts

Login Credentials

The login process consists of two intertwined concepts: identification and authentication. Identification is the process of claiming an identity, whereas authentication is the process of proving an identity. The username assigned to the user by the organization, then, is the user’s identification, and the system password authenticates, or provides proof of the claimed identity. Together, the username and password comprise the login credentials. In order to have secure login credentials, passwords should:

• Comply with the organization’s policies and procedures
• Be long and strong
• Be memorable to the user
• Not be revealed or shared with anybody
• Be unique across all systems

Memorized Secret

Instead of the term password, NIST suggests memorized secret. The idea and anatomy of a memorized secret consists of the following:

• Length is strength – Eight (8) character minimum, when set by a human, and sixty-four (64) character maximum.
• Support all characters – The difference between a weak password and a strong password is the number of characters (i.e., upper- and lower-case letters, numbers, and special characters) available, and hence the number of possible combinations available to construct a password based on those characters. 
• No password expiration period – Many studies have shown that users tend to choose weaker passwords when they know they have to change them in the near future.
• No password composition rules – Even though the full character set should be supported, requiring users to compose their passwords using lower-case, upper-case, digits, and/or special characters is no longer recommended. Imposing composition rules provides less benefit than might be expected, because users tend to use predictable methods for satisfying these requirements – often referred to as leekspeak .

Passphrase

Because trying to remember passwords or memorized secrets for every system can be a daunting task, one recommendation that may help with making passwords more memorable is to use passphrases. A passphrase is similar to a password in usage, but is generally longer and easier to remember, because it has meaning to the user. A passphrase is comprised of a multiple-word phrase that is created with a secret strategy, which allows the user to picture the passphrase as a mental image.

An example would be using the first 3 letters of each word in “Sherlock Holmes 221B Baker Street.”

The result is this passphrase: SheHol221BakStr (DO NOT use this passphrase) A Sherlock Holmes buff would find this passphrase easy to remember. It also complies with the NIST Digital Identity Guidelines, while also being difficult for the bad actors to crack.

Multi-Factor Authentication

Authentication with the password/passphrase is based on something the user knows. This is considered one factor of authentication. There are two additional possible factors of authentication:

1. Something the user has, such as a smart card or token, or
2. Something the user is, such as their fingerprints, voice patterns, facial recognition, or eye patterns Using two (or more) methods of authentication in tandem, to verify a user’s identity, creates a layered defense and makes it more difficult for an unauthorized person to access the system. In other words, if one factor is compromised or broken, the bad actor still has at least one more barrier to circumvent before successfully gaining access to the system.

Single Sign-On

As mentioned earlier, an important guideline for strong passwords is to have a unique password for each application you access. In addition to using passphrases to remember login credentials, there are other tools that can help. Single sign-on (SSO) is an authentication service, for example, that allows an end user to input their login credentials once and be able to access multiple applications.

Enterprise Health recommends that our clients use SSO with the security assertion markup language (SAML). For more information, please refer to the Online Product Documentation .