Password protection is probably the most important and easiest way to protect the security of your confidential and sensitive customer data. Yet time and again we see confidential data on systems with either weak passwords or, in some cases, no password protection at all!
The PCI Data Security Standards are very specific about password rules, but those rules are also very consistent with industry standard practices for passwords. Most of the PCI DSS requirements can be controlled through settings in the various Windows operating systems, and many PCI PA-DSS applications where credit card information is processed or stored add controls of their own. The first step to good security is to implement a password policy. Furthermore, PCI DSS compliancy and good security rules require that each company have a written policy, and that the policy and every issue it covers be reviewed regularly on an ongoing basis. The following rules and policies will give you a good starting point, but even these rules must be reviewed and established based on your overall needs and the specific PCI Data Security Standards.
Password Rules
Complex passwords help assure that a password is not easy to guess or replicate. Good passwords can’t be obvious for a specific person (like birthdays or children’s names) or consistent across an organization where knowing one password makes it easy to guess that of other users.
No group passwords – The first rule is that a password is personal and shouldn’t be shared with anyone. When protecting sensitive data (or to be PCI DSS compliant) each user must have a unique login username and password. Most applications don’t enforce unique passwords, but passwords should be unique, and they will be if each one is assigned individually. Each user should set up their own password to assure there is no uniformity in passwords that other users can guess.
Change Passwords frequently – Good security (and PCI DSS rules) dictate that passwords should be changed at least every 90 days. This assures that if a password is compromised, the compromise is at least limited in time. Consider that many hackers who can get to credit card information will try to leave their program on a system to collect and forward card information for as long as possible before the cards are used or sold, in order to capitalize on their success. Where the application supports it, as many do, also set a minimum password age so that users cannot change their password several times in a row and cycle back to, effectively retaining, the same password.
Don’t Duplicate Passwords – When a user is forced to change passwords, they should not be allowed to change to the same password. Most applications, like Windows, can be set up to prevent the same password from being reused. This is accomplished by retaining a password history of a certain number of previous passwords that cannot be reused when a password is reset. Good security rules and PCI DSS compliancy dictate that at least 4 passwords should be retained. Again, consider that if a user can change their password too often (see above) they can effectively retain the same password.
Limit Access Attempts – To prevent someone, or more likely a program, from being able to repetitively attempt an unlimited number of passwords it is important to limit repeated access attempts to no more than 6 attempts and lockout for at least 30 minutes unless an administrator overrides the lockout.
Passwords must include different types of characters – To prevent passwords from being easily guessed, every secure and PCI DSS compliant password should include 3 of the following 4 character types:
Upper Case Letters
Lower Case Letters
Numbers
Special Characters – non-alphanumeric characters such as: ! @ # $ % ^ & * ( and )
Use long passwords – The more characters included in a password, the better. Shorter passwords can be hacked more quickly when brute force methods are used. Consider that with 26 letters (in upper and lower case), 10 numbers and about a dozen special characters there are around 75 options for each character: that’s only 421,875 options for a 3-character password, just over a million for 4-character passwords and over a quadrillion (1,000,000,000,000,000 or one thousand million million) possibilities with 8 characters. While 400,000 attempts to log on to a system is a lot for a human, a computer program can do it in minutes – a quadrillion or more possibilities will take hours or even days of brute force to work, and be riskier for the hacker to be noticed. In fact, if you’re only using a 3-character password, a diligent human could use brute force in a matter of hours. For good security passwords should be at least eight characters long (the PCI DSS requirement is currently seven, but we expect it to increase).
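The rules above map directly onto a small piece of enforcement logic. The following is an added example written for this page, not code from the original article or from any product it mentions: it applies the complexity, length, history, age and lockout rules to an account, keeping the password history as salted PBKDF2 digests rather than plaintext, and includes the keyspace arithmetic behind the 75^n figures. The PCI values (8+ characters, 3 of 4 character types, 4-password history, 90-day maximum age, 6 attempts then a 30-minute lockout) come from the text; the one-day minimum age, the PBKDF2 round count and every function name are assumptions of this example.

```python
"""Password-rule enforcement modelled on the PCI DSS settings discussed above.

Added illustration, not part of the original article. MIN_AGE and
PBKDF2_ROUNDS are assumed values; the rest follow the text.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 8                          # "at least eight characters"
MIN_CLASSES = 3                         # 3 of the 4 character types
HISTORY_DEPTH = 4                       # remember the last 4 passwords
MAX_AGE = timedelta(days=90)            # change at least every 90 days
MIN_AGE = timedelta(days=1)             # assumed: blocks rapid cycling back to an old password
LOCKOUT_THRESHOLD = 6                   # no more than 6 attempts ...
LOCKOUT_DURATION = timedelta(minutes=30)  # ... then locked for at least 30 minutes
PBKDF2_ROUNDS = 100_000                 # assumed work factor for the stored digests


def character_classes(password: str) -> int:
    """Count how many of the four classes (upper, lower, digit, special) appear."""
    checks = (str.isupper, str.islower, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in password) for check in checks)


def complexity_errors(password: str) -> list[str]:
    """Length and character-type rules; an empty list means the password passes."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        errors.append(f"fewer than {MIN_CLASSES} of 4 character types")
    return errors


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash: the history keeps digests, never the passwords themselves."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of a given length (the 75**n figures quoted above)."""
    return alphabet_size ** length


@dataclass
class Account:
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest first
    last_change: datetime | None = None
    failed_attempts: int = 0
    locked_until: datetime | None = None

    def password_expired(self, now: datetime) -> bool:
        """True once the 90-day maximum age has passed (or no password was ever set)."""
        return self.last_change is None or now - self.last_change > MAX_AGE

    def set_password(self, new: str, now: datetime) -> list[str]:
        """Apply every change-time rule; return the violations (empty list on success)."""
        errors = complexity_errors(new)
        if self.last_change is not None and now - self.last_change < MIN_AGE:
            errors.append("changed too recently (minimum age not met)")
        if any(hmac.compare_digest(hash_password(new, salt), digest)
               for salt, digest in self.history[:HISTORY_DEPTH]):
            errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if errors:
            return errors
        salt = os.urandom(16)
        self.history.insert(0, (salt, hash_password(new, salt)))
        del self.history[HISTORY_DEPTH:]           # keep exactly the last four
        self.last_change = now
        return []

    def verify(self, attempt: str, now: datetime) -> bool:
        """Check a logon attempt, counting failures and enforcing the lockout."""
        if self.locked_until is not None and now < self.locked_until:
            return False                            # locked: refuse without testing the password
        self.locked_until = None
        if self.history:
            salt, digest = self.history[0]
            if hmac.compare_digest(hash_password(attempt, salt), digest):
                self.failed_attempts = 0
                return True
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_DURATION
            self.failed_attempts = 0
        return False


if __name__ == "__main__":
    acct, t0 = Account(), datetime(2024, 1, 1)
    print("set:", acct.set_password("Correct-Horse-7", t0) or "ok")
    print("reuse:", acct.set_password("Correct-Horse-7", t0 + timedelta(days=2)))
    print("8-char keyspace:", keyspace(75, 8))
```

Two design points worth noting: the lockout check runs before the digest is computed, so a locked account costs the server nothing per attempt, and the history comparison uses the per-entry salt, which is what lets the check work without ever storing the old passwords.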
Password Policies
Use Different Passwords – When accessing different systems, such as a home computer or even different websites, different passwords should be used. This will prevent the possibility of having a username and password compromised on one system that basically opens the door to all a user’s confidential information.
Remove unused users – Access must be revoked for terminated or inactive users. Even when trustworthy staff members leave an organization, their usernames and passwords should be disabled, if only to assure that a later security compromise can never be pinned on a former employee. It is also possible that usernames and passwords were set up for employees or users who never actually use the system, and an unused username is pure risk with no benefit. This is especially important if standardized usernames are temporarily set up for users to change when they first log on – don’t forget to remove the accounts of any users who never log on.
Disable or change common user names – Certain users are assigned generically by software. For example, all Windows systems come with a standard user named “Administrator” and another called “Guest.” Every hacker in the world knows this, so they already know half of what they need to know to access a default system. The “Guest” account can and should be disabled, as new users can always be added with unique usernames. The “Administrator” account is tricky and potentially dangerous to disable because at least one user with full administrative rights is required: instead, the “Administrator” username can and should be changed so it too is unique. Just remember that renaming the account changes the username that must be used to log on, while the rights assigned to the “Administrator” account stay with it.
Verify users before resets – When resetting a password for a user, make sure you know who the user is. This may seem obvious, but it is important that passwords are not given out freely – and if it is inconvenient for a user to have to come to someone to have their password reset it may help give them the incentive to remember them.
Keep passwords safe – If users need to write down a password to remember it, it should never be stored on a computer. Paper can be physically secured, but a list in a user’s unsecured folder is an open invitation. NEVER send a password through email.
Lock workstations when not in use – It does little good to have passwords set up on a system if it is left on and accessible to anyone who happens by. Windows workstations can be locked manually by pressing the “Windows” key and the letter “L” simultaneously, but your computer policy settings should include a setting that locks a workstation after a period of inactivity. PCI DSS compliancy means that all administrative workstations, as well as any workstation where credit cards are stored, must be set to lock after 15 minutes of inactivity.
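The policies in this section are the kind of thing an account review should catch routinely. The following is an added example, not code from the original article or from any Windows tooling: it audits a constructed inventory of local accounts against the rules above (default “Guest” enabled, default “Administrator” name still in use, accounts that never log on or have gone inactive, passwords older than 90 days) and checks a workstation’s idle lock against the 15-minute rule. The account records and the inactivity threshold of 90 days are this example’s own assumptions; on a real Windows host the same fields would be collected from the local user inventory.

```python
"""Audit of a local-account inventory against the password policies above.

Added example, not from the article. All sample records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)   # from the "change every 90 days" rule
INACTIVITY_LIMIT = timedelta(days=90)   # assumed: the article gives no figure for "inactive"
IDLE_LOCK_MINUTES = 15                  # from the workstation-lock rule


@dataclass(frozen=True)
class LocalAccount:
    """One local user, with the fields an inventory export would carry."""
    name: str
    enabled: bool
    password_required: bool
    last_logon: datetime | None         # None = never logged on
    password_last_set: datetime | None  # None = no password ever set


def audit_account(acct: LocalAccount, now: datetime) -> list[str]:
    """Return the policy findings for one account (empty list = clean)."""
    findings: list[str] = []
    if not acct.enabled:
        return findings                  # a disabled account is already out of scope
    lowered = acct.name.lower()
    if lowered == "guest":
        findings.append("default Guest account is enabled: disable it")
    elif lowered == "administrator":
        findings.append("default Administrator name still in use: rename it")
    if not acct.password_required:
        findings.append("no password required: set one")
    if acct.last_logon is None:
        findings.append("never logged on: remove the account")
    elif now - acct.last_logon > INACTIVITY_LIMIT:
        findings.append(f"inactive for more than {INACTIVITY_LIMIT.days} days: disable it")
    if acct.password_last_set is None:
        findings.append("password has never been set: set one")
    elif now - acct.password_last_set > MAX_PASSWORD_AGE:
        findings.append(f"password older than {MAX_PASSWORD_AGE.days} days: force a change")
    return findings


def audit_accounts(accounts: list[LocalAccount], now: datetime) -> dict[str, list[str]]:
    """Map each account name to its findings, omitting clean accounts."""
    report: dict[str, list[str]] = {}
    for acct in accounts:
        findings = audit_account(acct, now)
        if findings:
            report[acct.name] = findings
    return report


def audit_idle_lock(timeout_seconds: int, password_on_resume: bool) -> list[str]:
    """Check a workstation's inactivity lock against the 15-minute rule (0 = disabled)."""
    findings = []
    if timeout_seconds == 0 or timeout_seconds > IDLE_LOCK_MINUTES * 60:
        findings.append(f"idle lock must trigger within {IDLE_LOCK_MINUTES} minutes")
    if not password_on_resume:
        findings.append("resuming from the lock must require the password")
    return findings


# Constructed inventory for illustration only, not data from any real system.
NOW = datetime(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    LocalAccount("Administrator", True, True, NOW - timedelta(days=1), NOW - timedelta(days=10)),
    LocalAccount("Guest", True, False, None, None),
    LocalAccount("jsmith", True, True, NOW - timedelta(days=3), NOW - timedelta(days=120)),
    LocalAccount("temp01", True, True, None, NOW - timedelta(days=5)),
    LocalAccount("mjones", False, True, NOW - timedelta(days=400), NOW - timedelta(days=400)),
    LocalAccount("pos-admin", True, True, NOW - timedelta(days=2), NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{name}: " + "; ".join(findings))
    print("idle lock:", audit_idle_lock(1800, False))
```

Run as a script it lists the four accounts that break a rule and leaves “pos-admin” and the already-disabled “mjones” out of the report; the same functions can be fed whatever inventory export a given environment produces.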
Change All Defaults
It is critical that default passwords be changed. Manufacturers utilize a default password for when systems and components are first installed. As you can imagine it is easy for a hacker to know the common defaults, such as “admin”, “system”, and “password”, for a device or application that they want to compromise. We have already discussed above the two default accounts Microsoft delivers with Windows operating systems, but you need to consider all default passwords:
Routers and Firewalls – Are you aware that the router that is the front line of protection for your network comes with a default password? If that password isn’t changed it is very easy for someone to break into your network. Just as important, you should know that pressing the reset button on most routers restores the factory defaults, including the default password.
Backup Devices and Media – Backup systems often also utilize passwords and have defaults, or may have no password protection at all. If someone can get to a database backup without a password it’s like leaving the front door unlocked. Additionally, any media used for on-site and off-site backups should also be password protected.
Database Defaults – Like the Windows operating system, databases like Microsoft SQL Server use usernames and passwords and are often installed with default accounts (“SA” in the case of SQL Server). At a minimum the default account should be protected by a complex password and, when possible, a different administrative account should be set up so the default account can be disabled.
All Software – All application software including virus protection and especially Point of Sale software should be checked to assure that vendor supplied accounts and passwords are reset.
Does this sound like a hassle?
Having complex passwords that change every three months may sound like a giant pain, but honestly – once you implement such a strategy you’ll find that you won’t even think about it. It will become an automatic reflex and can even help you better learn the keyboard! Will having complex passwords provide a foolproof system that can never be hacked? No, but it certainly is a first good defense and will do a great deal to protect you from the most basic forms of invasion. This is a very simple first step toward PCI DSS compliancy that has no direct hard cost. Remember that exposure to a compromise of credit card data could have a price tag of over $50,000 in direct costs. The cost of having a good password policy is taking the time to create your policy, implement it and maintain it. Use this document as a good outline to create your password policy today!
Tips and Hints
There are some ways to make this easier on your users. The key to setting up good passwords is to make them easy to remember but difficult to guess. A quick search on the internet for “complex passwords” or “password policies” will lead you to many good suggestions for ways to create good but easy to remember passwords. But remember, no password scheme should be standard across an organization, because that defeats the purpose of making passwords unique. The reason we aren’t suggesting one of these methods for creating a password is that each person should come up with their own personal password scheme.
Another way to eliminate the need of at least some users to remember a constantly changing password is to use an alternate method for logging into the system. For example, biometric logins such as a fingerprint reader can replace the use of a password, except when it is used as a second authentication method where two-factor logins are required (see PCI-DSS: Special Considerations for Remote Access). Just remember that when biometric devices are used a password still exists and still must be changed – the advantage is that once the password is reset the user doesn’t need to remember it. However, be careful that at least a system administrator remembers their password so they can reset the passwords for other users if the biometric reader is down or unavailable. The other point about a solution like a biometric or key fob type of login is that the same method needs to be supported on the operating system – like Windows – as well as in the application where credit cards and sensitive information is processed or stored.