week 7

 Implement secure password policies.

1. Foundational Principles

Modern password policies must balance security with usability, guided by evidence-based standards (e.g., NIST SP 800-63B). Key shifts include:

Eliminating periodic resets: Research shows forced changes lead to weaker passwords (e.g., "Spring2023!" → "Summer2023!").

Prioritizing length over complexity: A 12-character passphrase ("PurpleTiger$Rides@9am") is stronger than "P@ssw0rd1" and easier to remember.

Banning compromised passwords: Use databases like Have I Been Pwned to block common/breached passwords.

2. Policy Components

Technical Requirements

Minimum length: 12+ characters (NIST recommends 8, but 12+ resists brute-force attacks).

No arbitrary complexity: Allow spaces, all Unicode characters, and passphrases.

Multi-factor authentication (MFA): Mandate for all accounts, using FIDO2/WebAuthn or TOTP apps (e.g., Google Authenticator).

Account lockouts: Temporary lock after 5–10 failed attempts (prevents brute-forcing without frustrating users).

Storage & Transmission

Hashing: Use bcrypt, Argon2, or PBKDF2 with per-user salts. Example (Python):

import bcrypt  

hashed = bcrypt.hashpw(password.encode('utf-8'), bcrypt.gensalt(rounds=12))  

Encryption: TLS 1.3 for transmission; never store plaintext.

3. Behavioral & Organizational Strategies

Password managers: Deploy enterprise solutions (e.g., Bitwarden, 1Password) to generate/store unique passwords.

Training: Teach phishing recognition and the risks of reuse (e.g., credential stuffing" attacks).

Zero Trust: Assume breaches; verify every access request via MFA and least-privilege access.

4. Compliance & Monitoring

Audit logs: Track failed logins, password changes, and MFA usage.

Regular reviews: Align with frameworks like ISO 27002 or PCI DSS. Update policies annually.

5. Example Policy Template

1. **Creation**:  

   - Minimum 12 characters; passphrases encouraged.  

   - Check against breached password databases.  

2. **Storage**:  

   - Enterprise password manager required.  

   - No browser storage or physical notes.  

3. **Authentication**:  

   - MFA enforced for all systems.  

   - Session timeouts after 15 minutes of inactivity.  

4. **Updates**:  

   - Change only if compromised.  

   - No reuse of last 5 passwords.  

Conclusion

A robust password policy integrates technical controls (MFA, hashing), behavioral nudges (training, password managers), and adaptive monitoring. By deprioritizing outdated "complexity rules" and focusing on length, uniqueness, and layered authentication, organizations can mitigate 80% of credential-based breaches.

Final Answer:

Implement a policy requiring 12+ character passphrases, MFA, enterprise password managers, and breached password checks, while eliminating forced resets. Regularly audit compliance and train employees to recognize phishing.

https://heimdalsecurity.com/blog/password-policy-best-practices/

https://www.businesstechweekly.com/cybersecurity/password-security/password-policies/

https://www.cisa.gov/secure-our-world/require-strong-passwords

https://secureframe.com/blog/password-policy


Comments

Post a Comment

Popular posts from this blog

week 9 Troubleshoot cloud capacity limitations

  Step 1: Confirm and Diagnose Capacity Overload Identify affected capacity and error time: Obtain workspace name, capacity name, and exact error occurrence time. Use monitoring tools: For Microsoft Fabric, open the Microsoft Fabric Capacity Metrics app and navigate to the Compute page to check capacity utilization and system events at the error time. Look for overload signs: Confirm if the capacity was overloaded by checking status changes to "Overloaded" and observe resource consumption spikes to understand the timing and severity of the issue (e.g., 100% CU utilization). Step 2: Check for Throttling and Resource Rejections Inspect throttling metrics (interactive delay/rejection and background rejection) via the Throttling tab in monitoring tools. Verify if throttling corresponds to the error time, indicating resource exhaustion leading to delayed or rejected operations. If no throttling is detected, consider that the error might have other causes or anothe...
Read more

week 6

  **Cloud computing comes with risks such as security breaches, service outages, cost overruns, performance bottlenecks, and management complexities, which require careful planning and ongoing oversight to mitigate**.       ### Common Cloud Computing Problems     **1. Security Risks: **   Data stored in the cloud can be vulnerable to unauthorized access, breaches, and attacks if security measures are inadequate. Misconfigurations, improper access controls, and lack of encryption increase these risks. Cloud environments are frequent targets for cyberattacks, and insider threats from cloud provider employees can also pose privacy concerns [^5^] [^9^]. **2. Service Outages and Downtime: **   Despite high reliability claims, cloud services can suffer outages due to hardware failures, software bugs, or automated system errors. For example, major providers like AWS have experienced outages caused by overwhelmed networking devices or tr...
Read more

Week 5

  Cloud Computing Challenges 1 2 Cloud computing has revolutionized the IT industry by providing on-demand resources like data and storage. However, it also presents several challenges that need to be addressed to ensure smooth operations and security. Data Security and Privacy Data security is a significant concern in cloud computing. User or organizational data stored in the cloud is critical and private. Issues such as identity theft, data breaches, and malware infections can decrease user trust and lead to potential revenue loss 1 . To mitigate these risks, it is essential to implement user authentication, data encryption, and access control measures. Cost Management While cloud service providers offer a "Pay As You Go" model, hidden costs can arise from under-optimized resources, degraded application performance, and unused resources 1 . Regular auditing and resource utilization monitoring can help manage these costs effectively. Multi-Cloud Environments Many enterprises...
Read more