Say The Secret Word…
In the world of security, there is probably nothing more debated, hated, and reviled than passwords and password security. I bet if we took a field trip to Google (or search engine of your choice) we could find a boatload of articles espousing the demise of passwords.
However, I’m pretty sure that for the foreseeable future passwords are going to be with us. I’m not the only one: the CJIS Security Policy (CSP) has a few things to say about passwords.
Passwords by themselves aren’t really that bad; it’s the “stuff” that goes with passwords. If you are wondering “what stuff?”, there’s a good chance you may not be doing the “stuff”. So, I’m going to talk about some of the stuff the CSP requires.
Let’s go over what the CSP says about passwords. First and foremost, we’re talking about authenticating to applications and services that process or contain Criminal Justice Information (CJI). Remember, the CSP is focused on protecting CJI.
It’s important to make that distinction. If it’s not about a CJI system, then we aren’t “required” to apply the CSP. If you have questions about CJI, see the December 2016 Newsletter or your CJIS Systems Agency (CSA). In fact, your CSA may have some additional clarifications on the subject of CJI, or they might have requirements that go beyond the CSP.
According to the book that gives many folks acid reflux, agencies shall follow the secure password attributes, below, to authenticate an individual’s unique ID. Passwords shall:
Be a minimum length of eight (8) characters on all systems.
Not be a dictionary word or proper name.
Not be the same as the Userid.
Expire within a maximum of 90 calendar days.
Not be identical to the previous ten (10) passwords.
Not be transmitted in the clear outside the secure location.
Not be displayed when entered.
These requirements are ones that the auditors are probably not going to let you cover with a local policy. By that, I mean that the application is going to need to include edits or controls that enforce these requirements. In my years of experience, if the app doesn’t prompt you to change your password, you won’t do it.
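To show what those application-side edits look like in practice, here is an added example (my own illustration, not code from the CSP or from any vendor product) that enforces the attributes in the list above: minimum length, no dictionary word or proper name, not equal to the userid, no reuse of the last ten passwords, a 90-day expiration check, and hidden entry at the prompt. The tiny word lists are constructed placeholders; a real deployment would load a full dictionary and name list. Password history is kept as salted PBKDF2 digests so no old password is ever stored in the clear.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta
from getpass import getpass

# The CSP attributes from the article, as constants.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 10

# Constructed sample word lists (assumption: a real system would load a full
# dictionary and a proper-name list; these few entries are only illustrative).
DICTIONARY_WORDS = {"password", "welcome", "baseball", "sunshine"}
PROPER_NAMES = {"michael", "jennifer", "houston", "springfield"}


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 digest so the previous passwords can be compared
    against a candidate without ever being stored in plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches_recent(password, history):
    """True if the candidate equals any of the last HISTORY_DEPTH stored
    (salt, digest) pairs; each comparison is constant-time."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_new_password(userid, password, history):
    """Return the list of CSP attributes the proposed password violates.
    An empty list means the password is acceptable."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if lowered in DICTIONARY_WORDS or lowered in PROPER_NAMES:
        problems.append("dictionary word or proper name")
    if lowered == userid.lower():
        problems.append("same as the userid")
    if matches_recent(password, history):
        problems.append("identical to one of the previous %d passwords" % HISTORY_DEPTH)
    return problems


def change_password(userid, new_password, history):
    """Validate the candidate and, if acceptable, record its digest in the
    history so it cannot be reused within the next HISTORY_DEPTH changes."""
    problems = check_new_password(userid, new_password, history)
    if problems:
        return False, problems
    history.append(hash_password(new_password))
    return True, []


def password_expired(last_changed_iso, today_iso=None):
    """True once the password is MAX_AGE_DAYS old (dates as ISO strings such
    as '2023-01-01'); the application should then force a change."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return (today - last_changed) >= timedelta(days=MAX_AGE_DAYS)


def prompt_for_password(prompt="Password: "):
    """getpass keeps the typed characters off the screen (the 'not displayed
    when entered' attribute); it is only used for interactive entry."""
    return getpass(prompt)


if __name__ == "__main__":
    history = []
    print(change_password("jsmith", "Spr1ngRoll!", history))   # accepted
    print(change_password("jsmith", "Spr1ngRoll!", history))   # reuse rejected
    print(check_new_password("jsmith", "jsmith", history))     # short and equals userid
    print(password_expired("2023-01-01", "2023-04-01"))        # 90 days old: expired
```

The history list holds only (salt, digest) pairs, so an auditor can confirm the ten-password rule is enforced without the application ever keeping old passwords in a readable form; the expiration helper is what the login path would call to decide whether to prompt for a change before granting access.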
Here’s an important part of the password (identity/authentication) business. The password requirements also apply to administrative and vendor maintenance access. So, if your users’ accounts are following the requirements but your tech support is logging in using something like “admin/admin”, you’ve got problems.
So what if your system doesn’t have the ability to enforce these requirements? Like I said, this is one instance where you’re probably not going to get a pass. You’ll be asked to develop a plan to implement those edits. If your system(s) don’t follow these requirements, you really need to start making plans.
While we’re on passwords, don’t share them. No one needs to have your password, even for support or management purposes. If your supervisor or tech support does need your password to complete a required task, as soon as the task is over, change your password.
When someone else has your password, they have the ability to access CJI and Criminal History Record Information (CHRI) in your name (those systems are logging your access). It’s not about being paranoid; it’s about following standard security practices.
I’ve yet to work with an IT security professional who would agree that sharing passwords is a good idea. Remember, according to the CSP, users shall take reasonable measures to safeguard authenticators … not loaning or sharing authenticators (password) with others. If y’all are sharing passwords, you are out of bounds when it comes to the CSP.
Passwords, you love ‘em right? We have to live with them, just like taxes. We can do this, y’all; knowing what to do is half the battle.
As always, if you have questions, holler; email is usually the best way. If you want to talk, give me a call.
Y’all take care.