Password Authenticator
Overview
A password is a secret that should be memorized by, and known to, exactly one person. It is a knowledge-based authenticator that a user presents to prove their identity. To keep password authentication secure, we implement the following measures:
Password Authenticator Requirements
Password Length: User-chosen passwords must be at least 8 characters long, and the verifier accepts passwords of up to 64 characters so that long passphrases are not rejected.
Password Complexity and Blacklisting: We enforce checks to ensure that passwords are not commonly used or compromised. This includes cross-referencing with blacklists of known weak or breached passwords and rejecting passwords that match.
Hashing and Salted Storage: Passwords are never stored in plaintext. Each password is hashed with a unique random salt using a deliberately slow key derivation function (e.g., PBKDF2) with a tunable iteration count, so that an attacker who obtains the password database cannot use precomputed tables and must pay the full derivation cost for every guess in an offline attack.
Secure Password Transmission: Passwords are transmitted only over an authenticated, encrypted channel (e.g., TLS), which protects against eavesdropping and man-in-the-middle (MitM) attacks.
Passwords must be at least 8 characters long and may be up to 64 characters.
Passwords must not appear in our compromised-password list. If a chosen password matches an entry on that list, the user must choose a different one.
Complexity requirements (e.g., a mandatory mix of character types) should not be enforced unless necessary. Detailed reasoning for this is provided in Appendix A.
5.1.1.2 Verifier Requirements
Verifiers must accept all printing ASCII and Unicode characters, including the space character, in memorized secrets; Unicode input should be normalized (e.g., NFKC) before hashing so that the same password always verifies.
Verifiers must accept user-chosen secrets of at least 8 characters and should permit secrets of at least 64 characters.
Verifiers must not store password hints that an unauthenticated user can retrieve, and must not prompt with knowledge-based questions (e.g., "What was the name of your first pet?") as a substitute for the secret.
Blacklist check: Verifiers must reject secrets that appear in known compromised-password corpora (e.g., from data breaches), dictionary words, repetitive or sequential characters (e.g., "aaaaaa", "1234abcd"), and context-specific words such as the service name or the username.
Verifiers should encourage strong passwords through tools like password strength meters.
Rate limiting must be in place to prevent brute-force attacks.
Security Measures for Storing Passwords
Passwords must be transmitted only over an authenticated, encrypted channel (e.g., TLS) to prevent eavesdropping.
Password storage: Verifiers must hash and salt passwords with a key derivation function (e.g., PBKDF2), making them resistant to offline attacks.
Salt should be at least 32 bits in length.
A cost factor (e.g., iteration count) should be applied to increase the time it takes to compute the hash. At least 10,000 iterations is the floor; treat it as a minimum and tune the count to current hardware (for PBKDF2-HMAC-SHA256, current OWASP guidance is in the hundreds of thousands of iterations), storing the count with each hash so it can be raised later.
If an additional secret value (a "pepper", e.g. the key of an HMAC applied to the hash) is used, it must be stored separately from the hashed passwords, ideally in an HSM or key management service, so that a database compromise alone does not yield it.
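The verifier and storage requirements above map onto a small amount of code. The following is an added example written for this page, not code from the project or from the source standard: it enforces the length and blacklist checks (no composition rules), hashes with a fresh random salt and PBKDF2 with a stored iteration count, applies a separately held pepper as an outer HMAC, verifies in constant time, and keeps a per-account failed-attempt counter. The iteration count, the pepper, the compromised-password set and the 100-failure limit are hypothetical or constructed values for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Parameters taken from the page: 8..64 characters, salt of at least 32 bits,
# PBKDF2 with at least 10,000 iterations. ITERATIONS and PEPPER are
# hypothetical values chosen for this example, not numbers from the page.
MIN_LEN = 8
MAX_LEN = 64
SALT_BYTES = 16          # 128-bit salt, well above the 32-bit minimum
ITERATIONS = 210_000     # hypothetical tuning for current hardware (page floor: 10,000)
PEPPER = bytes(32)       # constructed placeholder; load from an HSM/KMS in practice

# Constructed sample compromised-password corpus; a real verifier would load
# a large breach corpus rather than this hard-coded set.
COMPROMISED = {"password", "12345678", "qwertyuiop", "letmein123"}


def normalize(password: str) -> str:
    """NFKC-normalize so equivalent Unicode input always hashes identically;
    any Unicode character, including space, is accepted."""
    return unicodedata.normalize("NFKC", password)


def check_policy(password: str, context_words=()) -> list[str]:
    """Return the list of policy violations (empty means acceptable).
    Length is counted in code points; no character-class composition rules
    are applied, matching the page's guidance."""
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    low = pw.lower()
    if low in COMPROMISED:
        problems.append("appears in compromised-password list")
    for word in context_words:          # e.g. username or service name
        if word and word.lower() in low:
            problems.append(f"contains context-specific word {word!r}")
    return problems


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256, then an outer HMAC under the separately stored pepper."""
    dk = hashlib.pbkdf2_hmac("sha256", normalize(password).encode("utf-8"), salt, iterations)
    return hmac.new(PEPPER, dk, hashlib.sha256).digest()


def hash_password(password: str) -> str:
    """Produce a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    Storing the parameters lets the cost be raised later without a reset."""
    salt = os.urandom(SALT_BYTES)         # fresh random salt per password
    digest = _derive(password, salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2-sha256":
        return False                      # unknown or malformed record
    _, iters, salt_hex, digest_hex = parts
    calc = _derive(password, bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))


def needs_rehash(record: str) -> bool:
    """After a successful login, re-hash if the stored record uses fewer
    iterations than the current policy."""
    return int(record.split("$")[1]) < ITERATIONS


class FailedAttemptLimiter:
    """Per-account failed-attempt counter behind the rate-limiting requirement.
    The default of 100 consecutive failures is hypothetical; production code
    would keep this state in shared storage with a time window."""

    def __init__(self, max_failures: int = 100):
        self.max_failures = max_failures
        self.failures: dict[str, int] = {}

    def allowed(self, user: str) -> bool:
        return self.failures.get(user, 0) < self.max_failures

    def record(self, user: str, success: bool) -> None:
        if success:
            self.failures.pop(user, None)
        else:
            self.failures[user] = self.failures.get(user, 0) + 1


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(check_policy("Password"), verify_password("correct horse battery staple", rec), needs_rehash(rec))
```

The record format carries the algorithm and iteration count with each hash, which is what makes the cost-factor requirement sustainable: when the policy is raised, `needs_rehash` flags old records at the next successful login and they are re-hashed with the new parameters instead of forcing a reset. The pepper is applied outside PBKDF2 as an HMAC key so it can live in a key store rather than in the database row.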
5.1.1.4 Password User Experience Enhancements
Verifiers should allow paste functionality for users to input passwords, especially for users utilizing password managers.
Passwords should be masked by default (dots or asterisks) as they are typed.
Verifiers should offer an option to temporarily unmask the typed password so that users, especially on mobile devices, can check for typing errors when they are in a private setting.
5.1.1.5 Password Updates
Users should be able to change their password at any time, and verifiers should not require periodic (e.g., time-based) changes, which push users toward predictable variations.
If there is evidence that a password has been compromised (e.g., it appears in a new breach corpus or suspicious activity is detected), the verifier must force a change at the next login.
Additional Considerations
User Education
Security Awareness: Users should be educated on the importance of using strong, unique passwords for each service and guided on creating secure passwords.