Good Practices for Password Management (version. 20220914)

1. Code of Practice for Using Passwords

  • Passwords must be at least 12 characters long and contain all lowercase letters, numbers and symbols.Random things are better.

    School regulations (*1) require at least 12 characters and recommend at least 16 characters. Please make it at least 12 characters, except in special cases such as non-configurable due to device or application restrictions.

    Dictionaries of frequently used words and character strings in passwords are created and shared by crackers (malicious hackers) around the world. It is necessary to avoid “dictionary attacks” that use words listed in this dictionary to analyze passwords. Recent dictionary attacks have been devised by combining words or using the personal information of the password user. It is better to use a password management tool described below and use a random string of characters.

  • Reuse of passwords is strictly prohibited.Use different passwords for different systems/services.

    Given that IDs and passwords will inevitably be leaked, it is important to take measures to prevent or minimize the damage caused by leaked IDs and passwords. The leaked IDs and passwords are compiled into a list and distributed to crackers around the world. Attacks that attempt to log into various web services using this list are called “list-based attacks.” Attack tools that allow list attacks to be easily executed are available to anyone. To avoid falling prey to list-based attacks, avoid reusing passwords

  • Be sure to enable multi-factor authentication.

    Even if your identity and password are compromised, enabling multi-factor authentication increases the likelihood of preventing unauthorized logins.Be sure to enable multi-factor authentication. In recent years, there have been many cases in which multi-factor authentication is broken. Don’t worry about multi-factor authentication and change your password immediately if it is leaked or suspected to be leaked.

  • Use password management tools.

    If you set up a different complex password for each system/service, it is impossible to remember all of these or manage them in notes. Use the password management tool. Examples of password management tools will be discussed later

2. Good Practices for System Administrators

  • Avoid sharing passwords as much as possible (except for the ability to share password management tools)

    • It is better to use sudo instead of sharing the root password for UNIX-based systems.

    • In the case that a plurality of manager users can be manufactured even in network equipment, appliance products, etc., ID and password are generated for each manager.

    • Passwords to be shared are managed by using the function of the password management tool.

  • If the system has the option to check password strength, enable it and force it to use a secure password.

  • Systems connecting from outside the university do not use authentication with only ID and password.

    • SSH is used for key authentication.

    • VNC and RDP will be limited to campus networks.If you use it from outside the university, use a VPN together.

    • HTTP BASIC authentication will be limited to campus networks

    • In the case of using a service limited to an in-school network, tunneling or the like by SSH of VPN connection or key authentication is used.

3. Password Management Good Practices for Organizations

  • A password management tool having a password sharing function is utilized.

    For example, 1Password, LastPass, Bitwarden , etc. have the ability to share passwords with multiple people. There are other similar tools out there, so check them out. The cost is often around a few thousand yen per user per year. You need to purchase this for the number of people you want to share the password with.

4. Personal Password Management Good Practices

  • The standard password storage function of web browsers can be used as a personal password management tool. By using this function, you can synchronize password information between your PC and smartphone. Some devices even have a feature that will notify you if your password has been compromised. However, since it is browser-based, it is only a web service.

  • It is best to manage IDs and passwords using a dedicated personal password management tool. I think either freeware or paid software is fine. Some freeware requires careful use in order to synchronize password information between personal PCs and smartphones.

    • Example of configuring password manager on PC, macOS, iOS and Android using freeware

      1. Make Google Drive available (supports multiple non-Google Drives cloud storage).

      2. Install KeeWeb on your PC (Windows, macOS) and create a new password database on your local disk. Use sufficiently long passwords in the password database file and manage them strictly. Enter the ID and password you want to remember and exit keeWeb.

      3. Upload the password database file keeppassx.kdbx to Google Drive.

      4. Restart KeeWeb, click Show more, click the Google Drive icon, and browse to keepassx.kdbx that you uploaded to Google Drive. Now you can share keepassx.kdbx on Google Drive. Ready to have.

      5. For iOS, iPadOS. Install the Google Drive app and make keepassx.kdbx accessible. Install KeePassium and select Keepassx.kdbx on Google Drive in Open Database. Now you can share your password database on iOS and iPadOS. KeePassium supports Face ID/Touch ID, and by configuring Face ID/Touch ID, you no longer have to enter your password in the password database.

      6. For Android. Make sure you can access keepassx.kdbx on Google Drive. Install Keepass2Android and select Google Drive in Open database. Set permissions for Keepass2Android and select Keepassx.kdbx. Now you can share your password database even on Android.

    You can now share a password database between heterogeneous devices.

reference

*1 Procedures for operation and management of information systems at University of electro-communications (https://www.cc.uec.ac.jp/rule/)