In SSCP Domain 2: Security Operations and Administration, we dive into the technical controls used to manage access. The simplest and most universal control is the first of the three authentication factors: Something You Know.
This factor relies on secrets—passwords, PINs, or passphrases—which only the legitimate user is supposed to know. While passwords are the weakest of the three factors (because they can be guessed, stolen, or cracked), they remain the foundation of almost every modern authentication system. Therefore, implementing strong password policies is a non-negotiable administrative and technical control.
The Three Pillars of Password Strength
A robust password policy, enforced by the Data Custodians and monitored by the Security Analyst, must focus on three primary security pillars:
1. Complexity (The Content)
Complexity defines the requirements for the structure of the password itself.
- Goal: Make the password difficult for an attacker to guess or crack using brute-force or dictionary attacks.
- Best Practices:
- Minimum Length: This is the most critical element. NIST SP 800-63B requires at least 8 characters for user-chosen passwords (later revisions raise this to 15 when the password is the only authentication factor) and says systems should accept at least 64 characters so that passphrases are possible. Length dominates: every extra character multiplies the key space by the alphabet size, whereas a larger alphabet only changes that multiplier.
- Character Sets: Traditional policies require a mix of upper-case letters, lower-case letters, numbers, and special characters, which enlarges the key space (alphabet size raised to the password length). NIST SP 800-63B now recommends against mandatory composition rules: users satisfy them predictably (P@ssw0rd1!), so the real entropy gain is small. Accept all printable characters, including spaces and Unicode, but do not require particular classes.
- Avoid Dictionary Words: Screen every new password against a blocklist of breached and common passwords, dictionary words, the user's own name or username, the organization's name, and simple keyboard patterns (qwerty, 1234), and tell the user why a rejected password failed.
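The three complexity checks above can be written as one validator. The following is an added example, not code from the original article or any named product: it enforces the NIST-style length bounds, screens against a small constructed blocklist standing in for a breached-password corpus (undoing the l33t substitutions users make to dodge such lists), rejects the username and a hypothetical company name "acme", and detects keyboard walks. Composition rules are implemented but switched off by default, matching the modern guidance.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for a breached/common-password corpus; a real deployment
# would load the Have I Been Pwned list or a similar corpus here.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Substitutions users make when forced to "add complexity": P@ssw0rd -> password
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"})


@dataclass
class Policy:
    min_length: int = 8                  # NIST SP 800-63B minimum for user-chosen secrets
    max_length: int = 64                 # NIST: accept at least 64 so passphrases work
    require_mixed_classes: bool = False  # legacy composition rule; off by default
    blocklist: set = field(default_factory=lambda: set(COMMON_PASSWORDS))
    context_words: tuple = ("acme",)     # hypothetical company name


def _normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/punctuation, then undo l33t substitutions,
    so 'P@ssw0rd1!' is compared against the blocklist as 'password'."""
    stripped = re.sub(r"[\d\W_]+$", "", pw.lower())
    return stripped.translate(LEET)


def _has_keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if any `run` adjacent keys from one keyboard row appear (either direction)."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in s or seg[::-1] in s:
                return True
    return False


def check_password(pw: str, username: str = "", policy: Optional[Policy] = None) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    policy = policy or Policy()
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(pw) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if _normalize(pw) in policy.blocklist:
        problems.append("matches a common/breached password after normalization")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if any(w in pw.lower() for w in policy.context_words):
        problems.append("contains a context-specific word (e.g. company name)")
    if _has_keyboard_walk(pw):
        problems.append("contains a keyboard walk such as 'qwer' or '1234'")
    if len(set(pw)) <= 2:
        problems.append("uses too few distinct characters")
    if policy.require_mixed_classes:
        classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
        if classes < 3:
            problems.append("must use at least three character classes")
    return problems
```

Note what the normalization buys: a composition rule alone would accept "P@ssw0rd1!", while this check rejects it as the blocklisted word it really is, and the random four-word passphrase "correct horse battery staple" passes with no special characters at all.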
2. History and Reuse (The Scope)
This pillar addresses two kinds of recycling: reusing slightly modified old passwords on the same account, which a history rule can enforce, and reusing one password across different accounts, which the organization cannot observe directly and must counter with breached-password screening, password managers, and user education.
- Goal: Limit the damage if a password is compromised (e.g., in a data breach of an unrelated service, after which attackers replay the leaked credentials against your systems in a credential-stuffing attack).
- Best Practices:
- History Check: Enforce a password history rule (e.g., users cannot reuse any of their last 10 passwords).
- Account Lockout: Lock the account after a small number of unsuccessful login attempts (e.g., 3-5; NIST SP 800-63B sets a ceiling of 100 consecutive failures per account). This thwarts online brute-force guessing, but it does nothing against offline cracking of stolen hashes, and a permanent lock lets an attacker deny service to a user simply by entering wrong passwords. Prefer a temporary lock or progressively longer delays, and alert on the pattern rather than locking forever.
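The lockout rule is simple to state but easy to get wrong in the details (counting failures forever, never unlocking, or telling a locked-out attacker whether the password was right). The following is an added example, not code from the original article: a sliding-window temporary lockout with an injectable clock so the behaviour can be walked through without waiting. The account names, the verifier stand-in and the window/lock durations are illustrative.

```python
import time
from collections import defaultdict, deque
from typing import Callable


class LockoutPolicy:
    """Temporary lockout with a sliding window.

    An account is locked for `lock_seconds` once `max_failures` failed attempts
    occur within `window` seconds. Old failures age out, a successful login clears
    the counter, and the lock expires on its own, so an attacker cannot permanently
    deny service by spraying wrong passwords at a victim.
    """

    def __init__(self, max_failures: int = 5, window: float = 900,
                 lock_seconds: float = 900, clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lock_seconds = lock_seconds
        self.clock = clock
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._locked_until = {}               # account -> expiry time of the lock

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:             # lock expired: start fresh
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record a failed attempt; return True if this failure triggered a lock."""
        now = self.clock()
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # age out old failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(policy: LockoutPolicy, account: str, password: str,
                  verify: Callable[[str, str], bool]) -> str:
    """Return 'locked', 'denied' or 'ok'. The lock is checked before the credential,
    so a locked account answers identically for right and wrong passwords."""
    if policy.is_locked(account):
        return "locked"
    if verify(account, password):
        policy.record_success(account)
        return "ok"
    return "locked" if policy.record_failure(account) else "denied"


class FakeClock:
    """Constructed clock for the walkthrough; production code uses time.monotonic."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> list:
    """Three wrong guesses lock 'alice'; the right password is refused while locked
    and accepted once the lock expires."""
    clock = FakeClock()
    policy = LockoutPolicy(max_failures=3, window=600, lock_seconds=300, clock=clock.now)

    def verify(account: str, pw: str) -> bool:
        # Stand-in verifier; real code compares against a salted password hash.
        return account == "alice" and pw == "correct horse battery staple"

    results = []
    for guess in ("password", "Password1", "letmein"):
        results.append(attempt_login(policy, "alice", guess, verify))
    results.append(attempt_login(policy, "alice", "correct horse battery staple", verify))
    clock.advance(300)
    results.append(attempt_login(policy, "alice", "correct horse battery staple", verify))
    return results
```

The fourth attempt in demo() is the denial-of-service trade-off in miniature: the legitimate user with the correct password is turned away until the lock expires, which is why the lock is short-lived and why the failure burst should also raise an alert for the security analyst.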
3. Expiration and Management (The Lifetime)
Traditional security practices mandated frequent password changes (e.g., every 90 days). Modern recommendations have shifted dramatically.
- The Modern Shift (NIST SP 800-63B): NIST now recommends against arbitrary, periodic password changes. Research found that forced changes lead users to increment a number or swap one character, so the new password is predictable from the old one and weaker than a password the user would have kept.
- When to Change: Passwords should only be changed under the following conditions:
- Compromise: When the password is known or suspected to be compromised.
- First Use: Immediately after a temporary or initial password is set.
- Passphrases over Passwords: Encourage the use of passphrases—long strings of random, unrelated words (e.g., “Correct Battery Horse Staple”). These are easy for humans to remember but computationally difficult for machines to crack.
Practical Management Tools for Passwords
The administrative policy is only effective if it’s supported by technical controls:
- Password Managers: Encourage the use of password managers (like corporate solutions or reputable third-party tools). These tools generate long, complex, unique passwords and store them securely, removing the burden of memorization from the user.
- Hashing and Salting: When storing passwords on a server, the Data Custodian must never store them in plain text, and must not store them encrypted with a key the server also holds. They must be stored as salted one-way hashes produced by a deliberately slow, purpose-built password hashing function (Argon2id, bcrypt, scrypt, or PBKDF2); a fast general-purpose hash such as MD5 or SHA-256 on its own is inadequate because an attacker with the stolen hashes can test billions of guesses per second offline. Salting (adding a unique, random string to each password before hashing) defeats pre-computed rainbow tables and ensures that two users with the same password do not share the same hash. Passwords should be compared in constant time, and the stored cost parameters should be raised over time as hardware gets faster.
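The storage rules above, and the history check from the second pillar, can be seen in one small module. This is an added example, not code from the original article: it uses PBKDF2-HMAC-SHA256 from the Python standard library (Argon2id or bcrypt would be equally valid choices but need third-party packages), stores salt and iteration count alongside the hash so the cost can be raised later, compares in constant time, and implements the "last N passwords" history check as a verify against each stored record. The record format, function names and the 600,000-iteration default (OWASP's current PBKDF2-HMAC-SHA256 figure) are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000    # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algorithm$iterations$salt_b64$hash_b64'.
    Storing the parameters lets the iteration count be raised without
    invalidating existing records."""
    salt = salt if salt is not None else os.urandom(16)   # fresh 128-bit random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join((ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare in
    constant time, so timing does not reveal how many leading bytes matched."""
    try:
        alg, iters, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False                       # malformed record: fail closed
    if alg != ALGORITHM:
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a weaker setting than current policy.
    Rehash on the next successful login, the only time the plaintext is available."""
    alg, iters, _salt, _hash = stored.split("$")
    return alg != ALGORITHM or int(iters) < iterations


def violates_history(candidate: str, previous_records: list, depth: int = 10) -> bool:
    """History rule: the new password may not equal any of the last `depth` passwords.
    Every record carries its own salt, so the check is one verify per record."""
    return any(verify_password(candidate, rec) for rec in previous_records[-depth:])


def unsalted_sha256(password: str) -> str:
    """What NOT to do: fast and unsalted. Identical passwords give identical digests,
    so one rainbow-table lookup or one cracked hash breaks every matching account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```

Two things to observe when running it: hashing the same password twice yields two different records because each call draws a fresh salt, whereas unsalted_sha256 returns the same digest every time; and the history check works only because verification recomputes against each old record's own salt, which is also why a history rule cannot be implemented on top of encrypted-but-recoverable passwords without undoing the whole point of hashing.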
Resources for Further Study
Understanding the modern perspective on password policy, especially the move away from forced expiration, is vital for the SSCP exam.
Extensive Website References
- NIST SP 800-63B: Digital Identity Guidelines (Authentication and Lifecycle Management)
- Reference: Search for “NIST 800-63B Password Guidance”
- Value: This is the definitive, modern standard for password policy, advocating for length and history checks over forced expiration.
- OWASP (Open Web Application Security Project) Authentication Cheatsheet
- Reference: Search for “OWASP Authentication Cheat Sheet Password”
- Value: Provides developer-focused, technical best practices for password hashing, storage, and handling.
- Microsoft Security Compliance Guidance on Password Policy
- Reference: Search for “Microsoft Password Guidance Abandoning Periodic Password Change”
- Value: Shows how a major enterprise vendor has shifted its stance to align with NIST recommendations.
Recommended Video Resources
| Focus Area | Recommended Video Search Topic | Key Takeaway |
| --- | --- | --- |
| Password Hashing & Salting | “How Password Hashing and Salting Works” | A visual explanation of why plain-text storage is dangerous and how salting protects against rainbow table attacks. |
| The NIST Shift | “Why You Shouldn’t Change Your Password Every 90 Days” | Focuses on the behavioral science behind why forced expiration weakens security and what NIST recommends instead (compromise-based change). |
| Passphrases | “Passphrases vs. Passwords Security” | Demonstrates the computational strength of a long passphrase composed of random words compared to a complex, short password. |