Chapter 99 · Flashcards

Password Security — Flashcards

Eleven cards covering entropy and length vs. complexity, password complexity requirements, expiration and history policies, credential stuffing prevention, password managers (encrypted vaults, unique passwords, enterprise vs. consumer), passwordless authentication with TPM and biometrics, JIT permissions with clearinghouses and ephemeral credentials, and password vaulting with session proxying. Click any card to flip it.

What is password entropy, and does length or character set size contribute more to it?

Entropy measures password unpredictability. Calculated as: character_set_size ^ length. Both factors contribute, but length has greater marginal impact. Each additional character multiplies possibilities by the full character set size. A 16-character lowercase-only password (26^16 ≈ 4.4×10^22 combinations) has far more entropy than an 8-character full-character-set password (94^8 ≈ 6×10^15 combinations). Modern NIST guidance favors long passphrases over short complex passwords for this reason. Increasing length by 1 character multiplies by the character set; increasing the character set from 26 to 94 only multiplies by 3.6× — smaller gain per unit effort.

What are traditional password complexity requirements, and why does NIST now de-emphasize them?

Traditional requirements: uppercase, lowercase, numbers, special characters, minimum 8 characters. Why NIST de-emphasizes them (NIST SP 800-63B): complexity rules produce predictable patterns. P@ssw0rd1! satisfies all four categories but appears in millions of breach databases. Users forced to meet complexity requirements create patterns (capital at start, number at end, ! substituted for i) that attackers know and exploit. NIST now recommends: minimum length 8+ (preferably longer), accept passphrases (correct horse battery staple), block known breached passwords via a deny-list, and eliminate mandatory periodic changes for accounts with MFA.

What do password expiration and password history policies do, and what failure mode does each prevent?

Password expiration: requires change after 30/60/90 days. Prevents a compromised credential from being usable indefinitely. Failure mode prevented: long-term use of a stolen credential. Trade-off: users create weaker, predictable passwords when forced to change frequently. Password history: stores hashes of the last N passwords (typically 24) and prevents reuse. Prevents: immediately cycling back to the previous password, and N+1 patterns (Password1 → Password2 → Password1 again). Combined: expiration forces change; history ensures the change produces a genuinely different credential. NIST recommends against expiration for accounts with MFA; history remains valuable regardless.

What is credential stuffing, and how do password managers prevent it?

Credential stuffing: an automated attack where username/password pairs stolen from one breach are tested against other services at scale. Effective because users reuse the same password across multiple sites. If one site is breached, all sites using the same credential are vulnerable. How password managers prevent it: managers generate unique random passwords for every account. Even if Service A is breached and its password is exposed, the exposed password is only valid at Service A — it is different from the password at Service B, banking, email, etc. Password reuse is the vulnerability; password managers eliminate reuse by generating and storing unique credentials per service.

How does a password manager work, and what are three security properties it provides?

Password manager: generates, stores, and retrieves strong unique passwords. The vault is encrypted with a master password (and typically MFA). Only the master password must be memorized; all others can be random 20+ character strings. Three security properties: (1) Encrypted vault — master password never leaves the device unencrypted; database is AES-encrypted at rest. (2) Unique passwords per service — eliminates credential stuffing risk. (3) Strong generation — random passwords no human would choose (avoiding dictionary attacks). Enterprise versions add centralized admin, audit logs, and policy enforcement. Consumer versions (1Password, Bitwarden) lack centralized management.

What is passwordless authentication, and how does Windows Hello exemplify it?

Passwordless authentication eliminates the traditional password. Authentication uses other factors: biometrics (facial recognition, fingerprint), FIDO2 security keys, magic links, or push notifications. Windows Hello example: facial recognition (something you are) unlocks a private cryptographic key stored in the TPM chip (something you have). The TPM-stored key performs the actual authentication challenge-response. No password is entered or transmitted. This is true MFA: biometric + hardware token (TPM). The private key never leaves the TPM, making remote credential theft impossible. Passwordless eliminates phishing, credential stuffing, brute-force, and password reuse risks simultaneously.

What is just-in-time (JIT) permissions, and what is the role of the clearinghouse?

JIT permissions grant elevated access only when needed, for only as long as needed. Implements least privilege at a time-based granularity. Clearinghouse: the PAM system that validates the request against policy before granting elevated credentials. Validation checks: does a valid ticket exist? Is this a approved maintenance window? Was manager approval obtained? Has the request been submitted within scope? Only after validation does the clearinghouse issue the temporary credential. Ephemeral credentials: temporary credentials with a short TTL (1–4 hours) that automatically expire. An attacker who captures JIT credentials during a maintenance window cannot use them after the window closes.

What is password vaulting, and how is it different from a password manager?

Password vaulting (CyberArk PAM, BeyondTrust, Thycotic) stores privileged account credentials (root passwords, service account credentials, database admin passwords) in a secure vault. Key difference: the administrator never sees the actual password. The vault proxies the session to the target system using the stored credential; the admin sees a connected session, not the credential. Automatic rotation: credentials rotate after each checkout. Full audit trail: session recording and keystroke logging. Password manager: shows the user the stored password for them to type or auto-fill. Vaulting: hides the credential entirely and brokers the session. Vaulting is for privileged/shared accounts; managers are for individual accounts.

What is the primary security goal of password vaulting, and what systemic problem does it solve?

Primary goal: ensure that primary privileged credentials are never exposed to human administrators. The vault proxies all connections; admins never know the password. Systemic problem solved: shared privileged accounts. In organizations without vaulting, multiple administrators know the root or administrator password for critical systems. This creates: impossible accountability (anyone could have used it), rotation disruption (every admin must be notified of a change), and exfiltration risk (departed admins retain the password). Vaulting eliminates shared knowledge by ensuring no human knows the actual credential — only the vault does. Rotation is automated and invisible to users.

Compare JIT permissions and password vaulting: primary goal, credential type, and human exposure to the password.

JIT permissions: goal = minimize window of elevated access. Credential type = temporary/ephemeral (created for the task, expires in hours). Human exposure = may receive temporary credential. Use case = granting temporary elevation for specific tasks (patching, troubleshooting). Password vaulting: goal = protect primary credentials from human exposure. Credential type = permanent (stored indefinitely, rotated by vault). Human exposure = NEVER sees the actual credential; vault proxies the session. Use case = privileged accounts (root, DBA, service accounts) that must always exist but whose passwords should never be known by humans. They are complementary: JIT addresses when, vaulting addresses secrecy.

What is a passphrase, and why does it provide more security than a complex short password?

A passphrase is a sequence of multiple words used as a password: correct horse battery staple or my cat drinks purple water. Security advantage: length dominates entropy. A 4-word passphrase of common words has approximately 2^44 entropy (44 bits) from length alone, compared to 2^40 bits for a typical 8-character complex password. Passphrases are also significantly more memorable, reducing the pressure that causes users to write passwords down or use predictable patterns. NIST SP 800-63B explicitly recommends accepting passphrases up to 64 characters. Modern password managers generate and store long random passphrases, combining memorability (for the master password) with entropy.