mlauth

Repository for research and snippets relating to login and authorization with a view to a friendlier, more secure authentication flow

Links

Security Questions

FCC Order, 2007

https://apps.fcc.gov/edocs_public/attachmatch/FCC-07-22A1.pdf

  1. Use of Password Protection. For accounts that are password protected, a carrier cannot obtain the customer’s password by asking for readily available biographical information, or account information, to prompt the customer for his password. We therefore allow carriers to create back-up customer authentication methods for lost or forgotten passwords that are also not based on readily available biographical information, or account information.

We agree with commenters that assert that individuals tend to choose passwords that are based on personal information and therefore pretexters can easily circumvent password protections. ... To prevent this, we prohibit carriers from using prompts to request the customer’s password based on readily available biographical information, or account information.

We do not require carriers to adopt a specific back-up authentication method because we believe that by directing carriers to do so we might make it easier for pretexters to defeat the protections we adopt in this Order.

A shared secret is one or more question-answer combinations that are known to the customer and the carrier but are not widely known. Thus, if the customer lost or forgot a password, the carrier could provide the pre-selected shared secret question, or set of shared secret questions, to the customer for authentication purposes.

A carrier cannot disclose call detail information over the telephone during a customer-initiated telephone call until the carrier is able to reauthenticate the customer without the use of readily available biographical information, or account information.

Although we do not mandate what specific level of password protection carriers must provide for their customers for online access, we expect carriers to ensure that online access to CPNI is adequately password protected. For example, we believe it would be reasonable for carriers to block access to a customer’s account after repeated unsuccessful attempts to log in to that account to prevent hackers from using a so-called “brute force attack” to discover account passwords. Carriers may also determine the password format they deem appropriate. For example, carriers may decide the length of the password, whether or not the password should be case-sensitive, or whether the password should require a mix of numerals, letters, and other symbols.

For existing online accounts, although we do not mandate that a carrier reinitialize those accounts, if a carrier provides a back-up authentication method that is not in conformance with this Order (i.e., the method is based on carrier prompts for readily available biographical information, or account information), then a carrier must modify its back-up authentication method to comply with this Order.

Readily available biographical information. “Readily available biographical information” is information drawn from the customer’s life history and includes such things as the customer’s social security number, or the last four digits of that number; mother’s maiden name; home address; or date of birth.

Section 64.2010e Establishment of a Password and Back-up Authentication Methods for Lost or Forgotten Passwords. To establish a password, a telecommunications carrier must authenticate the customer without the use of readily available biographical information, or account information. Telecommunications carriers may create a back-up customer authentication method in the event of a lost or forgotten password, but such back-up customer authentication method may not prompt the customer for readily available biographical information, or account information. If a customer cannot provide the correct password or the correct response for the back-up customer authentic

55 “Readily available biographical information” includes such things as the customer’s social security number, or the last four digits of that number; the customer’s mother’s maiden name; a home address; or a date of birth.