S 4.306 Handling of password storage tools
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, User
Most people need to remember a number of passwords, PINs, and other confidential authentication information, both for work and for private use. This regularly leads to problems. Typical examples include users forgetting their passwords, which then requires complex reset procedures, or users writing their passwords down and storing them insecurely.
To avoid such problems, there are products available for use as a technical aid to enable the administration of numerous passwords, PINs and other confidential authentication information. Such password storage tools, which are also referred to as password safes, are available as pure software solutions as well as in combination with separate hardware. Various aspects need to be taken into account when using password storage tools (see also S 2.22 Escrow of passwords):
The escrow or storage of passwords always requires organisational time and effort. Every time a stored password is changed, the corresponding entry in the password storage tool must be updated as well; this step must not be forgotten, otherwise the stored entry becomes useless.
Before a password storage tool is used, the protection requirements of the passwords to be stored by the tool must be assessed. Not all password tools are suitable for storing passwords with high protection requirements. However, password tools also help the user to select a different password for each application while ensuring each password is as complex as possible.
If a tool is to be used to store passwords, then the following requirements for such tools must be considered.
- It must not be possible for unauthorised persons to gain access to the stored passwords. Every access to the password storage tool should be logged.
- A password storage tool should be easy and intuitive to use. There should not be any restrictions on the length or the character composition of the securely stored passwords. It should be possible to use long and complex master passwords, and their use should be mandatory if the technology used permits this.
- A password storage tool must not provide any option for users to log on without entering a master password or any option allowing the master password to be "remembered" automatically by the tool.
- The tool should automatically log a user off after a prescribed period of inactivity.
- Passwords must only be stored in encrypted form. An approved encryption method and an adequate key length must be selected for this purpose.
- Before purchasing a password tool, technical magazines and Internet forums should be consulted to see if there are any reports, tests or even descriptions of successful attacks on the tool in question. Likewise, the same sources should be checked regularly to see if any security gaps have been detected recently in the tools used.
- Unfortunately, serious security deficiencies have been discovered in tools used for password storage and will continue to be discovered. For example, some tools kept the master password in plain text in memory or on the clipboard. For this reason, only password tools whose security has been certified should be used, if possible (see S 2.66 The importance of certification for procurement).
- Since access to the password storage tool needs to be well protected, it may make sense to use products with dedicated security hardware, for example password tools on USB tokens or chip cards.
- To provide protection against keyloggers, it may also make sense to use a password tool in which the passwords are entered using a mouse-driven on-screen keyboard. The on-screen keyboard should offer numbers as well as letters and special characters so that the widest possible range of passwords can be selected. In addition, the characters should be displayed dynamically on the on-screen keyboard, i.e. the characters should be rearranged every time a character is entered. Entering passwords takes longer in this case, but it also makes it more difficult for malware to read the passwords based on the positions of the characters on the screen.
- It should be possible to enter the master password quickly and easily. The procedure for entering the master password must be examined closely, especially for password storage tools with integrated input keys and when using on-screen keyboards. If entering a password takes too long, for example because each character needs to be selected individually, then it will be very easy to observe the master password during entry, and user acceptance will suffer.
- If a password storage tool with an external power supply, for example a battery, will be used, then it must be examined what happens to the passwords when the power supply is disrupted. It may be necessary to make additional data backups, which also need to be adequately protected.
In addition, the following general conditions, among others, must be considered when using tools to store passwords:
- It must be necessary to log in successfully in order to gain access to the password storage tool. In general, passwords or PINs are used in this case as well to log in. The highest possible demands should be placed on the quality of these passwords or PINs. Master passwords used for this purpose must be long and contain a variety of characters (see S 2.11 Provisions governing the use of passwords).
- Unsuccessful login attempts should be rejected with a brief error message which does not contain any specific details. In particular, the message appearing in the event of unsuccessful login attempts should not indicate whether the user name or the password (or both) was incorrect. After three unsuccessful attempts to enter a password for the same user account, the authentication system should block access to the corresponding user account (for a certain time or permanently). The fact that a user account has been locked must not be recognisable in the messages appearing for all subsequent unsuccessful login attempts. Instead, the corresponding user should be informed via a separate route that their account has been locked.
- It is even better to respond to unsuccessful login attempts by displaying a typical user interface instead of an error message. If apparently real but useless results are subsequently displayed on the screen, then an attacker will not be able to immediately recognise that the password entered was not the right password.
- If possible, password tools should only be used on trusted IT systems, i.e. only on IT systems that are monitored or under the control of the organisation itself. Such trusted systems could include mobile telephones, PDAs or special authentication servers, for example.
- External web-based services for password storage should only be used when the reliability of the service provider is adequate in terms of the protection requirements of the passwords. Credit card data and the corresponding PINs must never be stored using external web-based services, since the reliability and security of such a service is difficult to verify.
- Only password tools whose security has been examined and which have been approved by the organisation should be used.
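The access-control requirements listed above (no automatic "remembering" of the master password, automatic logoff after inactivity, a lockout after three failed attempts, and an error message that reveals neither the reason for the failure nor a locked state) can be illustrated in code. The following is an added example written for this page, not the code of any particular product: it keeps only a salted PBKDF2 verifier of the master password, and the iteration count, timeout and `VaultGate` name are constructed values chosen for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for this example; tune the iteration count to the platform.
PBKDF2_ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 3          # block the account after three failures
INACTIVITY_TIMEOUT = 300         # seconds of inactivity before automatic logoff
GENERIC_ERROR = "Login failed."  # identical text for wrong password and locked account


class VaultGate:
    """Master-password gate of a password safe: verifier-only storage,
    lockout after repeated failures, automatic logoff of idle sessions."""

    def __init__(self, master_password: str, clock=time.monotonic):
        self._clock = clock                      # injectable for deterministic tests
        self._salt = secrets.token_bytes(16)
        self._verifier = self._derive(master_password, self._salt)
        self._failed = 0
        self._locked = False
        self._last_activity = None               # None: no open session

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # The master password itself is never stored, only this derived verifier.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def login(self, attempt: str) -> tuple[bool, str]:
        """Return (success, message). The derivation and comparison run even when
        the account is locked, so timing and message do not reveal the lock."""
        candidate = self._derive(attempt, self._salt)
        matches = hmac.compare_digest(candidate, self._verifier)
        if self._locked or not matches:
            self._failed += 1
            if self._failed >= MAX_FAILED_ATTEMPTS:
                self._locked = True              # owner is informed via a separate route
            return False, GENERIC_ERROR
        self._failed = 0
        self._last_activity = self._clock()
        return True, "ok"

    def session_open(self) -> bool:
        """Check the inactivity timer; an expired session is closed automatically."""
        if self._last_activity is None:
            return False
        if self._clock() - self._last_activity > INACTIVITY_TIMEOUT:
            self._last_activity = None           # automatic logoff
            return False
        self._last_activity = self._clock()      # activity refreshes the timer
        return True
```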
All employees in the organisation should be informed whether or not they are allowed to use password storage tools. If such tools are allowed, then the users must be informed which tools have been approved for use. There should also be a rule that describes which types of passwords should be stored using the tool and which general requirements need to be met in this case.
Review questions:
- Is it checked, before a password storage tool is used, whether it can meet the protection requirements of the passwords to be stored?
- Does the selected password storage tool provide adequate access control and support encrypted storage?
- If the use of password storage tools has been approved within the organisation: Do the users know which tools may be used?
- If the use of password storage tools has been approved within the organisation: Are there rules on what types of passwords may be stored using the tool?