Project:Infrastructure/Password policy

From Gentoo Wiki
Warning: this page is a work in progress by MGorny. Treat its contents with caution.

This page provides policies and recommendations for managing passwords for websites and other services. Those policies are binding for access related to Gentoo work.

Requirements

When using password authentication to Gentoo services and other systems that affect Gentoo, please:

  • Use strong passwords to improve brute-force resistance — long (12 characters at the very least) and using a diverse symbol set (lowercase and uppercase letters, digits, symbols).
  • Do not use passwords that resemble dictionary words (in any language), names, dates or other publicly available information about yourself, nor trivial combinations of these or trivial transformations of dictionary words.
  • Never use the same password for two different domains: if one site is compromised, the password can be replayed against the others (some sites even mail passwords in cleartext!).
  • Never write passwords down or store them in cleartext on permanent storage.
    • If a password must be saved, make sure it is encrypted before writing and/or keep it on tmpfs with appropriately restricted permissions.
    • If a password must be displayed, make sure no one can see it.
  • Use separate API keys for script use (rather than the primary password) wherever available.
    • If API keys support limited scopes, narrow the access whenever possible.
  • Enable two-factor authentication wherever supported. This will provide a second barrier if a password is compromised.
  • If there's even the slightest risk that the password could have been compromised, rotate it!
    • Accidentally typing part of the password into a browser address bar or into the username field of an SSH login session counts as well.
    • It is good practice to rotate a password when used in an insecure location (e.g. someone else's computer).
  • Even when unaware of events that might compromise a password (such as failed login attempts), rotating it on a periodic basis is good practice.
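The requirements above can be checked mechanically before a password is accepted. The following is an added example, not part of the wiki page or any Gentoo tool: it encodes the length, character-diversity and dictionary-word rules as a single policy function. The sample dictionary and the substitution table are constructed for illustration; a real deployment would load a full wordlist.

```python
import re
import string

# Constructed sample dictionary standing in for a real wordlist; a deployment
# would load a full one (assumption, not part of the wiki page).
SAMPLE_DICTIONARY = {"gentoo", "password", "portage", "emerge", "summer", "welcome"}

# Common substitutions, so that "p@ssw0rd" still counts as a trivial
# transformation of a dictionary word.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 12  # the page's stated minimum


def normalise(text: str) -> str:
    """Lower-case and undo common substitutions before dictionary matching."""
    return text.lower().translate(LEET_MAP)


def character_classes(password: str) -> set:
    """Return which of lower/upper/digit/symbol occur in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def contains_dictionary_word(password: str, dictionary, min_word_len: int = 4) -> bool:
    """True if a dictionary word of at least min_word_len letters appears in the
    normalised password (so "G3nt00!" is caught as "gentoo")."""
    norm = normalise(password)
    return any(len(word) >= min_word_len and word in norm for word in dictionary)


def policy_violations(password: str, dictionary=SAMPLE_DICTIONARY,
                      personal_info=()) -> list:
    """Return the list of requirements the password breaks; empty means it passes.

    personal_info: strings the user must not embed (names, usernames, dates).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = {"lower", "upper", "digit", "symbol"} - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if contains_dictionary_word(password, dictionary):
        problems.append("contains a dictionary word or a trivial transformation of one")
    norm = normalise(password)
    for item in personal_info:
        if len(item) >= 3 and normalise(item) in norm:
            problems.append(f"contains personal information: {item!r}")
    # Year-like digit runs (birth years, "2024") are public information too.
    if re.search(r"(?:19|20)\d{2}", password):
        problems.append("contains a year-like digit sequence")
    return problems
```

Substitution-aware matching is what makes the dictionary rule bite: `G3nt00_R0cks!!` is long and uses all four classes, yet it normalises to `gentoo_rocksii` and is rejected, while a random string of the same length passes.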

Creating and remembering strong passwords

All password management solutions require creating and memorizing at least one strong password.

The best resource on how to create strong passwords that are easy to memorize is XKCD#936.

Solutions for creating and managing multiple passwords

Password managers

One possible solution for creating unique passwords for different websites is to use randomly generated passwords kept in a password manager. When using a password manager, make sure that the passwords are stored encrypted and that a strong master password protects them.

The choice of password managers includes:

Some password managers include built-in random password generation tools. Alternatively, see Password_management_tools#Password_Generators.
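Both generation tasks on this page, the memorable master passphrase of XKCD#936 and the random per-site passwords a manager stores, come down to drawing uniformly from a cryptographically secure source. The following is an added example, not code from the wiki page or from any password manager listed on it; the wordlist is constructed for illustration, and a real passphrase would use a published list of several thousand words.

```python
import math
import secrets
import string

# Constructed sample wordlist; a real deployment would use a published list of
# a few thousand words (assumption, not part of the wiki page).
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple", "portage", "emerge",
                   "kernel", "overlay", "ebuild", "handbook", "stage", "profile",
                   "compile", "mirror", "sync", "tree"]

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)
FULL_ALPHABET = "".join(CHARACTER_CLASSES)  # the 94 printable ASCII characters


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of `length` independent uniform picks out of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def generate_passphrase(wordlist=SAMPLE_WORDLIST, n_words: int = 4, sep: str = " ") -> str:
    """XKCD#936-style passphrase: n_words words picked uniformly at random.

    secrets.choice draws from the OS CSPRNG; random.choice would be predictable."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Random per-site password for a password manager.

    Redraws until every character class present in the alphabet occurs at least
    once, so the result also satisfies the diversity requirement above."""
    required = [cls for cls in CHARACTER_CLASSES if any(c in alphabet for c in cls)]
    if length < len(required):
        raise ValueError("length too short to cover every character class")
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in password) for cls in required):
            return password
```

The entropy function makes the trade-off visible: four words from a 2048-word list give 44 bits, and twelve characters from the full 94-symbol alphabet give about 78 bits, but only if the words or characters really are chosen at random rather than by a person.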

Derived keys

Another option is to use a key derivation algorithm (PBKDF2, Argon2) to create a domain-specific password derived from a master password. In this scheme, the domain or some other identifier of the site/service is used as the salt for the algorithm.
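As an added illustration of the scheme just described (not an implementation from the wiki page or any listed project), the following derives a per-site password with PBKDF2-HMAC-SHA256 from Python's standard library; Argon2 would need a third-party package. The salt is the normalised domain plus the username and a revision number, so that one site's password can be rotated, as the requirements above demand, without changing the master. The iteration count, output length and alphabet are assumptions chosen for the example.

```python
import hashlib
import string

# Illustrative parameters (assumptions; the page does not prescribe any):
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
KEY_BYTES = 64         # key material requested per derivation
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars
# Largest multiple of len(ALPHABET) not exceeding 256; bytes at or above it are
# rejected so that `byte % 94` stays uniform (no modulo bias).
REJECT_FROM = 256 - 256 % len(ALPHABET)


def _bytes_to_password(key: bytes, length: int):
    """Map key bytes onto the alphabet by rejection sampling; None if the key
    runs out of usable bytes (practically never with 64 bytes for 20 chars)."""
    chars = [ALPHABET[b % len(ALPHABET)] for b in key if b < REJECT_FROM]
    return "".join(chars[:length]) if len(chars) >= length else None


def _has_all_classes(password: str) -> bool:
    """Lower, upper, digit and symbol all present, per the requirements above."""
    return (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password) and any(not c.isalnum() for c in password))


def derive_site_password(master: str, domain: str, username: str = "",
                         revision: int = 0, length: int = 20,
                         iterations: int = ITERATIONS) -> str:
    """Derive a site-specific password from `master` with PBKDF2-HMAC-SHA256.

    The salt is the normalised domain plus the username and a revision number:
    bumping `revision` rotates one site's password without touching the master.
    A retry counter is folded into the salt so the result always contains all
    four character classes while staying fully deterministic."""
    domain = domain.strip().lower()
    for attempt in range(16):
        salt = f"{domain}|{username}|{revision}|{attempt}".encode()
        key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations,
                                  dklen=KEY_BYTES)
        password = _bytes_to_password(key, length)
        if password is not None and _has_all_classes(password):
            return password
    raise RuntimeError("could not derive a password containing all character classes")
```

The caveat of this approach is that the whole set of site passwords is only as strong as the master and the secrecy of the scheme: anyone who learns the master password can recompute every derived one, so the master must meet the passphrase guidance above, and a leaked derived password cannot be rotated without remembering the new revision number.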

TODO: some implementations?