German Federal Office for Information Security password guidance
(Last updated on April 12, 2021)
The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, abbreviated BSI) is the agency responsible for information security in the German federal government. The BSI is also the central certification body for IT systems, which means that any IT product or system to be used by the federal government must meet the BSI's security standards.
One of the common pain points for IT security is authentication and the password. What specific guidance does the BSI offer in regards to password security?
BSI password security recommendations
The BSI password security recommendations give organizations a baseline for the password policies in their environments. They can be found in the IT-Grundschutz Kompendium (requirement ORP.4.A23) and include the following:
- The password MUST be complex enough that it is not easy to guess
- The password MUST NOT be so complicated that the user is unable to use it regularly with a reasonable amount of effort
- IT systems or applications SHOULD only prompt the user to change a password when there is a valid reason
- Timed password expiration SHOULD be avoided
- Action MUST be taken to detect and prevent the use of compromised passwords
- Old passwords MUST NOT be used again after a password change
Default Active Directory password policies are not enough
The BSI password recommendations align with other high-profile cybersecurity guidance from Microsoft and the National Institute of Standards and Technology (NIST). This guidance includes the recommendation to detect breached or compromised passwords.
NIST Special Publication 800-63B, section 5.1.1.2 (Memorized Secret Verifiers):
When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly used, expected, or compromised. For example, the list MAY include, but is not limited to:
- Passwords obtained from previous breach corpuses.
Native Active Directory Domain Services (AD DS) password policy settings (minimum length, complexity, history and maximum age, whether set in the Default Domain Policy or in a fine-grained password policy) contain no check of a proposed password against a list of breached or otherwise compromised passwords. That check requires a password filter on the domain controllers, which is what third-party password tools supply.
Breached Password Protection with Specops Password Policy
Breached password protection is an essential component of today’s password security best practices, and rightfully so. According to the 2020 IBM Cost of a Data Breach report, “stolen or compromised credentials were the most expensive cause of malicious data breaches.”
Specops Password Policy is a robust password security solution that enables breached password protection in Active Directory. As you see below, there are two configuration options for preventing the use of breached passwords:
- Express List – a subset of the Breached Password Protection database is downloaded and password changes are checked against that local copy. Because no connection is needed at check time, this option suits environments with limited Internet connectivity and similar edge cases
- Complete API – passwords are checked in real time against the full Specops online breached password database. This option provides the most robust protection, checking against 2 billion breached passwords.
Both options prevent users from choosing a breached password. Both can also force a password change when a password that was accepted earlier later turns up in the breached list. With the Complete API option, users can optionally receive a text message noting the breach event and the need to change their password.
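The NIST requirement quoted above (compare a prospective secret against a list of known-compromised values) and the two Specops options (a locally downloaded list versus an online check, plus forcing a change when an already-set password later appears in the list) describe what a password verifier has to do. The following is an added example of that logic, not Specops's code or protocol: it checks candidate passwords against a constructed, hypothetical breached list held as SHA-1 hashes (the format many public breach corpora use; AD itself stores NT hashes), enforces a hypothetical minimum length and a no-reuse history kept as hashes, shows an online check done as a k-anonymity range query so the password itself never leaves the client, and re-scans stored account hashes after a list update. All names and policy values are assumptions for illustration.

```python
"""Breached-password, reuse and forced-change checks (added example).

Not Specops code. Hashes are SHA-1 only because that is how many public breach
corpora are distributed; AD DS stores NT hashes. Sample data is constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the usual key format in breach corpora."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample corpus (hypothetical data), held as a set of hashes the
# way a locally downloaded list would be loaded.
_SAMPLE_BREACHED_PLAINTEXTS = ["Password123", "Winter2021!", "qwerty123456", "Welcome1!"]
BREACHED_HASHES: Set[str] = {sha1_hex(p) for p in _SAMPLE_BREACHED_PLAINTEXTS}


@dataclass
class PolicyResult:
    accepted: bool
    reasons: List[str]


def evaluate_new_password(password: str,
                          previous_hashes: Iterable[str],
                          breached_hashes: Set[str],
                          min_length: int = 12) -> PolicyResult:
    """Checks applied when a password is set or changed: a minimum length
    (hypothetical value) rather than arbitrary complexity, rejection of
    known-breached values, and no reuse of earlier passwords. The history is
    compared by hash, so it never has to hold cleartext."""
    reasons: List[str] = []
    h = sha1_hex(password)
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if h in breached_hashes:
        reasons.append("appears in the breached-password list")
    if h in set(previous_hashes):
        reasons.append("was used before on this account")
    return PolicyResult(accepted=not reasons, reasons=reasons)


def range_query_check(password: str, breached_hashes: Set[str], prefix_len: int = 5) -> bool:
    """Online-style check that sends neither the password nor its full hash:
    the client sends only the first prefix_len hex characters, the server
    returns every suffix it holds under that prefix, and the comparison is
    done on the client (k-anonymity range query). The server side is simulated
    locally; this illustrates the pattern, not Specops's API."""
    full = sha1_hex(password)
    prefix, suffix = full[:prefix_len], full[prefix_len:]
    # What the server does with the prefix it receives:
    served_suffixes = {h[prefix_len:] for h in breached_hashes if h.startswith(prefix)}
    # Back on the client:
    return suffix in served_suffixes


def accounts_needing_forced_change(stored_hashes: Dict[str, str],
                                   breached_hashes: Set[str]) -> List[str]:
    """Continuous check: after the breached list is updated, return accounts
    whose current password hash now appears in it, so a change can be forced."""
    return sorted(user for user, h in stored_hashes.items() if h in breached_hashes)


if __name__ == "__main__":
    history = [sha1_hex("OldPassphrase-2020")]
    print(evaluate_new_password("Winter2021!", history, BREACHED_HASHES))
    print(evaluate_new_password("correct horse battery staple", history, BREACHED_HASHES))
    print(range_query_check("Welcome1!", BREACHED_HASHES))
    directory = {"alice": sha1_hex("correct horse battery staple"),
                 "bob": sha1_hex("Password123")}
    print(accounts_needing_forced_change(directory, BREACHED_HASHES))
```

A real deployment would run `evaluate_new_password` inside a password filter on every domain controller and `accounts_needing_forced_change` on a schedule against the directory's stored hashes; the range-query shape matters because the online check otherwise turns the verifier into a place where cleartext passwords transit the network.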
Beyond breached password protection, Specops Password Policy offers further controls for enforcing password rules in Active Directory environments. These include:
- Custom and password dictionary lists and password hash dictionaries
- Passphrase support
- Blocking the use of character substitutions, keyboard patterns, display names, consecutive characters, incremental passwords, etc.
- Informative client messages when a user fails to meet password policy rules
- Length-based password expiration with email notifications
- Regular Expressions to further customize requirements
Learn more about the Breached Password Protection features in Specops Password Policy, and request a fully-featured trial version by contacting us.