Passphrase Guidelines - Draft

Note: These guidelines will apply to the updated MSSND passphrase requirements when they go into effect.

All UC Berkeley IT Resources and all devices connected to the UC Berkeley network or cloud services must comply with the Minimum Security Standard for Networked Devices (MSSND). The recommendations below are provided as optional guidance to assist with achieving the Passphrase Requirements.

MSSND Passphrase Requirements

When passphrases are used, they must meet or exceed the following complexity specifications:

Passwords MUST contain eight (8) characters or more following this sliding scale:

  • 8-11 characters: mixed case letters, numbers and symbols (e.g., !@#$%^&*()_+|~-=\'{}[]:";'<>?,./ and the space character);
  • 12-15 characters: mixed case letters and numbers;
  • 16-19 characters: mixed case letters;
  • 20+ characters: no restrictions.
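A validator implementing the sliding scale above, written as an added example for this page (it is not UC Berkeley's own tooling). The symbol set is assumed to be ASCII punctuation plus the space character, matching the standard's example list.

```python
import string

# Assumed symbol set: ASCII punctuation plus space, as in the standard's example list.
SYMBOLS = set(string.punctuation) | {" "}


def char_classes(passphrase):
    """Return the set of character classes present in the passphrase."""
    classes = set()
    for c in passphrase:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        elif c in SYMBOLS:
            classes.add("symbol")
    return classes


def required_classes(length):
    """Character classes the MSSND sliding scale requires at a given length."""
    if length < 8:
        return None                      # below the minimum: never acceptable
    if length <= 11:
        return {"upper", "lower", "digit", "symbol"}
    if length <= 15:
        return {"upper", "lower", "digit"}
    if length <= 19:
        return {"upper", "lower"}
    return set()                         # 20+ characters: no restrictions


def check_passphrase(passphrase):
    """Return (ok, missing): ok is True when the passphrase meets the scale,
    missing lists what is still needed so the user can be told why it failed."""
    required = required_classes(len(passphrase))
    if required is None:
        return False, ["at least 8 characters"]
    missing = sorted(required - char_classes(passphrase))
    return (not missing), missing


if __name__ == "__main__":
    # Constructed sample inputs; the last two are the page's own illustrations.
    for candidate in ["secret1!", "Secret1!", "MyCaL0SqAnD0",
                      "My cat loves squirrels and dolphins"]:
        print(repr(candidate), check_passphrase(candidate))
```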

PINs for mobile devices must be at least 6 characters in length. Authentication using the integrated biometric capabilities of supported devices from major vendors is also acceptable.

Multi-user systems must be configured to enforce these complexity requirements where technically possible.

All pre-assigned passphrases must be changed at the time of the initial login. Multi-user systems must be configured to enforce this requirement.

Default and blank passphrases are prohibited and must be changed to a passphrase that meets the requirements in this Standard. If an account has a default or blank passphrase that cannot be changed, that account must be disabled.

Individuals must not share user account passphrases, PINs, devices used to authenticate the user (e.g., mobile phones) or tokens (e.g. multifactor tokens, smartcards, etc.) with others.

Passphrases must be changed immediately if independently discovered, publicly disclosed, a suspected compromise has occurred, or a device on which they were used or stored has been lost or stolen. This includes the discovery of hashed passwords or passphrases.

The same or substantively similar passphrases must not be used across multiple accounts.

Device and account credentials such as passphrases, PINs, or account recovery questions & answers must never be stored in plain text and must be encrypted. Application secrets such as database credentials and API keys should be protected according to industry best practices such as those published by OWASP. Authentication credential stores on servers must be made resistant to offline attacks according to NIST guidelines (NIST SP 800-63B, Sec. 5.1.1.2).

Background and Description of Risk

For many systems, passphrases are the sole form of protection. Even systems protected by Multi-Factor Authentication (MFA) need strong passphrases. Poor passphrases may allow an attacker to guess or crack the passphrase and gain unauthorized access. Once in, attackers have the same access as you do with your username and passphrase -- they can do anything you can do. They can also work from the inside to attack additional accounts and systems.

Generally, the longer and more complex the passphrase, the more difficult it is for an attacker to crack.

In addition, failing to change a passphrase from the default set by the vendor is equivalent to having no passphrase at all, as default passphrases are commonly known to attackers.

See "Protecting Your Credentials" for additional risks.

Recommendations

1. Recommendations for Individuals

1.1 Longer is better

When it comes to passphrases, longer is better. In general, passphrases should be as long as possible while still being easy to remember. Using a long, uncommon phrase of 32 characters or more that is memorable for you, personally, is a great way to do this -- and it eliminates the need for most complexity requirements. For example, "My cat loves squirrels and dolphins" is a decent passphrase. It’s long, easy to remember, and isn’t a common quote or saying.

Another strategy for systems that don’t allow long passphrases is to create a shorter, more complex password based on a passphrase. For example, take the first one or two letters of each word in a longer phrase and add a simple number-for-letter substitution. The phrase above could turn into “MyCaL0SqAnD0” (where 0 is the digit zero). This is reasonably complex, meets the complexity requirement for a 12-character passphrase, and may be easier to remember than something more random. Arguably, though, the original phrase is both easier to use and a better passphrase.

NOTE: Do not use either of these examples as passphrases!

1.2 Passphrases SHOULD NOT be:

  • A derivative of your username
  • A single word found in a dictionary (English or foreign)
  • A single dictionary-word spelled backward
  • A single dictionary word (forward or backward) preceded and/or followed by any other single character (e.g., secret1, 1secret, secret?, secret!)

1.3 Use a hard-to-guess passphrase. Things to avoid include:

  • Names of family, pets, friends, co-workers, etc.
  • Computer terms and names, commands, sites, companies, hardware, software
  • Birthdays and other personal information such as addresses and phone numbers
  • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  • Other weak passphrases to avoid: 
    • Sports, team names (with any numbers) 
    • Prominent sports figure names (with any numbers)
    • Prominent bands, actors, artists, academics, astronomers, planets, etc.
    • Movie and comic book characters
    • Common movie quotes 
    • Common song lyrics
    • Anything an attacker might glean or guess from your social media posting or group memberships, job or role
  • Adding an exclamation mark (!) at the end of a passphrase doesn’t increase its complexity in a meaningful way!
  • Don’t use an unlock pattern to secure your mobile device. They’re trivial to snoop with a quick glance. Passphrases/PINs and biometrics are much more secure.

1.4 Biometrics:

Biometrics, such as fingerprint readers and face ID, can make authentication quick and easy. However, not all biometric readers are created equally. Poor ones can be easily bypassed. To protect yourself:

  • UC Berkeley’s Draft Passphrase Standard only allows integrated biometric capabilities of supported devices from major vendors.

1.5 Use a Password Manager:

Passphrases can be securely stored using a variety of free and low-cost encryption tools designed to manage passwords. This is a great option for people with too many passwords to remember. Password managers actually make it easier to have a unique, long passphrase for every account because you only need to remember one master passphrase to access all of your passphrases. 

Different password managers have different features. Some popular options include LastPass, 1password, Dashlane, and KeePass:*

Password Manager* | Cloud Service or Local Client          | Free/Paid                          | Supported OS’es/devices
LastPass          | Local client; data stored at LastPass  | Free basic; paid premium or family | Windows, Mac, Linux, iPhone/iPad, Android, Surface
1password         | Local client; data stored at 1password | Paid                               | Windows, Mac, Linux, iOS, Android, Chrome OS
Dashlane          | Local client; data stored at Dashlane  | Free basic; paid premium           | Windows, Mac, Linux, iOS, Android, Chromebook
KeePass           | Local client only                      | Free                               | Windows, Mac, Linux, BSD, other Unix-like systems; portable (e.g. data stick) option

* This list does not represent endorsement by the University of California or its affiliates.

1.6 Check to see if any of your accounts are involved in a known data breach.  

For additional security, periodically check https://haveibeenpwned.com/ to see if you have an account that has been compromised in a known data breach. If you find one and have not changed the passphrase since the breach, change it to something new and different that follows these guidelines. If you have other passphrases that are the same or similar, change them, too. 

1.7 Only use administrator (privileged) accounts when absolutely necessary.

See MSSND Privileged Accounts Standards and Guidelines (update coming soon) for details. 

1.8 See “Protecting Your Credentials” for additional details about the following:

  • Common techniques that attackers use to steal passphrases
  • Use a long passphrase
  • Do not reuse passphrases
  • Use a password manager
  • Check that the site is secure
  • Avoid phishing scams
  • Additional passphrase dos and don’ts

2. Recommendations for Developers:

  • Use built-in facilities of operating systems, databases, and other software to enforce complexity
  • Use built-in facilities of operating systems, databases, and other software to require password changes on the first logon
  • API keys should be unique, random, non-guessable, a minimum of 128 bits, and should not be reused across multiple applications. API keys should be protected like passphrases
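An added example (not code from UC Berkeley or the standard) covering the API-key point above and the credential-store requirement in the Requirements section: keys are drawn from the OS CSPRNG at 128 bits, and stored secrets are salted and hashed with a memory-hard KDF so a stolen credential store resists offline guessing. The scrypt cost parameters and the record format are assumed values chosen for the example, not taken from the page.

```python
import hashlib
import hmac
import os
import secrets


def new_api_key():
    """128 bits from the OS CSPRNG, hex-encoded (32 chars). Generate one per application."""
    return secrets.token_hex(16)


# Assumed scrypt cost parameters (memory-hard, ~16 MiB per guess); tune to current guidance.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_secret(secret):
    """Store a salted, memory-hard hash of a passphrase or API key, never the plain text.
    Record format (assumed): scrypt$N$r$p$salt_hex$digest_hex."""
    salt = os.urandom(16)                     # unique per record: defeats precomputed tables
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_secret(secret, stored):
    """Recompute with the parameters stored in the record and compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported credential record")
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    key = new_api_key()                       # constructed sample: issued to one application
    record = hash_secret(key)                 # this is what the server keeps
    print(record)
    print(verify_secret(key, record), verify_secret("not-the-key", record))
```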