On PCI DSS v4 and Passwords

PCI DSS v4.0 & Passwords #

Several years of research have shown that frequent password reset cycles hurt both the user and the security of the password [1], [2]. Users tend to slightly modify the existing password rather than come up with a new one; for example, changing MyPassword^ to MyPassword1^.

In addition, best practices suggest a minimum of 12 characters that mix alphanumeric characters and special symbols. Imagine applying this rule to every one of our accounts, since passwords shouldn’t be reused. Most users do not store their passwords in a password manager, which makes these recommendations a burden and a challenge for people.
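As an added illustration (not code from the original post), here is a Python check of the kind a password-change endpoint could run to reject exactly the trivial modifications described above, together with the 12-character mixed-class rule. The `core()` normalization, the edit-distance threshold of 2, the function names and the sample passwords are assumptions chosen for this example.

```python
import re
from typing import List

# Constructed example, not code from the original post. Thresholds are assumptions.
MIN_LENGTH = 12            # the 12-character best practice mentioned above
MAX_TRIVIAL_DISTANCE = 2   # assumed: at most two edits counts as "the same password"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def core(pw: str) -> str:
    """Drop the decorations users typically bump on reset: case plus any
    leading/trailing digits and symbols, so MyPassword^ and MyPassword1^ match."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).casefold()


def is_trivial_modification(old: str, new: str) -> bool:
    """True when the new password is the old one with cosmetic changes."""
    old_core, new_core = core(old), core(new)
    if old_core and old_core == new_core:
        return True
    return edit_distance(old.casefold(), new.casefold()) <= MAX_TRIVIAL_DISTANCE


def meets_composition_policy(pw: str) -> bool:
    """At least 12 characters mixing letters, digits and special symbols."""
    return (len(pw) >= MIN_LENGTH
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def validate_change(old: str, new: str) -> List[str]:
    """Problems a change endpoint would report; an empty list means accept."""
    problems = []
    if not meets_composition_policy(new):
        problems.append("new password does not meet the 12-character mixed-class rule")
    if is_trivial_modification(old, new):
        problems.append("new password is a trivial modification of the previous one")
    return problems


if __name__ == "__main__":
    # The old password is available in clear at change time because the user
    # supplies it; nothing here requires storing passwords in a recoverable form.
    print(validate_change("MyPassword^", "MyPassword1^"))
```

The check only works where the previous password is presented during the change (the normal "old password, new password" flow); it cannot be applied retroactively to stored hashes, which is one reason such controls are rarely deployed alongside a mandatory reset cycle.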

The PCI DSS standard requires password resets on user accounts every 90 days, but only if passwords are used as the single authentication factor. If my understanding is correct, having a 2FA/MFA policy for all accounts would extend this reset cycle. However, I cannot find a recommendation on what the “new”, extended reset cycle should be.

Last year I was talking to PCI DSS auditors. I specifically asked about the password policies imposed by the PCI DSS standard and how they were not necessarily aligned with years of research regarding usable security. I zoomed in on the password reset cycle of 90 days. They mentioned that compensating controls could be implemented to increase this 90-day reset cycle.

Perfect, there’s a way to improve the password usability policy, but when I asked if they knew of companies implementing the compensating controls there was silence; similarly, there was silence when I asked how we (industry) should implement these compensating controls.

At this point I don’t have empirical data to show either that industry solely implements the 90-day reset cycle, or that industry implements compensating controls to alleviate the short reset cycle. However, I suspect that most companies do not implement these compensating controls and instead apply the old 90-day reset cycle blindly; it’s the easiest way to comply after all, and it’s all about compliance.

Here are the related policies, quoted from PCI-DSS-v4_0.pdf.

Acronyms:
* CDE - Cardholder Data Environment
* CHD - Cardholder Data
* SAD - Sensitive Authentication Data

Password reset cycle (p. 177 of PCI-DSS-v4_0.pdf). It’s important to note the “If”: the 90-day cycle is required only for single-factor authentication.

### Defined Approach Requirements

8.3.9 If passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either:
* Passwords/passphrases are changed at least once every 90 days,
OR
* The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.

### Good Practice

Passwords/passphrases that are valid for a long time without a change provide malicious individuals with more time to break the password/phrase. Periodically changing passwords offers less time for a malicious individual to crack a password/passphrase and less time to use a compromised password.

Authentication for users and admins: p.171 PCI-DSS-v4_0.pdf

### Defined Approach Requirements

8.3.1 All user access to system components for users and administrators is authenticated via at least one of the following authentication factors:
* Something you know (password).
* Something you have (token).
* Something you are (biometrics).

### Good Practice

A common approach for a malicious individual to compromise a system is to exploit weak or nonexistent authentication factors (for example, passwords/passphrases). Requiring strong authentication factors helps protect against this attack.

Systems and application passwords: p. 188 PCI-DSS-v4_0.pdf

### Defined Approach Requirements
8.6.3 Passwords/passphrases for any application and system accounts are protected against misuse as follows:
* Passwords/passphrases are changed periodically (at the frequency defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1) and upon suspicion or confirmation of compromise.
* Passwords/passphrases are constructed with sufficient complexity appropriate for how frequently the entity changes the passwords/passphrases.
### Good Practice
Entities should consider the following risk factors when determining how to protect application and system passwords/passphrases against misuse:
* How securely the passwords/passphrases are stored (for example, whether they are stored in a password vault).
* Staff turnover.
* The number of people with access to the authentication factor.
* Whether the account can be used for interactive login.
* Whether the security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly (see Requirement 8.3.9).
All these elements affect the level of risk for application and system accounts and might impact the security of systems accessed by the system and application accounts.
Entities should correlate their selected change frequency for application and system passwords/passphrases with their selected complexity for those passwords/passphrases – i.e., the complexity should be more rigorous when passwords/passphrases are changed infrequently and can be less rigorous when changed more frequently.
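To make the two quoted requirements concrete, here is an added Python example (not from the post, and not from the PCI SSC) that audits an account inventory: single-factor user accounts are checked against the 90-day clause of 8.3.9, accounts with MFA or dynamic posture analysis are exempt from it, and system/application accounts are checked against the rotation period and the correlated minimum length that the entity’s targeted risk analysis would define, as the 8.6.3 guidance describes. The `Account` fields, the inventory, the audit date and the `SYSTEM_POLICY` period-to-length table are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed example, not code from the post or from the PCI SSC.
# Requirement 8.3.9: single-factor user passwords rotate at least every 90 days
# unless account security posture is dynamically analyzed.
USER_ROTATION_DAYS = 90

# Assumed output of the entity's targeted risk analysis (12.3.1) for system and
# application accounts: the less often a password rotates, the longer it must
# be, following the complexity/frequency correlation in the 8.6.3 guidance.
SYSTEM_POLICY = {90: 16, 365: 32}  # rotation period in days -> minimum length


@dataclass
class Account:
    name: str
    kind: str                      # "user" or "system"
    mfa: bool                      # a second factor is enforced for this account
    dynamic_posture: bool          # 8.3.9's second option is in place
    last_change: date
    rotation_days: Optional[int]   # system accounts: period chosen by risk analysis
    password_length: int           # metadata from the vault, never the secret itself


def check_account(acct: Account, today: date) -> List[str]:
    """Return zero or more findings for one account, each prefixed with its name."""
    findings: List[str] = []
    age = (today - acct.last_change).days
    if acct.kind == "user":
        if acct.mfa or acct.dynamic_posture:
            return findings  # the 90-day clause applies only to single-factor access
        if age > USER_ROTATION_DAYS:
            findings.append(f"{acct.name}: single-factor password is {age} days old, "
                            f"limit {USER_ROTATION_DAYS} (8.3.9)")
    elif acct.kind == "system":
        if acct.rotation_days not in SYSTEM_POLICY:
            findings.append(f"{acct.name}: no rotation period defined by the "
                            f"targeted risk analysis (8.6.3 / 12.3.1)")
            return findings
        if age > acct.rotation_days:
            findings.append(f"{acct.name}: system password is {age} days old, "
                            f"limit {acct.rotation_days} (8.6.3)")
        min_len = SYSTEM_POLICY[acct.rotation_days]
        if acct.password_length < min_len:
            findings.append(f"{acct.name}: length {acct.password_length} is below "
                            f"{min_len} required for a {acct.rotation_days}-day "
                            f"period (8.6.3 guidance)")
    else:
        findings.append(f"{acct.name}: unknown account kind {acct.kind!r}")
    return findings


def audit(accounts: List[Account], today: date) -> List[str]:
    """Run check_account over the whole inventory."""
    return [f for acct in accounts for f in check_account(acct, today)]


# Constructed inventory; a fixed audit date keeps the result reproducible.
TODAY = date(2024, 1, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "user", True, False, date(2022, 11, 1), None, 14),       # MFA: exempt
    Account("bob", "user", False, False, date(2023, 9, 1), None, 12),         # 122 days, single factor
    Account("carol", "user", False, False, date(2023, 12, 1), None, 12),      # 31 days: fine
    Account("svc-db", "system", False, False, date(2023, 6, 15), 365, 20),    # too short for a 365-day period
    Account("svc-batch", "system", False, False, date(2023, 9, 20), 90, 16),  # 103 days: overdue
    Account("svc-legacy", "system", False, False, date(2021, 1, 1), None, 8), # no risk analysis on record
]


def sample_audit() -> List[str]:
    return audit(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for finding in sample_audit():
        print(finding)
```

The point of the exemption branch is the one the post makes: once a second factor (or dynamic posture analysis) is in place, 8.3.9 no longer dictates a period, and whatever period an entity still wants for those accounts has to come from its own risk analysis rather than from the standard.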

Password creation restrictions (see 8.3.6).

References #

Password Usability Research #

[1] Sonia Chiasson and P. C. van Oorschot. [Journal Article] Quantifying the Security Advantage of Password Expiration Policies. Designs, Codes and Cryptography, April:1–8, 2015.

Bibtex:

```bibtex
@ARTICLE{chiasson2015desi-expiration,
  author    = {Chiasson, Sonia and van Oorschot, P. C.},
  title     = {[Journal Article] Quantifying the Security Advantage of Password Expiration Policies},
  journal   = {Designs, Codes and Cryptography},
  year      = {2015},
  volume    = {April},
  pages     = {1--8},
  number    = {},
  issn      = {0925-1022},
  doi       = {10.1007/s10623-015-0071-9},
  url       = {http://dx.doi.org/10.1007/s10623-015-0071-9},
  note      = {Articles},
  publisher = {Springer}
}
```

[2] Leah Zhang-Kennedy, Sonia Chiasson, and P. C. van Oorschot. [Paper] Revisiting Password Rules: Facilitating Human Management of Passwords. In APWG eCrime. IEEE, 2016.

Bibtex:

```bibtex
@INPROCEEDINGS{zhang-kennedy2016pwdrules-ecrime,
  author       = {Leah Zhang-Kennedy AND Sonia Chiasson AND P. C. van Oorschot},
  title        = {[Paper] Revisiting Password Rules: Facilitating Human Management of Passwords},
  booktitle    = {{APWG} e{C}rime},
  year         = {2016},
  note         = {Conference Papers},
  organization = {IEEE}
}
```