<h1>What Are the PCI DSS Password Requirements?</h1>
<p>Published 2020-04-19, last modified 2023-10-09. Source: https://pcidssguide.com/what-are-the-pci-dss-password-requirements/</p>
<p>Passwords are essential for protecting computers and payment data. However, they must be strong and changed regularly to remain effective. Manufacturer defaults and weak passwords are a common source of security breaches.</p>

<p>The PCI compliance requirements for passwords are set out explicitly in PCI DSS Requirement 8.</p>

<p>To protect against password-related threats, PCI DSS requires passwords to comply with the following conditions:</p>

<p>Password requirements for PCI DSS compliance are relatively straightforward and are easily enforced with today's directory services, such as Active Directory. For systems that do not use a directory service for authentication, it is essential to create passwords that meet the above basic parameters to help protect the cardholder data environment.</p>

<h2><strong>Password Policy Details in PCI DSS Requirement 2</strong></h2>

<p>The first specific guidelines on passwords in PCI DSS concern removing default passwords, especially the vendor-supplied default passwords that are generated automatically for user accounts.</p>

<p>Most of the time, hardware and software ship with default user accounts enabled. These accounts use a common username and password, such as “USER” and “PASSWORD”, to make initial access easy.</p>

<p>While these accounts are intended to be reconfigured by users as soon as possible, there are several reasons why a user might fail to do so immediately, which makes them a prime target for hackers and other cybercriminals.</p>

<p>Therefore, all automatically generated passwords and accounts must be removed before a device or system is installed on or integrated into the wider network. Changing default accounts and passwords is the main focus of PCI DSS Requirement 2. Its sub-requirements determine where and how this rule applies to the various account and authentication types.</p>

<p>PCI DSS sets out its full-fledged password policy in Requirement 8.</p>

<h2><strong>Password Policy Details in PCI DSS Requirement 8</strong></h2>

<p>PCI DSS Requirement 8 specifies parameters for the planning and execution of the entire authentication system, not just passwords. This includes everything the user encounters, from IDs and passwords to other login elements such as lockouts and error messages. It also includes areas outside the user's view, such as the storage and internal processing of accounts.</p>

<p>The most critical parts of PCI DSS Requirement 8 can be summarized as follows:</p>

<p>Taken together, these sub-requirements form the heart of the PCI DSS password policy, which dictates how passwords must be used to maintain PCI compliance. These standards provide a consistent minimum level of cybersecurity and password policy across all PCI-compliant companies.</p>

<p>As long as the controls satisfy the PCI password policy, PCI DSS permits an organization to incorporate controls other than those established in the PCI standard, such as those defined in NIST Special Publication 800-63.</p>

<p>NIST SP 800-63 provides requirements, recommendations, and guidance for using memorized secrets, such as PINs and passwords, to validate digital identity.</p>

<h2><strong>How to Set Strong Passwords?</strong></h2>

<p>When a password is not complex enough, it is much easier for an attacker to access a system. An attacker can perform a brute force attack using an automated tool that tries thousands of passwords in seconds until one works.</p>

<p>The PCI DSS standard requires passwords to contain at least seven characters, including both uppercase and lowercase letters. Other guidance suggests using long passwords that include numbers and special characters. Passwords that fall below these standards can be cracked easily with password cracking software.</p>

<p>The longer the password and the larger the mix of characters, the harder it is for an attacker to break it.</p>

<p>Passwords are part of the authentication process, but unfortunately they also bring problems. The main problem with passwords is that brute force and dictionary attacks crack them relatively quickly. Programs like John the Ripper and L0phtCrack can crack even complex passwords quickly.</p>

<p>Human nature also leads to vulnerable passwords. Employees prefer passwords they can recall quickly, which are often passwords a data thief can easily guess through social engineering. Many staff still write passwords down and even share them with others for convenience.</p>

<p>Unfortunately, many companies do not realize how easily cybercriminals can crack a password, and when it is a widely used password, attackers get results even faster. Some poor password practices are listed below:</p>

<p>So how can you be sure your passwords are secure? Here are a few essential practices you can implement.</p>

<h3><strong>Set unique credentials and change default passwords</strong></h3>

<p>Using different passwords for different services is important. That way, if one service is compromised, the same credentials cannot be used to access information in other services.</p>

<p>Employees often share passwords along with their usernames, which means their credentials are no longer private. Shared accounts are even more vulnerable to social engineering attacks, and when a group of people shares the same credentials, the company cannot determine exactly who performed a particular action in its systems.</p>

<p>Ensure your employees do not use the same usernames or passwords and do not share them. Most companies create a numeric username that has no relation to the user's real name. For example, the administrator's username should be replaced with one that does not reveal that it belongs to the administrator.</p>

<h3><strong>It would be best if you also changed all default passwords for devices and apps.</strong></h3>

<p>The longer your password, the better. Longer passwords are more difficult to crack, just as larger encryption keys are more difficult to crack. PCI DSS recommends that businesses use passwords of at least eight characters, but passwords of 10-15 characters or more are generally recommended.</p>

<p>You should also make passwords more complex by using a combination of numbers, symbols, and letters.</p>

<h3><strong>Have limited login attempts with lockout rules</strong></h3>

<p>PCI DSS Requirement 8 requires accounts to be locked out after six consecutive failed login attempts. Accounts must remain locked for 30 minutes or until the account is reset by a system administrator. Account lockout helps prevent many types of brute force attack.</p>

<p>When an attacker has only six chances to guess correctly, the attempt is likely to fail, and once accounts lock, attackers move on to an easier target.</p>

<p>Allow your employees only a limited number of attempts to log into a system. After several unsuccessful sign-ins, lock the account, whoever is trying to get in. This way, you block brute force attacks and attempts by social engineers to guess passwords.</p>

<h2><strong>What is a Strong Password?</strong></h2>

<p>Attackers try easily guessable passwords because many people still choose them. A strong password must contain seven or more characters and a mixture of uppercase and lowercase letters, numbers, and symbols (such as ! @ # $ & *).</p>

<p>Hackers can use default, common, or leaked passwords to get into your network. Out-of-the-box computer equipment and applications, including payment terminals, come with default passwords such as “password” or “admin” that are well known to criminals.</p>

<p>Businesses must change these default passwords to reduce the risk of compromise, and passwords should never be shared: each employee must have their own login ID and password.</p>

<p>Nowadays, many people still use something like their favorite sport as a password. The ten most commonly used passwords are as follows:</p>

<p>None of these passwords is secure, because they are straightforward to guess, too simple, or based on keyboard patterns. Hackers are well versed in these lists and often use them as a first step in cracking your password. If any of your passwords is on this list, change it as soon as possible.</p>

<h2><strong>How to Create a Strong Password?</strong></h2>

<p>The best practice is to create a unique password. Some other standard password rules you can apply are as follows:</p>

<p>It should be noted that you cannot wholly rely on strong passwords. A password does not protect data completely. You should combine multi-factor authentication, encryption, and other protections to keep your data safe.</p>

<p>The PCI DSS password requirements define the minimum level of complexity and strength that any organization, whatever technologies it uses, is expected to meet. The PCI SSC also encourages organizations to implement stricter controls or additional security measures as their security needs require.</p>

<p>When users have to generate and remember complex passwords too often, they tend to fall back on repetitive patterns and store passwords insecurely, which creates new vulnerabilities. Organizations are therefore advised to go beyond the PCI DSS password requirements to ensure an appropriate security level.</p>

<p>PCI DSS allows organizations to implement alternative controls to those defined in the standard, provided the PCI DSS requirements are still met. When evaluating alternative methods, do not consider individual recommendations in isolation; apply all of them as a complete set of controls.</p>

<h2><strong>How Can You Upgrade the PCI DSS Password Requirements?</strong></h2>

<p>If you are trying to meet your PCI DSS obligations, you must comply with the PCI DSS password requirements. However, you can apply the following additional controls to strengthen your protection:</p>

<h3><strong>Use PassPhrases</strong></h3>

<p>Many companies are starting to use passphrases instead of passwords to strengthen the protection of personal and commercial data. Whereas passwords are strings of about ten letters, numbers, and symbols, passphrases are groups of words with spaces between them.</p>

<p>Pass and Take $100 – P@$$andTake$100</p>

<p>Passphrases can contain symbols and uppercase and lowercase letters, and they do not have to be grammatically meaningful. Passphrases are usually easier to remember but harder to crack than passwords.</p>

<p>Details about passwords and passphrases can be found below:</p>

<h3><strong>Use Password Blacklist</strong></h3>

<p>User-generated passwords also have limits. You can reduce your exposure by checking user passwords against a compromised-password list. You can use a list of the 100,000 most commonly compromised passwords or use online resources to build your own password blacklist.</p>

<p>If you want a more comprehensive list without compiling one yourself, you can use a third-party password filtering service that includes billions of stolen passwords and is regularly updated with newly leaked passwords.</p>

<h3><strong>Monitor User Passwords</strong></h3>

<p>If you do not currently have a mechanism for checking compromised passwords, you should scan your database for weak or leaked passwords. It is essential to examine the database and find out which accounts are using weak or blacklisted passwords.</p>

<h3><strong>Implement Multi-Factor Authentication</strong></h3>

<p>System protection should not rely solely on the strength of a single password. Neither passwords nor passphrases should be considered unbreakable. The implementation of multi-factor authentication is therefore vital for protecting remote access, and it is a requirement under PCI DSS.</p>