Election Security Spotlight – Passwords
What it is
Passwords are a critical yet basic authentication mechanism in information security that consists of a combination of alphabetic, numeric, and/or symbolic characters. This combination of characters acts as an access control to authenticate a user to a restricted account, application, or system. Most commonly, passwords are associated with a username, which when grouped together are referred to as login credentials. Notably, passwords are referred to as passphrases when containing only words and as passcodes when containing only numbers (e.g., Personal Identification Numbers or “PINs”).
Why does it matter
Stolen or exposed login credentials may grant malicious actors unauthorized access to sensitive election infrastructure, which could lead to strategic voter impersonation, electoral tampering, email access, malware infections, or website defacements. Passwords that are unchanged, including default software passwords, are weak in complexity, or that are used across more than one platform, significantly increase the likelihood of theft or exposure by malicious actors. For example, default passwords are often readily available in online user manuals or other publically accessible documents, which allows anyone with knowledge of them to gain access to an account, application, or system that maintains that default password. Weak complexity increases the likelihood malicious actors can guess the password with automated tools. Additionally, malicious actors often use exposed passwords to attempt to gain access to other accounts used by the same person, because many users reuse the same password. The EI-ISAC observes default, weak, and reused passwords acting as some of the primary catalysts driving the theft and abuse of login credentials.
What you can do
Evaluate your office to see if the National Institute of Standards and Technology’s (NIST) password recommendations in Special Publication 800-63B, Section 220.127.116.11 fit your operating environment. If you are unable to fully follow NIST’s recommendations due to budgetary or technological constraints, consider implementing a password policy that establishes a standard for the creation, maintenance, and storage of strong and unique passwords. The policy may include user, organizational, and technical based recommendations.
- Do not reuse passwords across multiple platforms, systems, or software. This includes never using the same login credentials for work and personal use.
- Never use personal information, such as your name, children's names, dates of birth, etc. that someone might already know or can easily obtain.
- Passwords should have at least 14 characters and include uppercase and lowercase letters, numbers, and symbols.
- Change the default password on all accounts, applications, and systems.
- Educate employees on password reuse and enforce minimum standards for passwords such as length, complexity, and age.
- If available, enable multi-factor authentication in accordance with Best Practices 24 and 25 of the CIS’ Handbook for Elections Infrastructure Security.
- Store all passwords using salting and hashing functions and do not store passwords using reversible encryption.
- Set login thresholds to 10 or fewer invalid login attempts and require at least 15 minutes between account lockout and password reset. Log and monitor all login attempts.
- Maintain a password history to prevent users from reusing any password used in the last year. CIS recommends preventing users from using any of the last 24 passwords.
For more comprehensive recommendations and technical insight on this topic, please see the MS-ISAC’s Security Primers on Exposed Credentials and Securing Login Credentials, as well as the United States Computer Emergency Readiness Team’s (US-CERT) Security Tip on Choosing and Protecting Passwords.
The EI-ISAC regularly monitors the Internet for stolen credentials using open source datasets from various security organizations and researchers, as well as information received from trusted partners. To subscribe to this service, simply provide your IP addresses and domains to firstname.lastname@example.org.
The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact email@example.com.