Feature #11047

closed

Add Encryption Password suggestions and Restriction

Added by Sergei Shablovsky over 3 years ago. Updated 3 months ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Backup / Restore
Target version: -
Start date: 11/09/2020
% Done: 0%

Description

Hi pfSense DevTeam!
We appreciate your work!

Please add to the
WebUI Services / Auto Configuration Backup / Settings / "Encryption Password" block
AND
the Netgate official documentation, AutoConfigBackup Service / Encryption Password section: https://docs.netgate.com/pfsense/en/latest/backup/autoconfigbackup.html#encryption-password

Warning
1. Do not use online password generators (You never know or control who may use Your generated password and why, and binding Your real IP to this generated password is very easy and potentially creates another vector of hacker attack.)
2. Stay away from the obvious. Never use sequential numbers or letters, and for the love of all things cyber, do not use "password" as your password. Come up with unique passwords that do not include any personal info such as your name or date of birth. If you're being specifically targeted for a password hack, the hacker will put everything they know about you into their guess attempts. Stay away from obvious dictionary words and combinations of dictionary words. Any word on its own is bad. Any combination of a few words, especially if they're obvious, is also bad. For example, "house" is a terrible password. "Red house" is also very bad.
3. Do not use directly identifiable information. The ones trying to hack into your accounts may already know personal details such as your birthday, phone number, spouse's name, pet's name, home address, favorite singer or comic, anniversary, city of birth, high school, and relatives' and pets' names, etc. They will use that information as an aid to more easily guess your password.
4. Make the password long. This is the most critical factor. Choose nothing shorter than 15 characters, more if possible.
5. Use a mix of characters. The more you mix up letters (upper-case and lower-case), numbers, and symbols, the more potent your password is, and the harder it is for a brute force attack to crack it. Better to have at least 3 symbols in Your password.
6. Including characters from other languages (like Å, Ä, and Ö, for example) will significantly increase resistance to brute forcing.
7. Avoid common substitutions. Password crackers are hip to the usual substitutions. Whether you use DOORBELL or D00R8377, the brute force attacker will crack it with equal ease. These days, random character placement is much more effective than common leetspeak* substitutions. (*leetspeak definition: an informal language or code used on the Internet, in which standard letters are often replaced by numerals or special characters.)
8. Don't use memorable keyboard paths. Much like the advice above not to use sequential letters and numbers, do not use sequential keyboard paths either (like qwerty). These are among the first to be guessed.
9. Don't rely on obvious substitutions. Don't use common substitutions, either — for example, "H0use" isn't strong just because you've replaced an o with a 0. That's just obvious.
10. Use a unique password for each separate account or device. If you use the same password across multiple accounts, you could use the most reliable password possible, and if one account is compromised, all of them are. The recommended best practice is to create a strong password ideas list and use it for all your online accounts. Your unique list of passwords should be kept safe.
11. Change Your passwords regularly. The more sensitive your information is, the more often you should change your password. Once it is changed, do not use that password again for a very long time.
12. Use a reputable password manager, ideally with integration into Your favorite browser, a great password generator, password change reminders, checking for password re-use, cloud backup and synchronization between Your devices, like 1Password (iOS, macOS, Windows, Android).
13. Don't give your passwords to anyone else. Don't type your password into your device if you are within plain sight of other people. And do not plaster your password on a sticky note on your work computer. If you're storing a list of your passwords (or even better, a password hint sheet) on your computer in a document file, name the file something random so it isn't a dead giveaway to snoopers.

Encryption Password restriction:
1. Must be within the 15 to 30 character limit;
2. Must include 3 (or more) digits;
3. Must include 2 (or more) special symbols;
4. Special symbols { | , ; % ' # % ! ^ = [] () \ / ~ < > } " ? * + & . allowed;
5. Any national languages allowed;

Because Netgate is about security, let's be serious about this. :)
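As an added illustration (not pfSense code and not part of this ticket), a Python checker for the "Encryption Password restriction" list above, which the later comments repeat: it reads the braces in the symbol list as members of the allowed set and rejects characters outside letters, digits and the listed symbols; both readings are assumptions, since the list does not say.

```python
import unicodedata

# Limits taken from the "Encryption Password restriction" list in the request.
MIN_LEN, MAX_LEN = 15, 30
MIN_DIGITS = 3
MIN_SPECIALS = 2
# The special symbols as listed in the request. Treating the surrounding
# braces as members of the set is an assumption (the list is ambiguous).
ALLOWED_SPECIALS = frozenset("{|,;%'#!^=[]()\\/~<>}\"?*+&.")


def check_encryption_password(password: str) -> list:
    """Return the list of rule violations; an empty list means the password passes.

    Letters of any script count as letters ("any national languages allowed")
    and decimal digits of any script count as digits. Characters that are
    neither letters, digits nor listed symbols (e.g. spaces) are rejected;
    that strictness is an assumption, not something the request states.
    """
    # Normalize first so that "Ö" typed as O + combining diaeresis is counted
    # as one character rather than as a letter plus a stray combining mark.
    pw = unicodedata.normalize("NFC", password)
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} is not within {MIN_LEN}-{MAX_LEN} characters")

    digits = specials = 0
    unexpected = set()
    for ch in pw:
        category = unicodedata.category(ch)  # e.g. "Lu", "Ll", "Nd", "Po"
        if category == "Nd":
            digits += 1
        elif ch in ALLOWED_SPECIALS:
            specials += 1
        elif not category.startswith("L"):
            unexpected.add(ch)

    if digits < MIN_DIGITS:
        problems.append(f"only {digits} digit(s); at least {MIN_DIGITS} required")
    if specials < MIN_SPECIALS:
        problems.append(f"only {specials} special symbol(s); at least {MIN_SPECIALS} required")
    if unexpected:
        problems.append("disallowed character(s): " + repr("".join(sorted(unexpected))))
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the ticket.
    for sample in ["Ålesund#2020!Vejr9", "house123", "Red house 123 !!"]:
        print(repr(sample), "->", check_encryption_password(sample) or "OK")
```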

Actions #1

Updated by Sergei Shablovsky over 3 years ago

Sergei Shablovsky wrote:

Warning
1. Do not use online password generators (You never know or control who may use Your generated password and why, and binding Your real IP to this generated password is very easy and potentially creates another vector of hacker attack.)
2. Stay away from the obvious. Never use sequential numbers or letters, and for the love of all things cyber, do not use "password" as your password. Come up with unique passwords that do not include any personal info such as your name or date of birth. If you're being specifically targeted for a password hack, the hacker will put everything they know about you into their guess attempts. Stay away from obvious dictionary words and combinations of dictionary words. Any word on its own is bad. Any combination of a few words, especially if they're obvious, is also bad. For example, "house" is a terrible password. "Red house" is also very bad.
3. Do not use directly identifiable information. The ones trying to hack into your accounts may already know personal details such as your birthday, phone number, spouse's name, pet's name, home address, favorite singer or comic, anniversary, city of birth, high school, and relatives' and pets' names, etc. They will use that information as an aid to more easily guess your password.
4. Make the password long. This is the most critical factor. Choose nothing shorter than 15 characters, more if possible.
5. Use a mix of characters. The more you mix up letters (upper-case and lower-case), numbers, and symbols, the more potent your password is, and the harder it is for a brute force attack to crack it. Better to have at least 3 symbols in Your password.
6. Including characters from other languages (like Å, Ä, and Ö, for example) will significantly increase resistance to brute forcing.
7. Avoid common substitutions. Password crackers are hip to the usual substitutions. Whether you use DOORBELL or D00R8377, the brute force attacker will crack it with equal ease. These days, random character placement is much more effective than common leetspeak* substitutions. (*leetspeak definition: an informal language or code used on the Internet, in which standard letters are often replaced by numerals or special characters.)
8. Don't use memorable keyboard paths. Much like the advice above not to use sequential letters and numbers, do not use sequential keyboard paths either (like qwerty). These are among the first to be guessed.
9. Don't rely on obvious substitutions. Don't use common substitutions, either — for example, "H0use" isn't strong just because you've replaced an o with a 0. That's just obvious.
10. Use a unique password for each separate account or device. If you use the same password across multiple accounts, you could use the most reliable password possible, and if one account is compromised, all of them are. The recommended best practice is to create a strong password ideas list and use it for all your online accounts. Your unique list of passwords should be kept safe.
11. Change Your passwords regularly. The more sensitive your information is, the more often you should change your password. Once it is changed, do not use that password again for a very long time.
12. Use a reputable password manager, ideally with integration into Your favorite browser, a great password generator, password change reminders, checking for password re-use, cloud backup and synchronization between Your devices, like 1Password (iOS, macOS, Windows, Android).
13. Don't give your passwords to anyone else. Don't type your password into your device if you are within plain sight of other people. And do not plaster your password on a sticky note on your work computer. If you're storing a list of your passwords (or even better, a password hint sheet) on your computer in a document file, name the file something random so it isn't a dead giveaway to snoopers.

This section under a spoiler.

Encryption Password restriction:
1. Must be within the 15 to 30 character limit;
2. Must include 3 (or more) digits;
3. Must include 2 (or more) special symbols;
4. Special symbols { | , ; % ' # % ! ^ = [] () \ / ~ < > } " ? * + & . allowed;
5. Any national languages allowed;

This section always visible in the WebUI.

Actions #2

Updated by Jim Pingle over 3 years ago

  • Tracker changed from Documentation to Feature
  • Category changed from Web Interface to Backup / Restore
  • Status changed from New to Rejected

That is way too much text to add to the GUI. There is a help link if anyone wants to follow it. Maybe a small note with a link to the docs could be considered but nothing this huge is warranted for that field.

Please post your suggestions on the forum for discussion before creating them here.

Actions #3

Updated by Sergei Shablovsky over 2 years ago

Jim Pingle wrote in #note-2:

That is way too much text to add to the GUI. There is a help link if anyone wants to follow it. Maybe a small note with a link to the docs could be considered but nothing this huge is warranted for that field.

Please post your suggestions on the forum for discussion before creating them here.

What about not in the GUI but in the Documentation?

Last year was full of security issues because a lot of people went to work remotely. Agree?

Actions #4

Updated by Sergei Shablovsky 3 months ago

Sergei Shablovsky wrote in #note-3:

Jim Pingle wrote in #note-2:

That is way too much text to add to the GUI. There is a help link if anyone wants to follow it. Maybe a small note with a link to the docs could be considered but nothing this huge is warranted for that field.

Please post your suggestions on the forum for discussion before creating them here.

What about not in the GUI but in the Documentation?

Last year was full of security issues because a lot of people went to work remotely. Agree?

Jim Pingle wrote in #note-2:

That is way too much text to add to the GUI.

But what about adding only the LAST SECTION:

Encryption Password restriction:
1. Must be within the 15 to 30 character limit;
2. Must include 3 (or more) digits;
3. Must include 2 (or more) special symbols;
4. Special symbols { | , ; % ' # % ! ^ = [] () \ / ~ < > } " ? * + & . allowed;
5. Any national languages allowed;

There is a help link if anyone wants to follow it. Maybe a small note with a link to the docs could be considered but nothing this huge is warranted for that field.

Because pfSense has become one of the leading software products for FWs, it is REASONABLE AND NEEDED to make a separate page about password creation (and management in general).

Please post your suggestions on the forum for discussion before creating them here.

There is no reason to: You personally know that nowadays people start to learn and care about passwords ONLY after some trouble has happened.

But anyway, a separate page about "Password creation rules and password management" could push (and remind) pfSense users to pay more attention to this. Even if 1 person in 100 users follows these rules, that would be a small victory. Isn't it?
