Password Security: Strong Password Policies to Keep Corporate Data Safe!
A complete guide to modern password security policies, NIST guidelines, password manager strategy and credential protection in the corporate environment.
Hundreds of data breaches every year share one common element: compromised passwords. In 2023, 24 billion passwords were available on cybercriminal forums worldwide. According to the Verizon DBIR, 81% of hacking-related breaches involved stolen or weak passwords. Unfortunately, many organizations still follow old password policies (90-day rotation, complex character requirements) that NIST and other authoritative sources now discourage. Modern password security is a multi-faceted challenge with technological, behavioral and organizational dimensions. This article provides a comprehensive, science-based, NIST-aligned guide to modern password security that can be implemented practically in a corporate environment.
Core Concepts
The foundation of password security is described in NIST Special Publication 800-63B. Revised in 2017, this guideline brought revolutionary changes to traditional password policies. Its core recommendations: a minimum of 8 characters for memorized secrets, a maximum length of at least 64 characters, and all printable ASCII characters allowed. Crucially, no composition rules: requiring a mix of uppercase, lowercase, numbers and special characters is not recommended. And no mandatory periodic rotation, because regular forced changes encourage weak patterns.
Why these changes? Research shows that under forced rotation users adopt predictable patterns (Password1 → Password2 → Password3). Complexity requirements do not improve actual security but do hurt usability. Long passphrases are stronger than short complex passwords.
Password strength is measured in entropy. Entropy is expressed in bits and indicates how many possible passwords exist. An 8-character random password (mixed case + numbers + symbols) has about 52 bits of entropy. A 4-word random passphrase ("correct horse battery staple") has about 44 bits but is memorable and usable.
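As an added illustration (not from the original article), the following Python reproduces the two entropy figures quoted above and generates both kinds of secret with the operating system's CSPRNG. The 94-symbol printable ASCII alphabet and the 2048-entry word list size are assumptions standing in for a password manager's alphabet and a Diceware-style list; the tiny embedded word list is constructed so the code runs offline and is far too small for real use.

```python
import math
import secrets
import string

# 94 printable ASCII symbols (letters, digits, punctuation): the alphabet assumed
# behind the "8-character random password" figure.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
# Size of a Diceware-style word list; an assumption, not a figure from the article.
WORDLIST_SIZE = 2048
# Constructed mini word list so the generator runs offline. A real list needs
# WORDLIST_SIZE entries; with 8 words a 4-word phrase has only 4 * log2(8) = 12 bits.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "anvil", "lantern", "river", "cloud"]


def random_password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Uniformly random password: every position contributes log2(alphabet) bits."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Uniformly random passphrase: every word contributes log2(list size) bits."""
    return words * math.log2(wordlist_size)


def generate_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Random password drawn with the OS CSPRNG (secrets), never random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 4, wordlist=DEMO_WORDS, sep: str = " ") -> str:
    """Random passphrase; its entropy depends on len(wordlist), not on word length."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected guessing time: on average half the keyspace is searched."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    print(f"8 random printable chars: {random_password_entropy_bits(len(PRINTABLE), 8):.1f} bits")
    print(f"4 words from {WORDLIST_SIZE}: {passphrase_entropy_bits(WORDLIST_SIZE, 4):.1f} bits")
    # The hash algorithm matters as much as the password: trillions of guesses per
    # second against an unsalted fast hash versus a few thousand against a tuned slow one.
    for rate, label in ((1e12, "fast unsalted hash on GPUs"), (1e4, "tuned slow hash")):
        print(f"{label}: 44-bit passphrase ~{expected_crack_seconds(44, rate) / 86400:.1f} days")
    print(generate_password(), "|", generate_passphrase())
```

The guess-time comparison at the end is why the hashing section that follows matters: the same 44-bit passphrase falls in seconds to a fast hash but holds for years against a properly tuned slow one.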
Password hashing is a critical concept. Storing passwords in plain text is criminal negligence. Modern hashing algorithms: bcrypt (Niels Provos, 1999, still excellent), scrypt (memory-hard), Argon2 (winner of the 2015 Password Hashing Competition, the current best), PBKDF2 (NIST-approved for compliance).
MD5, SHA1 and unsalted SHA256 are catastrophically insecure for passwords. Modern GPUs can compute trillions of these hashes per second. Salting (a unique random salt for each password) prevents rainbow table attacks. A pepper (a server-side secret added to the hash) is an additional layer.
Common password attacks: Brute Force (try all combinations), Dictionary Attack (try common words), Hybrid Attack (dictionary plus variations), Credential Stuffing (use credentials leaked from other sites), Password Spraying (try common passwords across many accounts), Phishing (trick users into handing over credentials), Keyloggers (capture keystrokes).
Credential stuffing is a massive concern. The Have I Been Pwned database includes more than 12 billion accounts. Users frequently use the same password on multiple sites. Automated tools (Sentry MBA, OpenBullet) make the attack low-effort.
Multi-Factor Authentication (MFA) is the strongest single enhancement to password security. Microsoft research shows that MFA blocks 99.9% of automated attacks. MFA factors: something you know (password), something you have (phone, hardware token), something you are (biometrics).
MFA methods hierarchy (strongest to weakest): FIDO2/WebAuthn (phishing-resistant hardware keys), smart cards, authenticator apps (TOTP), push notifications (with number matching), SMS/voice (vulnerable to SIM swapping).
Password managers are a modern essential tool. They generate strong unique passwords for every site, encrypt the vault with a master password, synchronize across devices and auto-fill credentials securely. Examples: 1Password, Bitwarden (open source), Keeper, LastPass (despite past incidents), Dashlane, Apple iCloud Keychain, Google Password Manager.
Enterprise password managers add special features: SSO integration, admin controls, audit logs, shared vaults, breach monitoring. 1Password Teams, Bitwarden Enterprise and Keeper Business are widely used.
Passwordless authentication is an emerging trend. FIDO2/WebAuthn allows login without passwords using cryptographic keys. Passkeys (FIDO2 credentials synced across devices) are gaining adoption. Microsoft, Apple and Google all support them.
Biometric authentication: fingerprint, face recognition, iris scanning. Convenient, but with considerations: biometrics cannot be changed if compromised, false positive/negative rates, accessibility issues.
The password reset mechanism is a notorious vulnerability surface. Secret questions are guessable. Email-based reset depends on email security. SMS-based reset is vulnerable to SIM swapping. The modern approach: multiple verification factors, anomaly detection, and secure verification of control over the email address or phone.
Real-World Examples
Real incidents in password security are instructive. In the 2012 LinkedIn breach, 167 million accounts were compromised. The passwords were unsalted SHA1 hashes. Within days, 90% of the passwords were cracked. This incident was a catalyst for industry-wide bcrypt adoption.
The 2013 Adobe breach affected 153 million users. Passwords were encrypted (not properly hashed) with Triple DES in ECB mode. Password hints stored in plain text made cracking easier. The hint for "12345" was "easy 5": laughable but tragic.
In 2016 Yahoo announced a 2014 breach affecting all 3 billion accounts (the largest breach ever). MD5 hashes were used. Security questions and answers were compromised. Years of users' digital lives were exposed.
In 2021 Facebook (now Meta) saw the data of 533 million accounts leaked. Passwords were not directly included, but the extensive profile data enabled targeted attacks.
Real-world impact of credential stuffing: the 2018 Dunkin' Donuts attack, the 2019 Disney+ launch incidents, the 2020 Nintendo account compromises. In every case, users had reused passwords exposed in other breaches.
Corporate password breach scenarios: the 2020 Twitter Bitcoin scam, where employees with privileged access were socially engineered; the 2022 Uber breach, where a contractor's credentials were phished; the 2023 Cisco breach, where VPN credentials were compromised.
Consider the password incident at a large e-commerce platform in Bangladesh. In 2022 a database breach was detected. The investigation revealed: passwords were MD5 hashed without salt, the top 100 passwords accounted for 30% of the user base, "123456" was the most common (10% of users) and "password" the second most common.
Recovery actions: forced password reset for all users, migration from MD5 to Argon2, mandatory MFA for accounts with previous orders, subsidized password managers for employees, and a security awareness campaign.
An internal corporate password study (anonymized real organization, 5,000 employees): 75% of users reused passwords across multiple corporate systems. The password "Companyname2023!" was used independently by 47 different employees. Service accounts had not been rotated in over 5 years. 40% of admin passwords were variants of "Admin2022", "Admin2023" and so on.
A modern attack scenario: a phishing email is sent to the finance team, a realistic message mimicking a Microsoft 365 password expiration warning. A user clicks the link and enters credentials on an attacker-controlled site. The credentials are immediately tested by automation. This user has no MFA. Within minutes the attacker is in the email account.
The mailbox contains bank account change templates, vendor payment information and the writing style of executive correspondence. The attacker uses this intelligence for Business Email Compromise (BEC), sending a fraudulent invoice from a genuine-looking email account. A $2.3M fraudulent transfer is initiated and only partially recovered.
This entire chain could have been prevented by: phishing-resistant MFA (FIDO2), a unique password (one that could not be reused elsewhere), an email security gateway (better phishing detection), user training (recognizing the signs).
A password manager success story: an IT director at a manufacturing company implemented 1Password for Business across 800 employees. Six months later the phishing simulation success rate had dropped from 27% to 4% (users could not easily type passwords into fake sites), password reset tickets were down 70%, and the security of shared credentials had improved drastically.
Healthcare scenario: a hospital with a strict password rotation policy (every 60 days) was experiencing constant productivity loss. Staff were using predictable patterns and sticky notes were proliferating. Migration to a NIST-aligned policy (no forced rotation, mandatory MFA, a password manager provided) actually improved security while reducing friction.
University faculty case: a compromised account was discovered through a breach detection service. The email address had been used for academic publishing, with the same password as the personal email and the academic system. The attacker had access for 6 months, exfiltrating research data. Aftermath: institution-wide password manager deployment, mandatory MFA, dark web monitoring.
Financial services case: a regional bank discovered through dark web monitoring that more than 150 employee email/password combinations were available on criminal forums. The investigation revealed shadow IT (employees using corporate emails on third-party sites) and password reuse from those sites. Response: immediate password reset for the affected accounts, a mandatory password manager, continuous dark web monitoring, renewed emphasis on security awareness.
Insider threat scenario: a disgruntled employee leaves, but had memorized passwords for several systems. Six months later, malicious activity appears from the former employee's account. Lesson: passwords should be reset on offboarding, and ideally privileged access is never held directly by individuals (a PAM solution).
A modern positive example: a tech startup launched with passwordless authentication from day one. FIDO2 keys for all employees; the customer-facing app supports passkeys. No password-related breaches in 3 years of operation, and a significantly reduced support burden.
Prevention and Remediation
Designing modern password security policies is complex but critical. Key components of a NIST 800-63B aligned policy:
Password requirements (modern approach): minimum 8 characters (12-15 recommended for sensitive accounts), no composition rules (do not require special characters), allow all printable ASCII and Unicode, check against breach databases (Have I Been Pwned API), check against common password dictionaries, no security question requirement (banned by NIST).
What NOT to require: forced periodic rotation (only on suspicion of compromise), specific composition rules (uppercase + lowercase + number + symbol), password hints, knowledge-based authentication (KBA) as a primary factor.
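The two lists above translate into a short acceptance check. The Python below is an added example (not from the original article) of such a check: length floor and ceiling, a common-password dictionary, NIST's context-specific words (service name, username), and a breach lookup that mimics the Have I Been Pwned range API's k-anonymity scheme, where only the first five hex characters of the SHA-1 leave the client. The dictionary, the breach corpus and its counts are constructed stand-ins so the code runs offline; notice that composition rules and expiry are deliberately absent.

```python
import hashlib

MIN_LENGTH = 8    # NIST 800-63B floor for memorized secrets
MAX_LENGTH = 64   # NIST requires accepting at least 64; raise this if storage allows

# Constructed stand-in for a common-password dictionary (real ones hold millions).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "iloveyou", "companyname2023!", "admin2023"}

# Constructed breach corpus with made-up counts, used to fake the HIBP range API offline.
FAKE_BREACH_CORPUS = {"123456": 1_000_000, "password": 500_000, "correct horse battery staple": 1234}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def make_fake_range_service(corpus):
    """Simulates the k-anonymity range endpoint: given the first 5 hex characters of a
    SHA-1, it returns every known suffix sharing that prefix with its breach count,
    one 'SUFFIX:COUNT' per line. The full hash never leaves the client."""
    index = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")

    def lookup(prefix: str) -> str:
        return "\r\n".join(index.get(prefix, []))

    return lookup


def breach_count(password: str, range_lookup) -> int:
    """How many times the password appears in breach data (0 if unseen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, range_lookup, context_words=()) -> list:
    """NIST-style acceptance check. Returns the list of rejection reasons (empty means
    accepted). Deliberately absent: composition rules and any rotation/expiry logic."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("in the common-password dictionary")
    # Context-specific words (service name, username, derivatives) are on NIST's blocklist.
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context word '{word}'")
    seen = breach_count(password, range_lookup)
    if seen:
        reasons.append(f"seen {seen} times in breach data")
    return reasons


if __name__ == "__main__":
    service = make_fake_range_service(FAKE_BREACH_CORPUS)
    for candidate in ["123456", "correct horse battery staple", "velvet otter ninety one",
                      "AcmeCorp-rules-2024"]:
        verdict = evaluate_password(candidate, service, context_words=["AcmeCorp"])
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

"velvet otter ninety one" passes with no uppercase, digit or symbol: under this policy length and absence from breach data decide, not character classes. The famous XKCD passphrase fails only because it is in the (here constructed, but in reality very real) breach corpus.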
Password storage standards: Argon2id preferred (winner of the Password Hashing Competition), bcrypt acceptable (work factor 12+ for new implementations), PBKDF2 acceptable for compliance (100,000+ iterations), MD5/SHA1/SHA256 (unsalted) absolutely prohibited.
A unique salt for each password (16+ random bytes), a pepper (server-side secret) recommended for high-value applications, and the hash function's work factor tuned to system capability (target about 250 ms hashing time).
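The storage rules above, together with the salting and pepper concepts from the core-concepts section, as an added Python example that is not from the original article. It uses PBKDF2-HMAC-SHA256 because that is the only algorithm on the approved list available in the Python standard library; Argon2id, the article's preferred choice, would take the place of the `pbkdf2_hmac` calls via a package such as argon2-cffi. The record format, the pepper value and the iteration count are this example's own assumptions, and the unsalted SHA-256 function is included only to show the prohibited pattern side by side.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumed record format (not from the article): "pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>".
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # the article's floor is 100,000+; tune with calibrate_iterations()
SALT_BYTES = 16        # the article's "16+ random bytes" per password
# Constructed demo pepper. In production it lives in a secret store or HSM, never in
# the same database as the hashes, so a dumped table is useless without it.
PEPPER = b"constructed-demo-pepper-do-not-store-with-the-hashes"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _peppered(password: str, pepper: bytes) -> bytes:
    """Pre-hash with the pepper (HMAC-SHA256) so the slow hash sees a secret-keyed input."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, iterations: int = ITERATIONS, pepper: bytes = PEPPER) -> str:
    """Fresh random salt per password; salt and work factor are stored with the hash."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper), salt, iterations, dklen=32)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper),
                                    base64.b64decode(salt_b64), int(iterations), dklen=32)
    # Constant-time comparison: no timing difference between near-misses and misses.
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """Flag records below the current algorithm or work factor so they can be rehashed
    at the user's next successful login (the same pattern as an MD5 -> Argon2 migration)."""
    algorithm, stored_iterations, _, _ = stored.split("$")
    return algorithm != ALGORITHM or int(stored_iterations) < iterations


def unsalted_sha256(password: str) -> str:
    """The prohibited pattern, for contrast: every user with the same password gets the
    same hash, so one crack (or one rainbow table) covers all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def calibrate_iterations(target_ms: float = 250.0, floor: int = 100_000) -> int:
    """Time a probe and scale the iteration count so one hash takes about target_ms
    on this hardware, never dropping below the compliance floor."""
    probe = 50_000
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", bytes(SALT_BYTES), probe, dklen=32)
    elapsed_ms = max((time.perf_counter() - start) * 1000, 1e-3)
    return max(floor, int(probe * target_ms / elapsed_ms))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("correct horse battery stapler", record))
    print("same password, two users, unsalted:",
          unsalted_sha256("123456") == unsalted_sha256("123456"))
    print("same password, two users, salted:",
          hash_password("123456") == hash_password("123456"))
    print("iterations for ~250 ms here:", calibrate_iterations())
```

Two users choosing "123456" produce identical unsalted digests but different salted records, which is the whole point of the salt; the pepper then makes even a full table dump uncrackable offline unless the attacker also obtains the server-side secret.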
Authentication system requirements: rate limiting (5 failed attempts → temporary lockout), an account lockout policy (consider the DoS implications), anomaly detection (impossible travel, new device), notification of access events (login from a new location, password change).
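Rate limiting alone misses the password-spraying pattern from the attack list earlier (one guess per account never reaches five failures), so a monitor needs both a per-account and a per-source view. The Python below is an added example (not from the original article) that runs both over a constructed authentication log: the 5-failure lockout, the lockout's refusal of even a correct password (the DoS trade-off the article flags), and an alert when one source fails against many distinct accounts. The log format, the window sizes and the spraying threshold are assumptions for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy parameters: the article's "5 failed attempts -> temporary lockout"; the
# window lengths and the spray threshold are assumptions for this demo.
MAX_FAILURES = 5
FAILURE_WINDOW = timedelta(minutes=15)
LOCKOUT_DURATION = timedelta(minutes=15)
SPRAY_DISTINCT_ACCOUNTS = 10

# Constructed log in a made-up format: "<ISO time> src=<ip> user=<name> result=FAIL|OK".
# Part 1: spraying, one guess per account from one address, 30 seconds apart.
# Part 2: six wrong passwords against a single account from another address.
SAMPLE_LOG = [
    f"2024-01-15T09:{i // 2:02d}:{30 * (i % 2):02d}Z src=198.51.100.7 user=user{i:02d} result=FAIL"
    for i in range(12)
] + [
    f"2024-01-15T09:10:{i:02d}Z src=203.0.113.9 user=bob result=FAIL" for i in range(6)
] + [
    "2024-01-15T09:12:00Z src=203.0.113.9 user=bob result=OK",  # right password, still locked out
    "2024-01-15T09:30:00Z src=203.0.113.9 user=bob result=OK",  # lockout has expired
]


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dict with a datetime under 'time'."""
    timestamp, rest = line.split(" ", 1)
    event = dict(field.split("=", 1) for field in rest.split())
    event["time"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


class AuthMonitor:
    """Per-account lockout plus per-source spraying detection over an event stream."""

    def __init__(self):
        self.failures = defaultdict(deque)       # user -> recent failure times
        self.locked_until = {}                   # user -> datetime the lockout ends
        self.source_targets = defaultdict(dict)  # src -> {user: last failure time}
        self.spray_alerted = set()
        self.alerts = []

    def process(self, event: dict) -> str:
        t, user, src = event["time"], event["user"], event["src"]
        until = self.locked_until.get(user)
        if until is not None and t < until:
            # Every attempt during lockout is refused, even with the right password.
            # An attacker can therefore lock a user out on purpose: keep the lockout
            # short, alert on it, and prefer throttling for customer-facing systems.
            return "LOCKED"
        if event["result"] == "OK":
            self.failures[user].clear()
            return "OK"
        # Per-account rate limit: count failures inside the sliding window.
        recent = self.failures[user]
        recent.append(t)
        while recent and t - recent[0] > FAILURE_WINDOW:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = t + LOCKOUT_DURATION
            self.alerts.append(f"{t.isoformat()} lockout user={user} failures={len(recent)}")
            recent.clear()
        # Spraying never trips the per-account limit, so look from the source's side:
        # how many distinct accounts has this address failed against in the window?
        targets = self.source_targets[src]
        targets[user] = t
        distinct = sum(1 for last in targets.values() if t - last <= FAILURE_WINDOW)
        if distinct >= SPRAY_DISTINCT_ACCOUNTS and src not in self.spray_alerted:
            self.spray_alerted.add(src)
            self.alerts.append(f"{t.isoformat()} possible password spraying src={src} accounts={distinct}")
        return "FAIL"


def run(lines):
    """Feed log lines through a fresh monitor; returns (per-line outcomes, monitor)."""
    monitor = AuthMonitor()
    outcomes = [monitor.process(parse_line(line)) for line in lines]
    return outcomes, monitor


if __name__ == "__main__":
    outcomes, monitor = run(SAMPLE_LOG)
    for line, outcome in zip(SAMPLE_LOG, outcomes):
        print(outcome.ljust(6), line)
    print("\n".join(monitor.alerts))
```

On the sample log none of the twelve sprayed accounts is ever locked, yet the source is flagged at its tenth distinct target, while bob's burst triggers the lockout at the fifth failure and his correct password two minutes later is still refused.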
Multi-factor authentication implementation: MFA mandatory for ALL accounts (especially privileged and customer-facing), phishing-resistant MFA for privileged accounts (FIDO2/WebAuthn), authenticator apps preferred over SMS, hardware tokens for the highest security (YubiKey, Titan, Feitian), backup recovery codes printed and secured.
MFA bypass prevention: disable insecure recovery methods (SMS for resets), require MFA for MFA changes, implement Conditional Access policies (location, device and risk based).
Password manager deployment: an enterprise license for all employees, centralized policy management, forced unique passwords for corporate accounts, separation of personal and work vaults, security key support. Bitwarden Enterprise and 1Password Business are cost-effective enterprise options.
Single sign-on (SSO) implementation reduces password proliferation. SAML and OIDC integration with the corporate IdP. Microsoft Entra ID, Okta, Auth0 and Google Workspace are common solutions. A significant security improvement when combined with MFA.
Privileged Access Management for the highest-risk accounts is discussed in detail in a separate article: password vaulting, session recording, JIT access, automatic rotation. CyberArk, BeyondTrust and Delinea are the usual solutions.
Service account management is an often overlooked source of vulnerability: long passwords (40+ characters), automated rotation through secrets management, no human knowledge of the actual passwords, regular review and cleanup of unused accounts.
User education is an essential complement to technology. Topics: password manager use (overcoming resistance), phishing recognition, the importance of MFA, reporting suspicious activity, what to do if compromise is suspected.
Effective training methods: interactive simulations, gamification, real-world breach examples, regular reminders (not just annual training), executive examples (leadership modeling good behavior).
Regular phishing simulations: KnowBe4, Proofpoint, Microsoft Attack Simulator. Track click rates and improve over time. Combine with immediate education (not punishment) when users fail.
Breach monitoring services: Have I Been Pwned for free monitoring, SpyCloud and Recorded Future for advanced enterprise monitoring, Microsoft Defender for Identity built-in capabilities. Continuous monitoring rather than point-in-time scans.
Incident response for compromised passwords: immediate password reset, MFA verification, session termination across all devices, audit log review (extent of compromise), notification of affected users, root cause analysis (how the compromise occurred), policy/control updates.
Vendor risk management: SaaS vendors handle your credentials when SSO is unavailable. Assess the vendor's security posture: SOC 2 reports, breach history, security architecture. Contract requirements for password security.
Industry-specific considerations: financial services, NIST CSF and strict PCI DSS requirements; healthcare, HIPAA Administrative Safeguards; government, FedRAMP and FISMA; critical infrastructure, sector-specific requirements.
Compliance mapping: PCI DSS 8.3 (MFA for non-console admin access), HIPAA 164.308(a)(5)(ii)(D) (password management procedures), SOX (financial systems access), GDPR Article 32 (technical and organizational measures).
Passwordless future planning: begin pilots with FIDO2 hardware keys, evaluate passkeys for customer-facing applications, plan the migration strategy (passwordless as an MFA factor initially), treat user experience design as critical for adoption.
Monitoring metrics: password reset request rate (lower is better), MFA enrollment percentage (target 100%), phishing simulation click rate (should decrease over time), account takeover incidents (track and reduce), breach detection time.
Operational considerations: help desk procedures for password issues, self-service password reset (with strong identity verification), account recovery for lost MFA factors, travel exceptions (access from foreign countries).
Privacy and legal: local laws regarding password disclosure (US vs UK differences), employee monitoring transparency, the boundary between personal and work accounts, termination procedures.
Communication strategy: why we are changing (clear rationale), what is changing (specifics), how to adapt (training, support), when (timelines), who to ask (support channels).
Future-proofing: quantum computing threats to current hash algorithms (decades away, but plan), post-quantum cryptography research, increasingly sophisticated AI-powered phishing, continuous behavior-based authentication.
Common mistakes: implementing complexity without breach checking, MFA optional for non-privileged users, old password policies (forced rotation) maintained, ignoring service accounts, excluding executives from policies.
Password security is a foundational element of modern cybersecurity, but the approach to it has evolved radically. NIST's modern guidelines have challenged decades-old practices: strong security and practical usability are possible together. Strong unique passwords (via a password manager), phishing-resistant MFA, and a gradual transition to passwordless: that is the modern approach. Technology, process and people, all three in combination, are essential. Educate users, but do not leave the responsibility on them alone; deploy tools and systems that make secure behavior easy. Remember that password security is not just about passwords; it is one part of broader identity security. Organizations that internalize these principles and keep evolving are the ones that will be resilient against credential-based attacks in the long term.
Ready to test your knowledge? Take the Password Security MCQ Quiz on HackCert today!