Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.6.5. Password Concepts and Privileged Access Management

💡 First Principle: Passwords remain the most common authentication method despite their weaknesses. Password policies balance security with usability: overly complex requirements lead to written-down passwords. Privileged Access Management (PAM) adds extra controls for the accounts that can do the most damage.

Password best practices:
  • Length over complexity — a 16-character passphrase is more secure and more memorable than an 8-character "complex" password. NIST SP 800-63B recommends length-based policies and advises against composition rules (mandatory upper/lower/digit/symbol mixes).
  • Password managers — generate and store unique, strong passwords for every account. Eliminate password reuse and simplify authentication.
  • No password hints — hints reduce the effective security of the password by providing clues to attackers.
  • No periodic forced rotation — NIST now recommends against mandatory periodic password changes (they lead to predictable patterns like "Password1, Password2..."). Change passwords when compromise is suspected.
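The list above (and the Exam Trap later on this page) describes a length-based, breach-checked policy with no composition rules. The following is an added example, not code from the original page or from MindMesh Academy, showing what such a validator looks like in Python. It also demonstrates the k-anonymity lookup pattern used by the Pwned Passwords range API: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the 35-character suffix locally. The breached corpus and the range store are constructed in-line so the example runs offline; `check_password`, `is_breached` and the constants are names chosen for this example.

```python
import hashlib
import unicodedata

# Constructed stand-in for a breached-password corpus. Assumption: these four
# strings are the only passwords "known to be breached" in this example.
SAMPLE_BREACHED = ["Password1", "letmein", "qwerty123", "correct horse battery staple"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the Pwned Passwords range model uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_store(breached):
    """Index breached hashes by their first five hex characters, mimicking what a
    k-anonymity range endpoint holds: prefix -> ["<35-char suffix>:<count>", ...]."""
    store = {}
    for pw in breached:
        digest = sha1_hex(pw)
        store.setdefault(digest[:5], []).append(f"{digest[5:]}:1")
    return store


RANGE_STORE = build_range_store(SAMPLE_BREACHED)


def is_breached(password: str, range_store=RANGE_STORE) -> bool:
    """k-anonymity lookup: only the 5-char prefix would leave the client; the
    35-char suffix is matched locally against the returned range."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_store.get(prefix, []):
        candidate, _count = line.split(":", 1)
        if candidate == suffix:
            return True
    return False


def check_password(password: str, username: str = "", min_len: int = 8,
                   max_len: int = 128, range_store=RANGE_STORE):
    """Evaluate a candidate under SP 800-63B style rules.

    Returns (accepted, reasons). Deliberately absent: composition rules
    (upper/lower/digit/symbol) and any expiry date. Spaces and Unicode are
    allowed; length is counted after NFKC normalization so that visually
    identical inputs are treated the same."""
    normalized = unicodedata.normalize("NFKC", password)
    reasons = []
    if len(normalized) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(normalized) > max_len:
        # SP 800-63B: a verifier should accept at least 64 characters.
        reasons.append(f"longer than {max_len} characters")
    if username and username.lower() in normalized.lower():
        reasons.append("contains the username (context-specific word)")
    if is_breached(normalized, range_store):
        reasons.append("found in breached-password corpus")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["Password1", "Tr0ub4dor&3", "short7",
                      "a long passphrase with spaces 42"]:
        print(candidate, "->", check_password(candidate))
```

Note that "correct horse battery staple" is rejected here even though it is long: once a passphrase is in a breach corpus its length no longer matters, which is why the breached-list check is applied after the length check rather than instead of it.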

Privileged Access Management (PAM):
  • Just-in-time permissions — administrative access granted only when needed and automatically revoked after a defined period. Removes standing privileges that an attacker who steals the credential could otherwise use at any time.
  • Password vaulting — privileged passwords stored in an encrypted vault, checked out for use, and automatically rotated after each session.
  • Ephemeral credentials — temporary credentials that expire automatically. Reduces the window of exposure if credentials are compromised.
  • Session monitoring — recording privileged sessions for audit and forensic purposes.
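The four PAM controls above fit together as one workflow: the vault owns the secret, a requester checks it out under a time-bound lease, the lease expires or is checked in, and the secret is rotated so the value the requester saw is worthless afterwards. The following is an added example, written for this page and not modelled on any vendor's PAM product or API, that implements that workflow as a small in-memory vault. Account names, the `PrivilegedVault` class and the injected `clock` callable are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Lease:
    lease_id: str
    account: str
    requester: str
    issued_at: int
    expires_at: int
    active: bool = True


class PrivilegedVault:
    """Toy credential vault: JIT check-out, automatic expiry, rotate-on-check-in
    and an audit trail. `clock` is a callable returning epoch seconds, injected
    so expiry can be driven deterministically."""

    def __init__(self, clock, max_ttl_seconds=3600):
        self._clock = clock
        self._max_ttl = max_ttl_seconds
        self._secrets = {}      # account -> current secret (never a long-lived human-known value)
        self._leases = {}       # lease_id -> Lease
        self.audit = []         # append-only list of dict records

    def onboard(self, account):
        """Take ownership: the vault generates the secret, so no person ever
        learns a long-lived value for the account."""
        self._secrets[account] = secrets.token_urlsafe(24)
        self._log("onboard", account=account)

    def checkout(self, account, requester, ttl_seconds):
        """JIT access: issue a time-bound, exclusive lease and return the secret."""
        if account not in self._secrets:
            raise KeyError(f"unknown account {account!r}")
        if ttl_seconds <= 0 or ttl_seconds > self._max_ttl:
            raise ValueError(f"ttl must be in 1..{self._max_ttl} seconds")
        self.expire_leases()
        if any(l.active and l.account == account for l in self._leases.values()):
            raise RuntimeError(f"{account} is already checked out (exclusive access)")
        now = self._clock()
        lease = Lease(secrets.token_hex(8), account, requester, now, now + ttl_seconds)
        self._leases[lease.lease_id] = lease
        self._log("checkout", account=account, requester=requester,
                  lease_id=lease.lease_id, expires_at=lease.expires_at)
        return lease.lease_id, self._secrets[account]

    def checkin(self, lease_id):
        """End the session early; the secret the requester saw is rotated away."""
        lease = self._leases[lease_id]
        if not lease.active:
            raise RuntimeError("lease already closed")
        lease.active = False
        self._log("checkin", account=lease.account, lease_id=lease_id)
        self._rotate(lease.account, reason=f"checkin:{lease_id}")

    def expire_leases(self):
        """Revoke every lease whose TTL has elapsed and rotate that account."""
        now = self._clock()
        for lease in self._leases.values():
            if lease.active and lease.expires_at <= now:
                lease.active = False
                self._log("expire", account=lease.account, lease_id=lease.lease_id)
                self._rotate(lease.account, reason=f"expired:{lease.lease_id}")

    def credential_is_valid(self, account, secret):
        """What the target system would check after the vault pushes a rotation:
        only the current secret authenticates. Constant-time comparison."""
        self.expire_leases()
        current = self._secrets.get(account, "")
        return secrets.compare_digest(current.encode(), secret.encode())

    def active_leases(self):
        self.expire_leases()
        return [l for l in self._leases.values() if l.active]

    def _rotate(self, account, reason):
        self._secrets[account] = secrets.token_urlsafe(24)
        self._log("rotate", account=account, reason=reason)

    def _log(self, event, **details):
        self.audit.append({"ts": self._clock(), "event": event, **details})


if __name__ == "__main__":
    import time
    vault = PrivilegedVault(clock=lambda: int(time.time()))
    vault.onboard("CORP\\db-admin")
    lease_id, pw = vault.checkout("CORP\\db-admin", "alice", ttl_seconds=600)
    vault.checkin(lease_id)
    print("old secret still valid?", vault.credential_is_valid("CORP\\db-admin", pw))
    for record in vault.audit:
        print(record)
```

The audit list is the session-monitoring piece in miniature: every check-out records who held which account until when, which is what an investigator needs to tie a privileged action back to a person. A production PAM system would additionally push each rotated secret to the target system and record the session itself, not just its boundaries.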

Service account management — service accounts (used by applications and automated processes rather than humans) present unique risks: they often hold broad permissions, they usually cannot complete an MFA prompt because no person is present at logon, and their passwords rarely get rotated, so a leaked one stays valid for years. Best practices: use managed service accounts where the platform generates and rotates the password automatically; restrict each account to the source hosts or IP ranges and the time windows it legitimately needs; alert on any interactive logon (service accounts should never log in interactively); and in Active Directory use group managed service accounts (gMSAs), whose password is generated and rotated by the domain controllers (every 30 days by default) and can only be retrieved by the computers explicitly authorized to run the service.
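The three detective controls in the paragraph above (no interactive logon, only expected sources, only during the expected schedule) can be checked directly against Windows Security log 4624 (successful logon) events. The following is an added example, not code from the original page, that runs that logic over a handful of constructed 4624 records. The per-account inventory (`SERVICE_ACCOUNT_POLICY`), the account names, hosts and IP ranges are all assumptions made for the example; the logon-type numbers are the standard Windows values (2 Interactive, 3 Network, 4 Batch, 5 Service, 7 Unlock, 10 RemoteInteractive, 11 CachedInteractive).

```python
import ipaddress
from datetime import datetime, time

# 4624 logon types that imply a person at a keyboard or in an RDP session.
INTERACTIVE_LOGON_TYPES = {2: "Interactive", 7: "Unlock",
                           10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed inventory of managed service accounts (assumption: the org keeps
# one). Each entry says where the account may log on from, when, and how.
SERVICE_ACCOUNT_POLICY = {
    "svc-backup": {
        "sources": ["10.10.5.0/24"],
        "window": (time(1, 0), time(5, 0)),   # nightly backup window
        "logon_types": {4, 5},                 # Batch, Service
    },
    "svc-web": {
        "sources": ["10.10.20.11/32", "10.10.20.12/32"],
        "window": None,                        # runs 24x7
        "logon_types": {3, 5},                 # Network, Service
    },
}

# Constructed 4624 records with the fields an exported Security log carries; not real data.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-03-04T02:10:00", "EventID": 4624, "TargetUserName": "svc-backup",
     "LogonType": 5, "IpAddress": "10.10.5.21", "WorkstationName": "BKP01"},
    {"TimeCreated": "2024-03-04T09:41:12", "EventID": 4624, "TargetUserName": "svc-backup",
     "LogonType": 10, "IpAddress": "10.10.99.7", "WorkstationName": "JUMP02"},   # RDP, odd host, daytime
    {"TimeCreated": "2024-03-04T14:00:03", "EventID": 4624, "TargetUserName": "svc-web",
     "LogonType": 3, "IpAddress": "10.10.20.11", "WorkstationName": "WEB01"},
    {"TimeCreated": "2024-03-04T14:05:44", "EventID": 4624, "TargetUserName": "svc-web",
     "LogonType": 2, "IpAddress": "-", "WorkstationName": "WEB01"},               # console logon
    {"TimeCreated": "2024-03-04T23:30:00", "EventID": 4624, "TargetUserName": "svc-backup",
     "LogonType": 4, "IpAddress": "10.10.5.21", "WorkstationName": "BKP01"},      # outside window
    {"TimeCreated": "2024-03-04T10:00:00", "EventID": 4624, "TargetUserName": "jdoe",
     "LogonType": 2, "IpAddress": "10.10.30.5", "WorkstationName": "WS17"},       # human, not in scope
]


def in_window(ts: datetime, window) -> bool:
    """True if the time-of-day lies in [start, end]; handles windows past midnight."""
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def evaluate(event, policy=SERVICE_ACCOUNT_POLICY):
    """Return a list of finding strings for one 4624 event (empty if nothing is wrong)."""
    if event.get("EventID") != 4624:
        return []
    rule = policy.get(event["TargetUserName"])
    if rule is None:
        return []                                  # not a managed service account
    findings = []
    ltype = int(event["LogonType"])
    if ltype in INTERACTIVE_LOGON_TYPES:
        findings.append(f"interactive logon (type {ltype} {INTERACTIVE_LOGON_TYPES[ltype]})")
    elif ltype not in rule["logon_types"]:
        findings.append(f"unexpected logon type {ltype}")
    ip = event.get("IpAddress") or "-"
    if ip != "-":                                  # "-" means no network source (local logon)
        try:
            addr = ipaddress.ip_address(ip)
            if not any(addr in ipaddress.ip_network(n) for n in rule["sources"]):
                findings.append(f"source {ip} not in allow-list")
        except ValueError:
            findings.append(f"unparseable source {ip!r}")
    ts = datetime.fromisoformat(event["TimeCreated"])
    if rule["window"] and not in_window(ts, rule["window"]):
        findings.append(f"logon at {ts.time()} outside scheduled window")
    return findings


def scan(events, policy=SERVICE_ACCOUNT_POLICY):
    """Flatten findings over a batch of events into (time, account, finding) tuples."""
    return [(e["TimeCreated"], e["TargetUserName"], f)
            for e in events for f in evaluate(e, policy)]


if __name__ == "__main__":
    for when, who, what in scan(SAMPLE_EVENTS):
        print(f"{when} {who}: {what}")
```

Two details matter in practice: `IpAddress` is "-" for console logons, so the source check must not treat that as a violation on its own (the interactive logon type already catches it), and a logon that trips several rules at once (the RDP record above is interactive, from an unlisted host, and outside the window) should surface all of them, since each one is a separate lead for the investigator.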

āš ļø Exam Trap: NIST no longer recommends forced periodic password rotation. The current guidance is: require strong passwords (length ≄ 8, ideally 16+), check against known-breached password lists, and only force changes when compromise is suspected. If a question presents periodic rotation as best practice, look for a more current answer.

Written by Alvin Varughese, Founder, 15 professional certifications