BLOG HOME > Auditor Tips > Auditor Tips: Requirement 8: Use Unique ID Credentials

Auditor Tips: Requirement 8: Use Unique ID Credentials

*This article was taken from our PCI Guide. For more information on this topic, download our free PCI Guide.

Get Started with PCI Compliance

Start Here

Requirement 8 is all about having unique ID information. For example, you must have your own unique ID credentials and account on your systems and devices so that you can prove with audit log files who committed the error or malicious action. With a shared account a malicious user could simply blame the other users that use the same account.

As a system administrator, best practice is to have a regular account that is used for day-to-day work on your portable device and a different administrative account when performing administrative functions on the systems you manage.

Do not use generic accounts,shared group passwords, orgeneric passwords.

Security professionals recognize that passwords are no longer sufficient to secure data. While passwords are still required, they simply are not secure enough. You must set strong, long passwords.If you use a passphrase be sure to include words from various foreign languages, this will make a brute force attacker have to use multiple dictionaries rather than just one, which increases the time to crack the passphrase substantially.

An easy way to remember complex and long passwords is by using passphrases. Passphrases are groups of words with spaces in between (e.g., “Boba Fett in 1983 ROJ was WAY better than 2022 BoBF!”). A passphrase can contain symbols and upper- and lower-case letters. It doesn’t have to make sense grammatically. Passphrases are generally easier to remember but more difficult to crack than shorter passwords.

In addition to strong passphrases, password manager software canhelp you use different passwords for all of your accounts.

Get my free SecurityMetrics PCI Guide

Download Now

You need different passwords for different services so that if one service gets compromised the attacker is unable to access other services with those credentials.

If your email account password is compromised and you use the same password across several devices, or even use that email address to receive the reset password emails from several websites, you have a major security problem on your hands.

Something to be aware of with brute force attacks is the latency difference between an error that has a valid username and one that does not. If the response has more or less latency than a normal username error response, then the attacker will know that username is likely a valid username. Next the attacker will try to brute force the password of that newly discovered user account. So it’s good practice to make all authentication errors respond with the same latency.

Another practice to consider is having a company managed password wallet that the company controls in order to ensure compliance with periodic password changes, length, and complexity policies for their employees.

Michael Maughan (CISSP, QSA)

Join Thousands of Security Professionals and Subscribe