• Traditional: Length + complexity (upper/lower/symbol); aging (90-day rotation); history (prevent last 12)
• Modern (NIST/NCSC): Longer > Complex; no forced rotation unless breached; block common/known-bad passwords; accept spaces/passphrases; reduce help desk resets
• Reuse: Never across work/personal; unique per site
• Managers: Encrypted vaults (Bitwarden, 1Password); domain-matched autofill resists phishing (no fill on lookalike sites); master password becomes single point of failure
• DAC (Discretionary): Data owner decides access (Windows file permissions); flexible, hard to audit
• MAC (Mandatory): System-enforced labels (Classified/Secret/Top Secret); rigid, government/military
• RBAC (Role-Based): Access via job function (Nurse, Doctor, Admin); Security Groups simplify mass assignment
• Rule-Based: Conditions determine access (firewall ACLs, time-based); often combined with RBAC (RBAC + time restrictions)
• Admin Separation: Standard user + separate privileged account; no email/browsing on admin accounts
• SAW (Secure Admin Workstation): Dedicated hardened endpoint for admin tasks; isolated from internet
• Ephemeral Passwords: Just-in-Time (JIT) credentials; auto-rotate after use; credential vaults (CyberArk, BeyondTrust)
• Elevation: UAC (Windows), sudo (Linux); Just-Enough Access (JEA): Specific cmdlet/command elevation, not full admin rights
• Passwordless: FIDO2/WebAuthn standard; eliminates shared secrets (phishing-resistant); uses device-bound private keys
• MFA: Something you know / have / are (biometric); TOTP (Time-based One-Time Password): Software tokens (Google Authenticator) – still vulnerable to phishing / real-time MITM relay of the code
• Hardware Authenticators: FIDO2 security keys (YubiKey), smart cards (PIV/CAC), OTP fobs; resistant to replay attacks; FIDO2 uses public-key cryptography per site
• Biometrics:
– Factors: Cost (readers), Privacy (template storage), Accessibility (injury/age), Throughput (speed of queue)
– Type I Error (False Reject): Valid user denied; Type II Error (False Accept): Invalid user accepted
– Face: Contactless, 2D/3D spoofing risk; Fingerprint: Friction ridge, latent print risks, capacitive vs optical
• Least Privilege: Minimum rights to complete task; Authorization Creep (privilege accumulation over time) requires periodic review/recertification
• Provisioning/Deprovisioning: Automated onboarding/offboarding; orphaned accounts = risk; deprovisioning must revoke all access immediately
• Contextual Policies:
– Location: Geo-blocking, trusted network zones
– Time: Business hours restrictions
– Impossible Travel: Login from NYC, then London 1 hour later = physically impossible, account flagged as compromised
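As an added example (not part of these notes), a minimal impossible-travel check in Python over constructed login records: it computes the great-circle distance between consecutive logins of the same user and alerts when the implied speed exceeds an assumed 1000 km/h threshold.

```python
import math
from datetime import datetime

# Constructed sample logins (not real data): (user, ISO-8601 UTC timestamp, lat, lon)
LOGINS = [
    ("alice", "2024-03-01T09:00:00Z", 40.7128, -74.0060),  # New York
    ("alice", "2024-03-01T10:00:00Z", 51.5074, -0.1278),   # London, 1 hour later
    ("bob",   "2024-03-01T09:00:00Z", 40.7128, -74.0060),  # New York
    ("bob",   "2024-03-01T18:30:00Z", 51.5074, -0.1278),   # London, 9.5 hours later
]

MAX_SPEED_KMH = 1000.0  # assumed threshold, roughly airliner cruising speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def find_impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, distance_km, speed_kmh) for each consecutive login pair
    whose implied travel speed exceeds the threshold."""
    by_user = {}
    for user, ts, lat, lon in logins:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        by_user.setdefault(user, []).append((when, lat, lon))
    alerts = []
    for user, events in by_user.items():
        events.sort()  # chronological order per user
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(la1, lo1, la2, lo2)
            # Same-timestamp logins from two distinct places are also impossible
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append((user, round(dist), round(speed)))
    return alerts

if __name__ == "__main__":
    for user, dist, speed in find_impossible_travel(LOGINS):
        print(f"ALERT {user}: {dist} km in implied {speed} km/h")
```

Only alice trips the check (about 5570 km in one hour); bob's 9.5-hour gap implies under 600 km/h and passes.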
• Directory Services: Central identity repository; X.500 standard, LDAP (Lightweight Directory Access Protocol) for queries
• Active Directory (AD): Microsoft implementation; Kerberos authentication, Group Policy, domains/forests
• SSO: Single sign-on via token/cookie; reduces password fatigue; risk = keys to kingdom
• Kerberos: Ticket-based auth (TGT for session, service tickets for resources); mutual authentication; time synchronization critical because tickets carry timestamps (Kerberos 5 current)
• Federation: Trust between orgs; SAML (Security Assertion Markup Language): XML-based SSO for web apps; OAuth 2.0: Authorization framework (scoped access, "Login with Google"); OpenID Connect (OIDC) identity layer on OAuth
Quick Distinctions: SAML = Enterprise SSO (XML); OAuth = API authorization (tokens); Kerberos = Internal network tickets; MAC labels vs RBAC roles vs DAC owner discretion