The First Line of Defense
Password authentication is a routine part of our everyday lives. We use passwords to open garage doors, log in at work, check email, or grab cash from an ATM. According to the federally funded Computer Emergency Response Team / Coordination Center (CERT/CC):
“80% of all network security problems are caused by bad passwords; therefore, good passwords are the simplest and most important part of information security.”
What’s in a Word
Sometimes the language we use shapes our choices. For example, the word “password” implies that you can’t use a space. If instead we think in terms of a “passphrase,” which allows spaces, we can create much stronger authentication than a complex 8-character password.
Consider the passphrase “I like chocolate!” This is a 17-character phrase that is significantly easier to type (and remember) than an 8-character password such as “hU*4M%2g” – and far more secure. In fact, the best advice for a Microsoft Windows passphrase is to make sure it is at least 15 characters long… just remember to stop before you reach 127 characters.
Password Cracking 101
Cracking passwords is all about math. The more possible combinations of characters, the longer it takes to crack. It’s not about being “uncrackable.” It’s about being improbable. Given enough time and resources, however, any password can be cracked. The table below should give you some insight as to why a longer, simple passphrase is better than a shorter (albeit more complex) password: the number of possible combinations is the size of the character set raised to the power of the length.
| Password type | Example | Possible combinations |
|---|---|---|
| 4 numbers (the PIN for your ATM card) | 1234 | 10,000 |
| 8 alpha-numeric characters | pass1234 | 2,821,109,907,456 |
| 8 mixed-case letters | PassWord | 53,459,728,531,456 |
| 8 mixed-case, alpha-numeric characters | PasS1234 | 218,340,105,584,896 |
| 8 mixed-case, alpha-numeric w/ symbols | Pas$12#$ | 722,204,136,308,736 |
| 17 letters and spaces | i like chocolates | 2,153,693,963,075,557,766,310,747 |
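The keyspace figures in the table follow from charset ** length. The following is an added example, not code from the original article, that reproduces each row from its example string by inferring the character classes used; the size of the symbol class (10) is an assumption chosen so that the “w/ symbols” row gives the article’s 72-character alphabet.

```python
import math
import string

# Character classes matching the article's table. The symbol set is an
# assumption (constructed set of 10) so that "mixed-case, alpha-numeric
# w/ symbols" gives a 72-character alphabet (26 + 26 + 10 + 10).
CLASSES = {
    "digits": string.digits,              # 10 characters
    "lowercase": string.ascii_lowercase,  # 26
    "uppercase": string.ascii_uppercase,  # 26
    "space": " ",                         # 1
    "symbols": "!@#$%^&*()",              # 10 (constructed)
}


def charset_size(secret: str) -> int:
    """Size of the smallest union of classes that covers every character."""
    unknown = [c for c in secret
               if not any(c in chars for chars in CLASSES.values())]
    if unknown:
        raise ValueError(f"characters outside the modelled classes: {unknown!r}")
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in secret))


def keyspace(secret: str) -> int:
    """Candidates a brute-force search must cover: charset ** length."""
    return charset_size(secret) ** len(secret)


def entropy_bits(secret: str) -> float:
    """Keyspace in bits, the usual unit for comparing password policies."""
    return math.log2(keyspace(secret))


def seconds_to_exhaust(secret: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guessing rate."""
    return keyspace(secret) / guesses_per_second


if __name__ == "__main__":
    # The table's rows plus the two examples quoted earlier in the article.
    for s in ["1234", "pass1234", "PassWord", "PasS1234", "Pas$12#$",
              "i like chocolates", "hU*4M%2g", "I like chocolate!"]:
        print(f"{s!r:22} {keyspace(s):>34,}  {entropy_bits(s):5.1f} bits")
```

This counts brute-force candidates only; a passphrase assembled from common dictionary words is exposed to wordlist attacks that the keyspace figure does not capture, so policy should treat these numbers as an upper bound.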
Don’t Think Green
Many companies implement a policy, following best practice, under which network passwords are changed every 90 days, are never reused, and are never shared with anyone (including Help Desk or IT personnel). Best practice for passphrase management is:
- Don’t Reduce – Use long passphrases when possible
- Don’t Reuse – Never use the same passphrase at more than one website
- Don’t Recycle – Avoid using the same passphrase or variants of it over and over again
Further reading: Ten Password Myths, http://www.securityfocus.com/infocus/1554
The best generator of random passwords on the Internet: https://www.grc.com/passwords.htm