In-Depth

9 Perfect Password Pointers

Passwords are often the weakest part of a security infrastructure. Here are nine ways to make them one of the strongest.

Passwords are a key part of an overall, in-depth defense strategy. Strong passwords are like a Master Lock -- the ones that don't open even when shot by a rifle. Weak passwords are like those Kryptonite locks, which can be opened with a ballpoint pen. Not good. So here are nine tips that will beef up your passwords, making them nearly pick-proof.

Tip 1: The Longer, the Better
How long should your passwords be? Anyone giving you a specific figure isn't doing the answer justice. The length depends on the value of the data being protected, how often the passwords must be changed, and the security of the authentication system. But in general, passwords should be a minimum of eight to 10 characters to even begin to be considered non-trivial. A password of 15 characters or longer is considered secure for most general-purpose business applications.

Tip 2: Disable the Weak
If you don't disable the storage of weak LM password hashes in Windows (and then force password changes) and an attacker gets the hashes, they'll be simple to break unless the passwords are 15 characters or longer. Passwords of that length automatically disable the storage of the LM hash.

Reader Tip: Do It Yourself

We don't let the user create them -- we create them and assign them to the users on a routine basis. We only have 60 users, so it's not as difficult as it may appear at first glance.
-- Anonymous, via Redmondmag.com

You can disable LM password hashes by using Group Policy, Local Security Policy or a Registry edit. In the former two, navigate to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options and enable Network Security: Do not store LAN Manager hash value on next password change.

Tip 3: Create True Password Complexity
Complexity makes passwords harder to guess and crack. Complexity normally means inserting one or more non-alphabetic characters into the password or passphrase, and is generally broken down into "low" and "high" categories. Low complexity means requiring a number or forcing mixed-case capitalization of letters. Higher complexity involves requiring one or more non-alphabetic and non-numeric symbols (e.g. ! @ # $ % &, and so on).

Crackers and automated password cracking tools know that if you're required to use an uppercase character, you're more likely to make the first letter of your password uppercase. They know that if forced to use a number, it will typically be at the end and be either "1" or "2." If you're forced to use special symbols, you're most likely to use the characters listed in the previous paragraph, and you'll substitute "@" for "a," "$" for "s" and so on. To add true password complexity, do something a password cracker wouldn't expect. For instance, "p7asswOrd" is more complex than "Password2", even though it's no harder to type.
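The habits described above can be checked for when a password is chosen. The following is an added example, not code from the article: a sketch of a password-change filter that flags those habits, with function names and finding labels that are assumptions made for illustration.

```python
import re

# Symbols the article lists as the ones users reach for first.
USUAL_SYMBOLS = set("!@#$%&")
# Look-alike swaps named in the article: "@" for "a", "$" for "s".
SUBSTITUTIONS = {"@": "a", "$": "s"}


def passes_composition_rule(password: str) -> bool:
    """The 'low complexity' rule from the article: mixed case plus a number."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


def predictable_patterns(password: str) -> list:
    """Return the habits from the article that this password exhibits."""
    findings = []
    uppers = [i for i, c in enumerate(password) if c.isupper()]
    digit_count = sum(c.isdigit() for c in password)
    symbols = {c for c in password if not c.isalnum()}
    tail = re.search(r"\d+$", password)

    if uppers == [0]:
        findings.append("capital-first")          # only the first letter is uppercase
    if tail and len(tail.group()) == digit_count:
        findings.append("digits-last")            # every digit sits at the end
        if tail.group() in ("1", "2"):
            findings.append("ends-in-1-or-2")
    if symbols and symbols <= USUAL_SYMBOLS:
        findings.append("usual-symbols")
    # Undo the look-alike swaps; a purely alphabetic result means the
    # symbols were standing in for letters rather than adding surprise.
    core = password[:tail.start()] if tail else password
    plain = "".join(SUBSTITUTIONS.get(c, c) for c in core)
    if plain != core and plain.isalpha():
        findings.append("lookalike-substitution")
    return findings


def audit(candidates):
    """Map each candidate to (passes the composition rule, predictable habits)."""
    return {p: (passes_composition_rule(p), predictable_patterns(p)) for p in candidates}


if __name__ == "__main__":
    # "Password2" and "p7asswOrd" are the article's examples; "P@$$word1" is constructed.
    for pw, (ok, habits) in audit(["Password2", "p7asswOrd", "P@$$word1"]).items():
        print(f"{pw:12} rule={'pass' if ok else 'fail'} habits={habits or 'none'}")
```

All three candidates satisfy the same composition rule, but only "p7asswOrd" comes back with no predictable habits.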

Reader Tip: The Rule of 14

We use Group Policy to enforce 14 character-minimum passwords. In order to help people to remember them, we suggest using a passphrase -- basically a sentence that they can remember. With such a long password we don't feel the need to include special characters. It would take a hacking program a long time (if it's even possible) to crack it.
-- Aaron Castro, IT manager, Hatfield, Pa.

Tip 4: To Decrease Complexity, Increase Length
Crackers keep telling me how easy it is to break dictionary-based passwords. But I send them the password hashes for "frogdogfrogdog" and "passwordhashword" to crack, and they never seem to break them. It's a dirty little secret: If your password is long enough, it doesn't need to be complex. Going 15 characters or longer defeats most password crackers, since the number of possible combinations is too overwhelming for most password cracking engines to work through.

Tip 5: Don't Pass It On
You'd be amazed how many people use the same password to protect their online dating profile that they use at work. It isn't unusual for today's knowledge worker to have dozens of logons across a multitude of Web sites around the Internet. Often their logon name to each Web site is their e-mail address. If a hacker can compromise their password on one site, they can probably use it to compromise a whole lot of others.

Reader Tip: Keep Users in the Loop

In the last year we've enabled a complex password policy for our domain via Group Policy. First, we let our users know about the upcoming plan along with the rationale for the need for complex passwords (i.e. stolen data and so on). The day we enabled the policy we sent out an e-mail with the requirements and a few hints about selecting a strong complex password. So far, our users seem to understand the need for complex passwords and keeping customer data safe.
-- Brett Dodd, Network services officer, Miles City, Mont.

Tip 6: Rooting Around
The same thing applies to setting passwords on different work systems: Avoid using the same passwords on different systems. To make it simpler to log on to multiple systems, tell your users to pick a common "root" password and make slight changes to it on the various systems. For example, suppose a user has logons to e-mail, billing and accounting systems. Their passwords could be "frogemail32," "frogbilling32" and "frogaccounting32." What's important is that the compromise of one password in one system doesn't immediately lead to other system compromises.

Tip 7: Lure Your Own Employees
One of the most interesting, proactive security education programs involves creating and sending your own employees realistic-looking phishing e-mails, asking for the employee's logon name and password. Most of us have plenty of phishing e-mails in our own Inbox to use as a template. Send the bogus phishing attempt from an outside location, so that it doesn't readily appear as if it's from your company (i.e. the originating e-mail address).

Every employee responding with his logon credentials should be required to attend an employee education program (and the more boring, the better). Then send a follow-up test phishing e-mail. Every time an employee responds, he has to attend the class.

Reader Tip: Token Power

We use a single sign-on product with two-factor authentication using tokens. This allows us to set user passwords on the domain (currently, we're using 20-character, randomly generated passwords) that nobody knows. Only the single sign-on server knows this password and it passes it, encrypted, to the user's computer; it's only good for that session. This means no written down passwords and no forgotten passwords -- users just need their token (made by Secure Computing, called the Silver 2000) and a four-digit pin to access the system.
-- Darryl Doughty, Network Administrator, Wenatchee, Wash.

I've talked to two companies that have done this and both report that initial conversion rates (employees responding to the phishing e-mail with logon credentials) are more than 30 percent. After the mandatory education program was instituted, conversion rates plummeted to less than 2 percent for repeat offenders (although it makes you wonder what it would take for the 2 percent to "get it"). Educating users this way also makes them smarter e-mailers at home, benefiting all of cyberspace.

Tip 8: Get the Sniffles
I routinely use a network protocol analyzer to sniff my company's passwords. I sniff in company hallways, on the LAN and in the wireless ether, trying to find out how many people are transmitting their logon and passwords in plaintext. Even in the most secure environments, I'm rarely disappointed.

Reader Tip: Shock Value

The best way to convince users to use strong passwords is to run L0phtCrack, Cain and Abel or another password cracking tool in front of senior management (who tend to have the easiest passwords to crack). In my experience, when they see 50 percent of the passwords cracked within seconds, they get scared. Even better is to do it with a sniffer; then they can see just how easy it is for a guest, maintenance worker or an attacker using social engineering to pick up passwords quickly.
-- Andy (last name withheld by request), Network Engineer, Dublin, Ohio

After sniffing my own traveling laptop, I was surprised to discover that my e-mail client was sending my own logon and password credentials in clear-text. My bank's SSL Web site was transmitting my logon name and PIN in clear-text, despite the pretty padlock icon in my browser. I called my bank, and after a few hours of research, they confirmed my findings. I asked them how long the error had been going on and they said since the Web site had been up.

You may think you have your network locked down and your passwords protected using encryption and VPN protocols, but until you sniff your own network, you won't really ever know. And if you don't do it, the hackers will.
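To turn a capture of your own network into a list of services to fix, the decoded payloads can be scanned for logons that were readable in transit. This is an added example, not part of the original article; the one-line-per-payload export format, the addresses and the credentials are all constructed for illustration.

```python
import base64
import re

# Constructed sample, not a real capture: one decoded payload per line in the
# assumed export form "client -> server:port | payload".
BASIC = base64.b64encode(b"bob:example-secret").decode()
SAMPLE = [
    "10.0.0.21 -> 10.0.0.5:110 | USER alice",
    "10.0.0.21 -> 10.0.0.5:110 | PASS example-secret",
    "10.0.0.34 -> 10.0.0.9:21 | USER backup",
    "10.0.0.34 -> 10.0.0.9:21 | PASS example-secret",
    "10.0.0.40 -> 10.0.0.7:80 | Authorization: Basic " + BASIC,
    "10.0.0.40 -> 10.0.0.8:443 | <encrypted TLS record>",
]
LINE = re.compile(r"(\S+) -> (\S+):(\d+) \| (.*)")


def cleartext_logons(lines):
    """Return (server, port, mechanism, user) for each logon readable on the wire.

    The password itself is never kept or returned; the finding is that it was
    readable, which is what the service owner needs to fix.
    """
    pending = {}    # (client, server, port) -> user from a USER command
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, server, port, payload = m.groups()
        key = (client, server, int(port))
        verb, _, arg = payload.partition(" ")
        if verb.upper() == "USER":
            pending[key] = arg.strip()
        elif verb.upper() == "PASS" and key in pending:
            findings.append((server, int(port), "USER/PASS", pending.pop(key)))
        elif payload.lower().startswith("authorization: basic "):
            try:
                decoded = base64.b64decode(payload.split()[2], validate=True).decode()
            except (ValueError, UnicodeDecodeError, IndexError):
                continue
            findings.append((server, int(port), "HTTP Basic", decoded.split(":", 1)[0]))
    return findings


def services_to_fix(lines):
    """Distinct server:port endpoints that accepted a readable logon."""
    return sorted({f"{s}:{p}" for s, p, _, _ in cleartext_logons(lines)})
```

The encrypted session on port 443 produces no finding, while the mail, file-transfer and web logons are each reported with the affected account name only.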

Tip 9: Storing Passwords -- Hint, Hint …
Tracking all these passwords is tough. Make them too easy to find, and hackers can get at 'em. Too tough and you may not be able to use your own passwords!

I keep all my passwords for my different systems on my cell phone/PDA. But what if my phone is stolen? No problem: attackers won't be able to figure out my passwords, because what I store is not my actual password. Instead, I store "hints" to my passwords. For example, the passwords listed in Tip 6 might become "femail32," "fbilling32" and "faccounting32." You can even switch things up a bit, for instance using "FEmail34," to indicate that the password includes capitalized letters and a different ending for that system (i.e. FrogEmail34). If you use a password storage program to store all your passwords in a central location, use this tip even when storing your passwords there. Never write down your password.

By applying these nine pointers, you'll make your environment much safer. And that, in turn, will keep your job safer. Consider it an investment in your career.

Reader Comments:

Thu, May 5, 2011 Larry ibs symptoms

Long and complicated passwords are good but don't forget to install firewall and antivirus system in your computer. And most importantly never ever click on any link sent to your email.

Fri, Sep 29, 2006 Bendis Canada

@Michael Nielsen from Denmark - I thank you for the link to Nic Wolff's password generator! Yes, I'm one of those support souls that have to remember and use 20+ passwords for various logins. Nic's script is awesome!

Thu, Jun 29, 2006 Richard Denmark

However good your memory Kelly, there are those of us who have vacation entitlement that far outstrips the guilt ridden US system where you don't take vacation unless the Boss does...this means that those of us who annually take 6 - 8 weeks off each year have long periods of up to 3 or 4 weeks when we don't routinely use the passwords we have and consequently forget them. There are classic peaks in all organisations all over the world after Xmas vacation and summer vacation when Help Desks are bombarded with password reset requests. I reckon you probably are aware of that as well. That's why a self service add-on like FastPass Password Manager can help those of us who are rather more challenged than you are Kelly. It helps us to not congest our minds with the 13 passwords (RSA's figures) we use daily and also gives us Europeans a quality of life that is far in excess (according to statistics) than you have on your side of the Pond ;-)

Fri, May 26, 2006 Tom Indiana

Paul from London indicates that our ATM PIN numbers are secure. What!? With a small scope similar to what might be mounted on a rifle, you can pick up as many PIN numbers as you want from 1/2 a block away from an ATM machine. And if you think people don't write their PIN numbers on their cards, think again.
I agree with Kelly, that long passphrases are not that difficult to remember. You can always whine and argue that her specific examples don't work for you but the whole point was that anyone should be able to come up with a scheme that works for them.
The real beauty of 15 character passphrases is that you can imbed easy to remember info with a base password to create unique but similar strings, PLUS with 15 character strings it is not necessary to enforce password changes as often. Why? Because the reason for frequent password changes is to change the password often enough that if a hacker gets the hash or encrypted password it will probably be changed before they crack it. After all, once they've cracked the password and compromised your system, they will likely create their own alternate method of access and no longer need your account anyway, so changing the password isn't going to stop them once they have gotten in once.
As for the 2% of users who seem to just not have a clue, as indicated in tip 7, at least make sure they do not have access to sensitive data. After all, we are talking about repeatedly failing to follow company policy pertaining to sending information in emails.

Fri, May 12, 2006 Paul Morgan London, UK

As an ex-IT Manager, I feel reasonably qualified to comment on the issues raised here. Enforcing regular password changes simply doesn't work. For instance, if your system will not allow the use of a previous password until the 11th change, users will simply use the same password they always have, with a number at the end (i.e. january1) all the way to january10, then back to january1 again on the 11th change. Banks don't insist we change our ATM card PIN every 30 days, so why should we be expected to change our passwords on a regular basis? This is an education issue, not one of password complexity or change frequency. If users are educated to understand that their various system passwords are as important as the PINs they are given by the bank, your company's data would be a whole lot more secure. For instance, you wouldn't write your ATM PIN on the back of the card, so why write your login password on the reverse of your keyboard? Once this change in culture has been successfully effected, system passwords will become as "secure" as ATM PINs. Simple.

Wed, May 3, 2006 anthony Anonymous

I want to join in with the folks that voice concern about remembering passwords. Kelly makes it seem easy but she does not offer many long passwords as examples and not many examples in total. As a Systems programmer I had perhaps nine different passwords and if I made them 15 characters long and changed them each month I would quickly run out of hotel rooms and vacation spots. On the other extreme I would find people with their passwords taped to their monitor. But until there is a good way to create a complex password which is easy to remember but does not follow a pattern people will quickly fall back to short password and family names.

Sat, Apr 29, 2006 Ike Denver

This is an excellent comprehensive list, and the current readers comments are right on the money. My pet peeve is the varying authentication requirements (esp., length) by each "secure" web-site evokes more creativity than I wish to endure.

Thu, Apr 27, 2006 John Birmingham, UK

Another point for users to remember is never to use your mother's maiden name - these are easily discovered from ancestry web sites. I still find it amazing just how many systems ask for this as 'proof' of identity when you need your password reset. If asked for this information MAKE IT UP.

Wed, Apr 26, 2006 Steve Redding, CA

Kelly, you seem pretty proud of yourself for your great memory. Congratulations. However, there definitely are plenty of extremely intelligent, qualified, and (gasp) even successful people out there who still have trouble remembering long, complex passwords. Just because you can remember your 22-character password doesn't mean, as you say, "anyone can." Not everybody's memory works the same way. Until you have become a leading cognitive neuroscientist, I think you really don't have the qualifications to tell other people what line of work they should be in based on their ability to remember (or not) passwords.

Wed, Apr 26, 2006 Kelly Detroit, MI

I don't have a 120 IQ and I manage to remember passwords for many systems at multiple clients, at the office, and the home network - each based on a different scheme. Seriously, if your users can not find a scheme to use when routinely setting and changing passwords, maybe they should consider a different job function or industry to work in. Most of my clients, and users, are required to routinely set and change passwords as part of their job function, and using simple techniques like -

1. combine a type of fruit with a numerical sequence i.e. apples1@day, cherries1Npie,

2. the phrase 'iLove' with a favorite food item and symbols i.e. iLoveP1zz@, iLoveSp@ghett1, iLove1cecre@m,

3. Month, Date, Initials, Weight, Symbol, i.e. jan01big187!, feb14ktw133$,

4. the last place you vacationed, room number of hotel or condo, and number of days there i.e. Wyndham948seven, Hilton238three, Embassy728twelvehours

- really help. Each of which will meet most length, character, and complexity requirements.
Lastly, if I can remember my passwords, some as much as 22 characters in length, anyone can. It's not the task of changing their passwords they have to overcome; rather, it's the desire to want to change their passwords.

Wed, Apr 12, 2006 Suzanne New York, NY

I agree with Bill from NJ ... but I would add that one CAN teach people to store the HINT and not the password. Or, teach other ways to keep the password, e.g., "sdrawkcab" can work well. AND the "keep users in the loop" tip is well put: say it's going to happen, say it is happening, say what happened. Short and sweet. Bye!

Wed, Apr 5, 2006 Bill NJ

The password hints are great for the techno-savvy person with a 120 IQ, but I find that the majority of users are clerical and have a tough time getting Excel to do more than add two numbers together. Even managers dig into their wallets to get the infrequently used accounts. Complexity of a password is not why people write them down, it is because they change every couple of months, different systems require different userid formats and password formats. The irony is that as accounts and passwords have gotten more complex, making it more difficult for the techno hacks; the low-tech hacks can just look under the keyboard, or in a drawer.

Wed, Apr 5, 2006 Sina Tehran

Hi and tanx Roger! that's useful for me.

Fri, Mar 31, 2006 Anonymous Anonymous

excellent
