9 Perfect Password Pointers
Passwords are often the weakest part of a security infrastructure. Here are nine ways to make them one of the strongest.
Passwords are often the weakest part of a security infrastructure. Here are
nine ways to make them one of the strongest.
Passwords are a key part of an overall, in-depth defense strategy. Strong passwords are like a Master Lock -- the ones that don't open even when shot by a rifle. Weak passwords are like those Kryptonite locks, which can be opened with a ballpoint pen. Not good. So here are nine tips that will beef up your passwords, making them nearly pick-proof.
Tip 1: The Longer, the Better
How long should your passwords be? Anyone giving you a specific figure isn't doing
the answer justice. The length depends on the value of the data being protected,
how often the passwords must be changed, and the security of the authentication
system. But in general, passwords should be a minimum of eight to 10 characters
to even begin to be considered non-trivial. A password of 15 characters or longer
is considered secure for most general-purpose business applications.
Tip 2: Disable the Weak
If you don't disable the storage of weak LM password hashes in Windows (and then
force password changes) and an attacker gets the hashes, they'll be simple to
break unless the passwords are 15 characters or longer. At that length, they automatically
disable the storage of the LM hash.
Tip: Do It Yourself
We don't let the user create them
-- we create them and assign them to the users on a routine
basis. We only have 60 users, so it's not as difficult
as it may appear at first glance.
-- Anonymous, via Redmondmag.com
You can disable LM password hashes by using Group Policy, Local Security Policy
or a Registry edit. In the former two, navigate to Computer Configuration |
Windows Settings | Security Settings | Local Policies | Security Options and
enable Network Security: Do not store LAN Manager hash value on next password
Tip 3: Create True Password Complexity
Complexity makes passwords harder to guess and crack. Complexity normally means
inserting one or more non-alphabetic characters into the password or passphrase,
and is generally broken down into "low" and "high" categories. Low complexity
means requiring a number or forcing mixed-case capitalization of letters. Higher
complexity involves requiring one or more non-alphabetic and non-numeric symbols
(e.g. ! @ # $ % &, and so on).
Crackers and automated password cracking tools know that if you're required
to use an uppercase character, you're more likely to make the first letter of
your password uppercase. They know that if forced to use a number, it will typically
be at the end and be either "1" or "2." If you're forced to use special symbols,
you're most likely to use the characters listed in the previous paragraph, and
you'll substitute "@" for "a," "$" for "s" and so on. Too add true password
complexity, do something a password cracker wouldn't expect. For instance, "p7asswOrd"
is more complex than "Password2", even though it's no harder to type.
Tip: The Rule of 14
We use Group Policy to enforce 14 character-minimum
passwords. In order to help people to remember them, we suggest
using a passphrase -- basically a sentence that they can remember.
With such a long password we don't feel the need to
include special characters. It would take a hacking program
a long time (if it's even possible) to crack it.
-- Aaron Castro, IT manager, Hatfield, Pa.
Tip 4: To Decrease Complexity, Increase Length
Crackers keep telling me how easy it is to break dictionary-based passwords.
But I send them the password hashes for "frogdogfrogdog" and "passwordhashword"
to crack, and they never seem to break them. It's a dirty little secret: If
your password is long enough, it doesn't need to be complex. Going 15 characters
or longer defeats most password crackers, since the number of possible combinations
is too overwhelming for most password cracking engine requirements.
Tip 5: Don't Pass It On
You'd be amazed how many people use the same password to protect their online
dating profile that they use at work. It isn't unusual for today's knowledge
worker to have dozens of logons across a multitude of Web sites around the Internet.
Often their logon name to each Web site is their e-mail address. If a hacker
can compromise their password on one site, they can probably use it to compromise
a whole lot of others.
Tip: Keep Users in the Loop
In the last year we've enabled a
complex password policy for our domain via Group Policy. First,
we let our users know about the upcoming plan along with the
rationale for the need for complex passwords (i.e. stolen
data and so on). The day we enabled the policy we sent out
an e-mail with the requirements and a few hints about selecting
a strong complex password. So far, our users seem to understand
the need for complex passwords and keeping customer data safe.
-- Brett Dodd, Network services officer, Miles City, Mont.
Tip 6: Rooting Around
The same thing applies to setting passwords on different work systems: Avoid
using the same passwords on different systems. To make it simpler to log on
to multiple systems, tell your users to pick a common "root" password and make
slight changes to it on the various systems. For example, suppose a user has
logons to e-mail, billing and accounting systems. Their passwords could be "frogemail32,"
"frogbilling32" and "frogaccounting32." What's important is that the compromise
of one password in one system doesn't immediately lead to other system compromises.
Tip 7: Lure Your Own Employees
One of the most interesting, proactive security education programs involves creating
and sending your own employees realistic-looking phishing e-mails, asking for
the employee's logon name and password. Most of us have plenty of phishing e-mails
in our own Inbox to use as a template. Send the bogus phishing attempt from an
outside location, so that it doesn't readily appear as if it's from your company
(i.e. the originating e-mail address).
Every employee responding with his logon credentials should be required to attend an employee education program (and the more boring, the better). Then send a follow-up test phishing e-mail. Every time an employee responds, he has to attend the class.
Tip: Token Power
We use a single sign-on product with two-factor
authentication using tokens. This allows us to set user passwords
on the domain (currently, we're using 20-character,
randomly generated passwords) that nobody knows. Only the
single sign-on server knows this password and it passes it,
encrypted, to the user's computer; it's only good
for that session. This means no written down passwords and
no forgotten passwords -- users just need their token (made
by Secure Computing,
called the Silver 2000) and a four-digit pin to access the
-- Darryl Doughty, Network Administrator, Wenatchee, Wash.
I've talked to two companies that have done this and both report that initial
conversion rates (employees responding to the phishing e-mail with logon credentials)
is more than 30 percent. After the mandatory education program was instituted,
conversion rates plummeted to less than 2 percent for repeat offenders (although
it makes you wonder what it would take for the 2 percent to "get it"). Educating
users this way also makes them smarter e-mailers at home, too, benefiting all
Tip 8: Get the Sniffles
I routinely use a network protocol analyzer to sniff my company's passwords.
I sniff in company hallways, on the LAN and in the wireless ether, trying to
find out how many people are transmitting their logon and passwords in plaintext.
Even in the most secure environments, I'm rarely disappointed.
Tip: Shock Value
The best way to convince users to use strong
passwords is to run Lophtcrack, Cain and Abel or another password
cracking tool in front of senior management (who tend to have
the easiest passwords to crack). In my experience, when they
see 50 percent of the passwords cracked within seconds, they
get scared. Even better is to do it with a sniffer; then they
can see just how easy it is for a guest, maintenance worker
or an attacker using social engineering to pick up passwords
-- Andy (last name withheld by request), Network Engineer,
After sniffing my own traveling laptop, I was surprised to discover that my
e-mail client was sending my own logon and password credentials in clear-text.
My bank's SSL Web site was transmitting my logon name and PIN in clear-text,
despite the pretty padlock icon in my browser. I called my bank, and after a
few hours of research, they confirmed my findings. I asked them how long the
error had been going on and they said since the Web site had been up.
You may think you have your network locked down and your passwords protected using encryption and VPN protocols, but until you sniff your own network, you won't really ever know. And if you don't do it, the hackers will.
Tip 9: Storing Passwords -- Hint, Hint …
Tracking all these passwords is tough. Make them too easy to find, and hackers
can get at 'em. Too tough and you may not be able to use your own passwords!
I keep all my passwords for my different systems on my cell phone/PDA. But what if my phone is stolen? No problem: attackers won't be able to figure out my passwords, because what I store is not my actual password. Instead, I store "hints" to my passwords. For example, the passwords listed in the previous tip might become "femail32," "fbilling32" and "faccounting32." You can even switch things up a bit, for instance using "FEmail34," to indicate that the password includes capitalized letters and a different ending for that system (i.e. FrogEmail34). If you use a password storage program to store all your passwords in a central location, use this tip even when storing your passwords there. Never write down your password.
By applying these nine pointers, you'll make your environment much safer. And
that, in turn, will keep your job safer. Consider it an investment in your career.