In-Depth

9 Perfect Password Pointers

Passwords are often the weakest part of a security infrastructure. Here are nine ways to make them one of the strongest.


Passwords are a key part of an overall defense-in-depth strategy. Strong passwords are like a Master Lock -- the ones that don't open even when shot by a rifle. Weak passwords are like those Kryptonite locks, which could be opened with a ballpoint pen. Not good. So here are nine tips that will beef up your passwords, making them nearly pick-proof.

Tip 1: The Longer, the Better
How long should your passwords be? Any single figure oversimplifies the answer. The right length depends on the value of the data being protected, how often the passwords must be changed, and how well the authentication system resists guessing and hash theft. Each added character multiplies the attacker's search space by the size of the character set, though, so length is the cheapest strength you can buy. In general, passwords should be a minimum of eight to 10 characters to even begin to be considered non-trivial, and a password of 15 characters or longer is considered secure for most general-purpose business applications.

Tip 2: Disable the Weak
Windows keeps two hashes of each password: the NT hash and, for backward compatibility, the much weaker LAN Manager (LM) hash. The LM algorithm upper-cases the password, pads or truncates it to 14 characters and hashes each 7-character half independently, so an attacker who obtains the hashes cracks two short, case-insensitive halves instead of one long password. If you don't disable LM hash storage (and then force password changes, because the setting only affects passwords set after it) and an attacker gets the hashes, they'll be simple to break unless the passwords are 15 characters or longer. A 15-character password can't be represented in LM's 14-character form at all, so at that length Windows stores a null LM hash automatically.

Reader Tip: Do It Yourself

We don't let the users create them -- we create them and assign them to the users on a routine basis. We only have 60 users, so it's not as difficult as it may appear at first glance.
-- Anonymous, via Redmondmag.com

You can disable LM password hashes by using Group Policy, Local Security Policy or a Registry edit. In the former two, navigate to Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options and enable Network security: Do not store LAN Manager hash value on next password change. The equivalent Registry setting is a DWORD value named NoLMHash, set to 1, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. As the policy's name says, it only applies as each password is changed; the LM hashes already on disk stay there until you force a change, so the setting and the forced change go together.

Tip 3: Create True Password Complexity
Complexity makes passwords harder to guess and crack. Complexity normally means inserting one or more non-alphabetic characters into the password or passphrase, and is generally broken down into "low" and "high" categories. Low complexity means requiring a number or forcing mixed-case capitalization of letters. Higher complexity involves requiring one or more non-alphabetic and non-numeric symbols (e.g. ! @ # $ % &, and so on).

Crackers and automated password cracking tools know that if you're required to use an uppercase character, you're more likely to make the first letter of your password uppercase. They know that if you're forced to use a number, it will typically be at the end and be either "1" or "2." If you're forced to use special symbols, you're most likely to use the characters listed in the previous paragraph, and you'll substitute "@" for "a," "$" for "s" and so on. Cracking tools encode every one of these habits as a rule and apply the rules to a wordlist long before they fall back to brute force. To add true password complexity, do something a password cracker wouldn't expect. For instance, "p7asswOrd" is more complex than "Password2", even though it's no harder to type: both satisfy a policy that demands uppercase, lowercase and a digit, but the second collapses to "password" as soon as a cracker strips the trailing digit, while the first doesn't reduce to a dictionary word.

Reader Tip: The Rule of 14

We use Group Policy to enforce 14-character minimum passwords. In order to help people to remember them, we suggest using a passphrase -- basically a sentence that they can remember. With such a long password we don't feel the need to include special characters. It would take a hacking program a long time (if it's even possible) to crack it.
-- Aaron Castro, IT manager, Hatfield, Pa.

Tip 4: To Decrease Complexity, Increase Length
Crackers keep telling me how easy it is to break dictionary-based passwords. But I send them the password hashes for "frogdogfrogdog" and "passwordhashword" to crack, and they never seem to break them. It's a dirty little secret: If your password is long enough, it doesn't need to be complex. Going 15 characters or longer puts brute force out of reach: even with nothing but lowercase letters, a 15-character password has 26^15 (roughly 2^70) possible values, far more than any cracking engine can enumerate. Two caveats apply. The password has to be long in the hash the attacker actually holds, so the LM hash from Tip 2 must be gone. And a long password assembled from common words is still exposed to wordlist and combinator attacks that try pairs of dictionary words, so choose words that don't form a phrase a cracker would think to try.
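Tips 1 through 4 all come down to how a cracker sees a password rather than how a policy checkbox counts it. The Python script below is an added example, not code from the article or from Redmondmag.com; it puts the four points in one place: the brute-force search space implied by length and character set (Tips 1 and 4), the two 7-character halves that the LM hash exposes for anything shorter than 15 characters (Tip 2), the habits from Tip 3 that cracking rules try first, and whether the password is really one dictionary word, or several glued together, once a numeric suffix and leet substitutions are stripped. The wordlist and leet table are small constructed stand-ins for a real cracker's lists, and the LM character-set size of 68 (26 letters after case folding, 10 digits, 32 symbols) is an assumed upper bound.

```python
import math
import re
import string

# Constructed stand-in for a cracker's wordlist (assumption; real lists hold
# millions of entries, so whatever this catches, a real one catches too).
WORDLIST = {"password", "frog", "dog", "hash", "word", "email", "billing",
            "accounting", "summer", "welcome", "admin"}

# Character swaps that cracking rule sets undo before a wordlist lookup.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})

# After LM case-folding only upper-case letters, digits and symbols remain (68).
LM_CHARSET = 26 + 10 + len(string.punctuation)


def charset_size(password):
    """Size of the smallest standard character set containing the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def brute_force_bits(password):
    """log2 of the search space an attacker must cover to exhaust the password."""
    size = charset_size(password)
    return round(len(password) * math.log2(size), 1) if size else 0.0


def lm_halves(password):
    """The two 7-byte halves the LM algorithm hashes independently, or None
    when Windows stores no LM hash at all (15 characters or more)."""
    if len(password) >= 15:
        return None
    padded = password.upper().ljust(14, "\0")
    return padded[:7], padded[7:]


def lm_effective_bits(password):
    """Work to brute-force the LM hash: each half is attacked on its own and an
    all-NUL half is a known constant, so the longer half dominates."""
    halves = lm_halves(password)
    if halves is None:
        return None
    used = [len(h.rstrip("\0")) for h in halves if h.strip("\0")]
    return round(max(used, default=0) * math.log2(LM_CHARSET), 1)


def word_segmentation(s):
    """True if s is a concatenation of wordlist entries, which is what a
    combinator attack finds by pairing dictionary words."""
    reachable = [True] + [False] * len(s)
    for end in range(1, len(s) + 1):
        reachable[end] = any(reachable[start] and s[start:end] in WORDLIST
                             for start in range(end))
    return bool(s) and reachable[-1]


def dictionary_based(password):
    """'word' if a rule set reduces the password to one wordlist entry,
    'combinator' if it is several entries glued together, else None."""
    core = re.sub(r"\d{1,4}$", "", password)            # drop a numeric suffix
    base = re.sub(r"[^a-z]", "", core.translate(LEET).lower())
    if base in WORDLIST:
        return "word"
    if word_segmentation(base):
        return "combinator"
    return None


def predictable_patterns(password):
    """Names of the habits from Tip 3 that a cracker's rules try first."""
    flags = []
    if password[:1].isupper() and not any(c.isupper() for c in password[1:]):
        flags.append("capital only at start")
    suffix = re.search(r"\d+$", password)
    if suffix and not any(c.isdigit() for c in password[:suffix.start()]):
        flags.append("digits only at end")
        if suffix.group() in ("1", "2"):
            flags.append("trailing 1 or 2")
    return flags


def audit(password):
    """Summarise one password from the attacker's point of view."""
    return {
        "length": len(password),
        "brute_force_bits": brute_force_bits(password),
        "lm_hash_stored": len(password) < 15,
        "lm_effective_bits": lm_effective_bits(password),
        "patterns": predictable_patterns(password),
        "dictionary": dictionary_based(password),
    }


if __name__ == "__main__":
    for pw in ("Password2", "p7asswOrd", "frogdogfrogdog", "passwordhashword"):
        print(pw, audit(pw))
```

Run it and the article's examples line up: "Password2" and "p7asswOrd" have the same 53.6-bit brute-force space, but only the first trips every rule and reduces to a wordlist entry; "frogdogfrogdog" has a larger space than either yet still segments into dictionary words and, being under 15 characters, leaves an LM hash worth only about 42.6 bits of work; "passwordhashword" is the only one with no LM hash at all.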

Tip 5: Don't Pass It On
You'd be amazed how many people use the same password to protect their online dating profile that they use at work. It isn't unusual for today's knowledge worker to have dozens of logons across a multitude of Web sites around the Internet. Often their logon name to each Web site is their e-mail address. If a hacker can compromise their password on one site, they can probably use it to compromise a whole lot of others.

Reader Tip: Keep Users in the Loop

In the last year we've enabled a complex password policy for our domain via Group Policy. First, we let our users know about the upcoming plan along with the rationale for the need for complex passwords (i.e. stolen data and so on). The day we enabled the policy we sent out an e-mail with the requirements and a few hints about selecting a strong complex password. So far, our users seem to understand the need for complex passwords and keeping customer data safe.
-- Brett Dodd, Network services officer, Miles City, Mont.

Tip 6: Rooting Around
The same thing applies to setting passwords on different work systems: Avoid using the same passwords on different systems. To make it simpler to log on to multiple systems, tell your users to pick a common "root" password and make slight changes to it on the various systems. For example, suppose a user has logons to e-mail, billing and accounting systems. Their passwords could be "frogemail32," "frogbilling32" and "frogaccounting32." What's important is that the compromise of one password on one system doesn't immediately lead to other system compromises: an automated attack that simply replays a leaked password elsewhere fails. Keep in mind that a human who has seen one of them can guess the pattern, so reserve unrelated passwords for the systems that matter most.

Tip 7: Lure Your Own Employees
One of the most interesting, proactive security education programs involves creating and sending your own employees realistic-looking phishing e-mails, asking for the employee's logon name and password. Most of us have plenty of phishing e-mails in our own Inbox to use as a template. Send the bogus phishing attempt from an outside location, so that the originating e-mail address doesn't readily give it away as coming from your company.

Every employee responding with his logon credentials should be required to attend an employee education program (and the more boring, the better). Then send a follow-up test phishing e-mail. Every time an employee responds, he has to attend the class.

Reader Tip: Token Power

We use a single sign-on product with two-factor authentication using tokens. This allows us to set user passwords on the domain (currently, we're using 20-character, randomly generated passwords) that nobody knows. Only the single sign-on server knows this password and it passes it, encrypted, to the user's computer; it's only good for that session. This means no written-down passwords and no forgotten passwords -- users just need their token (made by Secure Computing, called the Silver 2000) and a four-digit PIN to access the system.
-- Darryl Doughty, Network Administrator, Wenatchee, Wash.

I've talked to two companies that have done this and both report that initial conversion rates (employees responding to the phishing e-mail with logon credentials) are more than 30 percent. After the mandatory education program was instituted, conversion rates plummeted to less than 2 percent for repeat offenders (although it makes you wonder what it would take for the 2 percent to "get it"). Educating users this way also makes them smarter e-mailers at home, too, benefiting all of cyberspace.

Tip 8: Get the Sniffles
I routinely use a network protocol analyzer to sniff my company's passwords. I sniff in company hallways, on the LAN and in the wireless ether, trying to find out how many people are transmitting their logon and passwords in plaintext. Even in the most secure environments, I'm rarely disappointed.

Reader Tip: Shock Value

The best way to convince users to use strong passwords is to run L0phtCrack, Cain and Abel or another password cracking tool in front of senior management (who tend to have the easiest passwords to crack). In my experience, when they see 50 percent of the passwords cracked within seconds, they get scared. Even better is to do it with a sniffer; then they can see just how easy it is for a guest, maintenance worker or an attacker using social engineering to pick up passwords quickly.
-- Andy (last name withheld by request), Network Engineer, Dublin, Ohio

After sniffing my own traveling laptop, I was surprised to discover that my e-mail client was sending my own logon and password credentials in clear-text. My bank's SSL Web site was transmitting my logon name and PIN in clear-text, despite the pretty padlock icon in my browser. I called my bank, and after a few hours of research, they confirmed my findings. I asked them how long the error had been going on and they said since the Web site had been up.

You may think you have your network locked down and your passwords protected by encryption and VPN protocols, but until you sniff your own network, you won't really know. And if you don't do it, the hackers will.
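One way to turn the sniffing audit into something repeatable, as an added example rather than the author's own tool: the Python script below takes reassembled client-to-server TCP payloads, here a constructed set of sample flows standing in for what a protocol analyzer would show, and reports every credential sent in the clear: POP3 and FTP USER/PASS, IMAP LOGIN, HTTP Basic authentication (which is base64 encoding, not encryption) and a login form posted over plain HTTP. The port numbers, form field names and sample hostnames are assumptions; a TLS flow is included to show that the detector finds nothing readable there.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed sample flows standing in for reassembled client->server TCP
# payloads from a capture (assumption: one (server port, bytes) pair per flow).
SAMPLE_FLOWS = [
    (110, b"USER alice@example.com\r\nPASS Summer2005\r\nSTAT\r\n"),
    (21, b"USER ftpuser\r\nPASS frogbilling32\r\nPWD\r\n"),
    (143, b"a001 LOGIN bob hunter2\r\na002 SELECT INBOX\r\n"),
    (80, b"GET /private/ HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Authorization: Basic Ym9iOnBhc3N3b3JkMg==\r\n\r\n"),
    (80, b"POST /login HTTP/1.1\r\nHost: bank.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 27\r\n\r\nusername=carol&pin=1234&x=1"),
    # Start of a TLS ClientHello: an encrypted session shows nothing readable.
    (443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),
]

# Form field names a login page typically uses (assumption).
USER_FIELDS = ("username", "user", "login", "email", "userid")
SECRET_FIELDS = ("password", "passwd", "pass", "pwd", "pin")


def find_cleartext_credentials(port, payload):
    """Return (protocol, username, secret) tuples found in one flow's bytes."""
    found = []

    # POP3 and FTP both log in with USER and PASS on separate lines.
    m_user = re.search(rb"^USER (\S+)", payload, re.M)
    m_pass = re.search(rb"^PASS (\S+)", payload, re.M)
    if m_user and m_pass:
        proto = {110: "POP3", 21: "FTP"}.get(port, "USER/PASS")
        found.append((proto, m_user.group(1).decode(), m_pass.group(1).decode()))

    # IMAP: "<tag> LOGIN <user> <password>" sends both on one line.
    m = re.search(rb"^\S+ LOGIN (\S+) (\S+)", payload, re.M | re.I)
    if m:
        found.append(("IMAP", m.group(1).decode(), m.group(2).decode()))

    # HTTP without TLS: Basic auth is base64, not encryption, and a login
    # form posts its fields as plain URL-encoded text in the body.
    if payload.startswith((b"GET ", b"POST ", b"PUT ")):
        head, _, body = payload.partition(b"\r\n\r\n")
        basic = re.search(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)",
                          head, re.M | re.I)
        if basic:
            decoded = base64.b64decode(basic.group(1)).decode("utf-8", "replace")
            user, _, secret = decoded.partition(":")
            found.append(("HTTP Basic", user, secret))
        is_form = re.search(rb"^Content-Type: application/x-www-form-urlencoded",
                            head, re.M | re.I)
        if body and is_form:
            fields = {k.lower(): v[0]
                      for k, v in parse_qs(body.decode("utf-8", "replace")).items()}
            user = next((fields[k] for k in USER_FIELDS if k in fields), "?")
            for k in SECRET_FIELDS:
                if k in fields:
                    found.append(("HTTP form", user, fields[k]))
    return found


def scan(flows):
    """Run the detector over every flow; returns (port, protocol, user, secret)."""
    return [(port, proto, user, secret)
            for port, payload in flows
            for proto, user, secret in find_cleartext_credentials(port, payload)]


if __name__ == "__main__":
    for port, proto, user, secret in scan(SAMPLE_FLOWS):
        print(f"port {port:>4} {proto:<10} {user!r} -> {secret!r}")
```

Against the sample flows the script reports five credentials and nothing from the TLS flow. Point it at real traffic by feeding it the reassembled streams your analyzer exports, one entry per flow; whatever it prints is exactly what a guest on the hallway LAN could have read.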

Tip 9: Storing Passwords -- Hint, Hint …
Tracking all these passwords is tough. Make them too easy to find, and hackers can get at 'em. Too tough and you may not be able to use your own passwords!

I keep all my passwords for my different systems on my cell phone/PDA. But what if my phone is stolen? No problem: attackers won't be able to figure out my passwords, because what I store is not my actual password. Instead, I store "hints" to my passwords. For example, the passwords listed in Tip 6 might become "femail32," "fbilling32" and "faccounting32." You can even switch things up a bit, for instance using "FEmail34," to indicate that the password includes capitalized letters and a different ending for that system (i.e. FrogEmail34). If you use a password storage program to store all your passwords in a central location, use this tip even when storing your passwords there. Never write down your password.

By applying these nine pointers, you'll make your environment much safer. And that, in turn, will keep your job safer. Consider it an investment in your career.
