Secure Passwords: A Primer in Two Parts
The fact is that passwords are still central to system security. Whether that system is your home PC or your corporate network, passwords play a vital role. My goal for this primer is not only to educate the average user on ways to create a secure passphrase, but also to educate technology professionals (especially the Redmond variety) on the methods a Windows network uses to implement username/password authentication.
In addition, many of these password recommendations should be applied to creating WPA2-PSK (Pre-shared Key) wireless networks in order to make the key less susceptible to a dictionary attack.
Part 1: Creating Secure Passwords
*Note: Microsoft has a wonderful guide on creating strong passwords that I highly recommend. I will be echoing much of the same information here.
Rule 1 – Size matters. The longer the password the better. No password should be shorter than 7 letters. If you are creating a passphrase to log in to a Windows 2000 SP4, Windows XP, or Windows 2003 computer, use 15 characters or more. I will cover the significance of this number in Part 2.
Rule 2 – Create Complexity. There are generally 4 sets of characters on a standard keyboard: capital letters, lowercase letters, numbers, and symbols. Your password needs to contain characters from at least of these categories, and you should really incorporate all 4 categories. The more categories you use, the more complex the password, and the more possible characters a dictionary attack or brute-force attack must consider. (thebitmill.com has an excellent explanation of the math proving why both length and complexity matter.)
Rule 3 – Remember the passphrase and don’t write it down. I realize that some experts say that it is better to write down a complex password than to remember a simple password. I don’t make this compromise. My data is precious to me, and you don’t know how many times I’ve found the password written on a sticky note on the monitor, written on the back of the keyboard, taped to the inside of a drawer, etc. DO NOT WRITE IT DOWN.
Rule 4 – Avoid the following at all cost:
– Your first name, last name, or login name, in any form
– consecutive or repetitive numbers or letters such as 12345678 or AAAAAAAA
– adjacent keyboard letters such as qwerty or asdfghjk
– common and obvious letter-number replacements (e.g. replace the letter O with number 0)
– easily guessed personal information such as names and dates of yourself, family members, pets and close acquaintances
– easily obtained information, such as: address, license plate numbers, telephone numbers, social security numbers, email addresses, etc.
– dictionary words, in any language, forward and backward
I know what you are thinking: this is just too hard and too much trouble. Well, allow me to give you the golden key: change your thinking from the term “password” to “passphrase”.
For example, could you remember this?
“I can’t stand the taste of grapefruit but the RubyRed juice is good.”
Using the first letter of every word and capitalizing each proper noun, that phrase becomes “IcsttogfbRRjig”. Next, take “IcsttogfbRRjig” and append the current time: “IcsttogfbRRjig12:28A”.
WOW, suddenly you have a passphrase that is 20 characters long, uses 4 classes of characters, contains no words, and all you have to remember is a phrase and a time.
This method and its variations literally provide thousands of ways to create excellent passwords that follow all the rules and can be easily remembered.
A final note: Microsoft also provides a Password Checker that will indicate the strength or weakness of a password. If you are in doubt, test your passphrase.
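A small local checker for the rules in Part 1 (length, character classes, and the Rule 4 “avoid” list), added here as an example that is not from the original post and not Microsoft's Password Checker. The wordlist is a tiny constructed stand-in, the sample candidates are constructed, and the name and login values are hypothetical.

```python
import re

# Constructed stand-in for a real wordlist; a deployed check would load a full dictionary.
WORDLIST = {"password", "grapefruit", "welcome", "dragon", "letmein", "ruby"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
LEET = str.maketrans("0143$@!", "oiaesai")  # undo the obvious letter-number swaps of rule 4

def char_classes(pw: str) -> int:
    """Rule 2: how many of the four keyboard character classes the password uses."""
    tests = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(test(c) for c in pw) for test in tests)

def has_keyboard_run(pw: str, n: int = 4) -> bool:
    """Rule 4: n adjacent keys from one keyboard row (qwerty, asdfghjk, 12345678)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            chunk = row[i:i + n]
            if chunk in low or chunk[::-1] in low:
                return True
    return False

def has_dictionary_word(pw: str, min_len: int = 4) -> bool:
    """Rule 4: a wordlist entry, forward or backward, even after 0-for-O style swaps."""
    normal = pw.lower().translate(LEET)
    return any(w in normal or w[::-1] in normal for w in WORDLIST if len(w) >= min_len)

def check_password(pw: str, user_info=(), windows: bool = True) -> list:
    """Return the Part 1 rules a candidate breaks; an empty list means it passes."""
    problems, low = [], pw.lower()
    min_len = 15 if windows else 7  # rule 1: 15+ on Windows 2000 SP4/XP/2003, 7+ elsewhere
    if len(pw) < min_len:
        problems.append(f"rule 1: shorter than {min_len} characters")
    if char_classes(pw) < 4:
        problems.append("rule 2: fewer than 4 character classes")
    if any(i.lower() in low or i.lower()[::-1] in low for i in user_info if i):
        problems.append("rule 4: contains your name or login")
    if re.search(r"(.)\1{2,}", low):
        problems.append("rule 4: repeated characters")
    if has_keyboard_run(pw):
        problems.append("rule 4: adjacent keyboard keys or consecutive digits")
    if has_dictionary_word(pw):
        problems.append("rule 4: dictionary word")
    return problems

if __name__ == "__main__":
    for cand in ("qwerty123", "P@ssw0rd", "AAAAAAAA", "IcsttogfbRRjig12:28A"):
        print(cand, "->", check_password(cand, user_info=("John", "jsmith")) or "OK")
```

Note that “P@ssw0rd” passes the complexity count yet still fails, because the substitution-aware dictionary check recovers “password” from it.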
Stay Tuned for Part 2