Best practices for password protection


What is a keyring? If keys are stored in a file on a user's computer as keyrings, how are the keys secured? Second, crypto experts say that user-remembered keys are not secure. A weak key may even weaken the strongest algorithm, because its entropy is less. Therefore, if difficult keys are generated having good entropy, then a user cannot remember them. He needs to jot them down. However, jotting down again compromises security. What is the solution?


Keyring is the term PGP uses for a key management file. The keys are encrypted and stored in this file to protect them from unauthorized use. PGP stores keys in two files, one for public keys and another for private keys. It is important to choose a passphrase of a decent length and complexity because PGP encrypts the private keys with this passphrase. To encrypt a private key, PGP hashes the passphrase using SHA-1 and uses 128 bits of this hash as an encryption key. With this key, the private key is encrypted using CAST-128. The passphrase and the hash are never stored.

Remembering or storing a strong, secure password has taxed security experts. In the past, the best password practice was to pick a difficult-to-guess password, memorize it and never write it down. However, this is no longer practical, as users have so many passwords to try to remember. Many users are now choosing easy-to-remember passwords that are more than likely weak and insecure. This represents a far more serious problem than a complex password that is written down and kept in a safe place. Recently, both Microsoft and security expert Bruce Schneier decided that it is better for users to choose a password too complicated to remember and write it down. Unfortunately, there is no perfect solution to this problem, but if you are not happy with this one, consider using a password database. You could use Schneier's free Password Safe utility, or a smart card or token, which would give you a two-factor authentication solution when combined with a PIN -- another password to remember!
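
The passphrase-to-key step described in the answer, as an added example (not part of the original article and not PGP's own code): it hashes a passphrase with SHA-1, keeps 128 bits as the key, and shows that the key's real strength is capped by the entropy of the passphrase. Keeping the first 16 bytes of the digest, the 94-character alphabet and all function names are assumptions made for the illustration.

```python
import hashlib
import math
import secrets
import string

KEY_BITS = 128  # key size the answer gives for the CAST-128 step

# Assumed alphabet for random passphrases: 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive_key(passphrase: str) -> bytes:
    """Hash the passphrase with SHA-1 and keep 128 bits as the cipher key.

    Assumption: the first 16 bytes of the digest are the ones kept; the
    article only says "128 bits of this hash".
    """
    digest = hashlib.sha1(passphrase.encode("utf-8")).digest()
    return digest[: KEY_BITS // 8]


def entropy_bits(symbols: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly at random."""
    return length * math.log2(symbols)


def effective_key_bits(symbols: int, length: int) -> float:
    """The derived key is never stronger than the passphrase behind it."""
    return min(float(KEY_BITS), entropy_bits(symbols, length))


def min_length(symbols: int, target_bits: int = KEY_BITS) -> int:
    """Shortest random passphrase that does not weaken a key of target_bits."""
    return math.ceil(target_bits / math.log2(symbols))


def random_passphrase(alphabet: str, length: int) -> str:
    """Generate a passphrase with a CSPRNG; this is the kind to write down."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # The key is recomputed from the passphrase on every use; nothing is stored.
    print("key for 'abc':", derive_key("abc").hex())
    # Constructed cases: 8 lowercase letters vs. 20 characters from ALPHABET.
    for name, symbols, length in [("8 lowercase", 26, 8), ("20 printable", 94, 20)]:
        print(f"{name}: {effective_key_bits(symbols, length):.1f} effective bits")
    print("diceware words needed (7776-word list):", min_length(7776))
    print("sample:", random_passphrase(ALPHABET, min_length(len(ALPHABET))))
```

The entropy figures hold only for passphrases chosen uniformly at random; a user-chosen phrase of the same length carries less.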


More Information

  • This was first published in December 2005