
Proper password policy is imperative

Do you use the name of your dog for your password? Such tricks may help you remember your passwords, but they also make cracking them much, much easier. Strong passwords, by contrast, are a random selection of numbers, letters and symbols of sufficient length to make guessing them so difficult as to be prohibitive.

Gone are the days of using your goldfish's name as a password. The spiraling power of computers makes strong passwords a must.

How does a computer make sure end users aren't setting their passwords to "password"? An informative password policy will aid this effort. Factors that go into a password policy include length, the types of characters to be used, how frequently passwords are changed and who has access to them.

Attackers use a variety of methods to get passwords to a system. One way is targeting specific people and learning their personal information. Things like birthdays, anniversaries and mother's maiden names can be found fairly easily.

Yet no matter how complex passwords are, they are useless if they are tucked under a keyboard or mouse pad. Keeping them stored in a text file is also potentially dangerous. Passwords should be encrypted if they are stored on a computer.

A few password tips

Here are a few password suggestions from Bradley Gruber, president of Uniontown, Ohio-based Relief Data Services LLC. First, Relief Data Services has a policy where IS doesn't ask users for their passwords. This way, end users know to never disclose their password to anyone.

Passwords should…

  • Be at least eight characters
  • Include a random mixture of numbers, letters and symbols
  • Be changed every 90 days

Passwords shouldn't…

  • Include names or common words
  • Ever be written down
  • Be shared with anyone

Gruber suggests B2cdE#f9$$P or 1Mi$t@ke as examples of strong passwords.

There are also automated attacks. A dictionary attack literally tries every word from a list. These attacks can also tack characters onto the beginning or end of words, which covers cases such as people combining their nickname with their birthday.

Even random selection of letters can be figured out by a brute force attack that tries every combination. One can crack a random password composed of just letters in 24 hours easily, said Rob Cheyne, managing security architect at @stake. Add numbers to the mix and it may take up to five days.

But adding symbols expands the total number of combinations enough to make a password fairly strong. Creating a password with a random mixture of symbols, letters and numbers is the best course, Cheyne said.

Now even random passwords can be guessed. This is where password length comes into play. Longer passwords will make such an attack harder and could discourage attempts. "Attackers look for low hanging fruit. They want to get the password in 10 minutes and get the information they want," Cheyne said.

A password with five or fewer characters could be found quite quickly by a brute force attack. Passwords with seven or more characters are more secure, Cheyne said.

Changing passwords is another way to combat brute force attacks. Someone hell-bent on cracking your password may need a few months to try all the combinations. Changing passwords every 60 or 90 days could foil such attempts. However, changing passwords too often isn't advisable, because confused users who constantly forget their passwords could tax IT resources, Cheyne said.

Additionally, creating long, non-real-word passwords that people can't remember is also a problem. One trick is to use a mnemonic or a phrase to remember the password. Think back to high school, when one learned "King Phillip came over for good sex" to remember the order of taxonomy in biology (kingdoms, phylum, classes, orders, families, genus and species).

For passwords, one way is to come up with a mantra-like phrase like "I like carrots!" or "il

Companies can ease some of the risks associated with random attacks by setting up systems to close when a few login attempts fail. Additionally, systems that face the Internet shouldn't say whether it was the username or the password that was wrong. A generic "login has failed" message should be displayed.
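A sketch of those two controls, added here as an example and not taken from any product named in the article: the account stops accepting logins after a few failures, and every failure returns the same generic message. The `LoginGate` class, the threshold of three, reading "close" as locking the account, and the PBKDF2 storage are assumptions of this example.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # assumed threshold; the article only says "a few"
GENERIC_ERROR = "Login has failed"

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 is this example's storage choice, not the article's.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGate:
    """Hypothetical in-memory login front end with lockout."""

    def __init__(self):
        self._users = {}     # username -> (salt, password hash)
        self._failures = {}  # username -> consecutive failed attempts
        self._dummy_salt = os.urandom(16)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def is_locked(self, username: str) -> bool:
        return self._failures.get(username, 0) >= MAX_FAILURES

    def unlock(self, username: str) -> None:
        # Called by the help desk or a self-service reset tool.
        self._failures.pop(username, None)

    def login(self, username: str, password: str):
        """Return (ok, message); every failure yields the same message."""
        salt, stored = self._users.get(username, (self._dummy_salt, b""))
        # Always compute the hash so unknown usernames cost the same work.
        matches = hmac.compare_digest(_hash(password, salt), stored)
        if self.is_locked(username) or not matches:
            self._failures[username] = self._failures.get(username, 0) + 1
            return False, GENERIC_ERROR
        self._failures.pop(username, None)
        return True, "Welcome"
```

A wrong password, an unknown username and a locked account are indistinguishable to the caller; only `unlock` restores access once the threshold is reached.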

Sometimes companies need help with enforcing such policies. Software tools allow users to reset their own passwords if forgotten. Such tools save IT the work of resetting passwords.

Additionally, software can scan the prospective password to make sure it isn't the person's name or address. Other apps look for dictionary names (often from several languages).
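The kind of screening described above, combined with the length and character rules from the tips list, can be sketched as follows. This is an added example, not code from any tool the article refers to; `screen_password`, the tiny word list and the sample personal details are constructed for illustration.

```python
import re

MIN_LENGTH = 8  # the article's "at least eight characters"
# Constructed sample list; a real deployment would load a large dictionary,
# possibly covering several languages.
COMMON_WORDS = {"password", "goldfish", "carrots", "welcome", "dragon"}

def strip_affixes(candidate: str) -> str:
    """Drop digits/symbols tacked onto the start or end of a word."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate.lower())

def screen_password(candidate: str, personal_info: list[str]) -> list[str]:
    """Return the policy violations found (an empty list means accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    classes = [
        any(c.isalpha() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ]
    if not all(classes):
        problems.append("needs letters, numbers and symbols")
    # "goldfish99" and "!!Goldfish" both reduce to a dictionary word.
    if strip_affixes(candidate) in COMMON_WORDS:
        problems.append("based on a common word")
    # Break names, addresses and dates into tokens and look for each one
    # anywhere in the password (nickname + birthday combinations).
    lowered = candidate.lower()
    tokens = {t for item in personal_info
              for t in re.findall(r"[a-z]{3,}|\d{4,}", item.lower())}
    hits = sorted(t for t in tokens if t in lowered)
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    return problems
```

Both passwords Gruber offers as strong pass this screen, while a pet name followed by a birth year is rejected even though it meets the length and character rules.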

Balancing sound security with convenience is a challenge. "However, it is a cost of securing business," said Andrew Moffat, CEO of Ottawa-based EDUCOM TS Inc.
