Even with smartcards, biometrics, and other multifactor authentication solutions [1], everyone still uses basic name/password log-on combinations. Security experts always recommend “strong passwords.” But what qualifies as a strong password? And how do you avoid creating a password so strong you can’t remember it? According to NIST (National Institute of Standards and Technology), a strong password should contain no fewer than 12 characters, a rule adopted by the U.S. government in 2007 and further defined in the U.S. Government Configuration Baseline [2]. Admin passwords should be 15 characters. Readers may sigh at those lengths, but they’ve been the recommended minimum for half a decade. Anything shorter is not considered secure. [ InfoWorld Test Center reviews 7 password managers [3]. Find out which one comes out on top. | Learn how to secure your systems with InfoWorld’s Security Central newsletter [4]. ] Sure, many people can and do use shorter passwords. But you should be aware that as you increase the length, you provide greater protection over time. An 8-character password may be fine for a few days of protection, but a 12-character password is generally thought to be long enough to provide protection for a maximum of 90 days. A 15-character password is often considered good protection for up to a year. The myth of complexity Most security guidelines also insist on character complexity, which usually means that the password must contain multiple character sets, such as uppercase alphabetic characters, numbers, keyboard symbols, and so on. As I’ve noted in the past, however, complexity is less important than length [5]. A password of sufficient length can defeat a password guesser or cracker, whereas complexity adds significant value only when the complexity is random or near-random. Typically, when users are forced into complexity, they use the same types of characters in the same places. For example, when people are required to create an 8-character password with complexity, most will choose a root word in their country’s language, with an uppercase first letter (usually a consonant), followed by a lowercase vowel. If they use a number, it will usually be a “1” or a “2” and placed at the end. If they use a symbol, it will usually be one of a handful of characters placed somewhere in the middle, often replacing a letter with a similar shape: an @ or a zero to replace an “o,” an exclamation mark for an “i,” and so on. Password attackers know this, and their password cracking tools are optimized to guess at passwords using these patterns. Several security experts, including myself, have analyzed large dumps of captured passwords [6] and found the password patterns I’ve outlined above to hold true again and again. For complexity to add significant value, the password must be truly unique and random — something like %Tv4$H@.<P. But if it’s that ugly, people will either write it down or never remember it. Unfortunately, most security auditors and regulations (including PCI DSS) require password complexity. For example, I use a financial website with a maximum password length of six characters, but complexity is required. It makes me want to scream! I’d be much better off with a password of Dogdogdogdog or Iforeverlovedogs.
My personal password trick revealed Some people like to use special password-keeping programs [7], but I prefer to do something else that is faster for me. I use the same root password (let’s say TadPole) in all my passwords, but vary the beginning and the end. One website may be 44TadPole44. Another may be TadPole32, and yet another may be AmazTadPole32On. I have a method to my madness, so the pre- and post-portions make sense to me for particular websites. Thanks to the common root method, I can keep passwords to hundreds of different websites in my head. Because each password is different, if an attacker compromises one of my passwords on one website, my password commonality remains unknown. Even if they figure out I’m using a common password root — heck, I’m telling them right here — they’ll have a hard time figuring out the right pre- and post-portions aligned with other websites. None of the currently available password tools can handle that type of replacement complexity when trying different password combinations. Lie in reply to password reset questions Just as important as a good, strong password is making your password reset questions unguessable. There are lots of stories (remember the Sarah Palin email hack [8]?) where people who were not even true hackers did a little research and guessed a person’s password reset questions correctly. In general, the effort needed to crack reset questions is an order of magnitude less than guessing the actual password. It’s the weakest link. Do what I do and don’t answer those questions truthfully. When they ask you your mother’s maiden name, the brand of your first car, or your birthplace, you are not obligated to provide correct answers. Instead, pick a common password reset answer for each website and use my password root strategy, remembering to vary the common root word or phrase so you can remember it and associate it with each website. Anyone can end up with a compromised password. It happens. Websites get hacked. Ingenious, targeted phish emails fool the best of us. But if you follow these recommendations, you can reduce the risk of successful password hack attacks. This story, “Creating strong passwords is easier than you think [9],” was originally published at InfoWorld.com [10]. Keep up on the latest developments in network security [11] and read more of Roger Grimes’ Security Adviser blog [12] at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter [13].
End of the spring semester
Steve Simpson, Glendale College Computer Instructor 