Building More Secure Passwords

Thursday, April 07, 2011

Global Knowledge


Article by Jill Liles

The problem of weak, guessable security passwords isn’t a new one, but it’s not going away.

In fact, it’s getting worse, despite pleading from IT professionals to choose tough-to-guess passwords. Workers are still disconcertingly likely to come up with something like “password1!” or simply attach a few numbers, like “123,” to the end of a word.

As users have to create several passwords for different systems and change them every 60 or 90 days, it’s little wonder they default to the least complicated password their systems allow and make only minor variations when forced to change them.

Unfortunately, such passwords are easy to guess. At the other end of the scale are randomly generated passwords produced by software, which are difficult for users to remember (leading them to write these passwords down, which defeats the effort).

In a recent paper coauthored by Cisco, Florida State University, and Redjack LLC, researchers examined how different password requirements affect password strength — such as requiring a minimal password length or the addition of a special character.

The researchers discovered that such policies usually don’t provide greater security, since hackers are well-versed in these tactics and can use them to guess passwords and access accounts.

For instance, hackers know that when users are required to include a special character in a password, users will often simply append that character to the end of the password.

A better practice, say the researchers, is an external password creation tool that modifies a password after it is created to add a guaranteed amount of randomness — for example, appending two random digits to the end of the password.

This allows users to choose a password that they are likely to remember while making it difficult for hackers to guess.

Another option is to implement a “judgmental” password policy which will reject a password instantly based on its estimated strength and suggest a stronger one.
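The two ideas above, a judgmental policy that scores a candidate and rejects weak ones, and a post-creation step that appends two random digits, as an added example that is not from the article or the Cisco/Redjack paper. The tiny wordlist, the per-character guess count of 40 for an appended tail, and the 40-bit acceptance threshold are all assumed values for illustration.

```python
import math
import re
import secrets

# Constructed mini wordlist standing in for the dictionary a cracking tool
# tries first (assumption: a real policy would load a large list).
COMMON_WORDS = {"password", "welcome", "letmein", "monkey", "dragon", "qwerty"}

# The habit the article describes: a plain word followed only by a short
# tail of digits and/or special characters, e.g. "password1!" or "monkey123".
APPENDED_TAIL = re.compile(r"^([A-Za-z]+)([0-9!@#$%^&*]{0,4})$")


def estimate_bits(pw: str) -> float:
    """Rough entropy estimate that discounts the 'word + appended tail' pattern."""
    m = APPENDED_TAIL.match(pw)
    if m and m.group(1).lower() in COMMON_WORDS:
        # Assumed attacker model: pick the word from a ~2^14-entry list, then
        # try about 40 choices per tail character. That is all the work needed.
        return 14 + len(m.group(2)) * math.log2(40)
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += 33
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def judge(pw: str, min_bits: float = 40.0) -> tuple:
    """Judgmental policy: (accepted, estimated_bits); reject below the threshold."""
    bits = estimate_bits(pw)
    return bits >= min_bits, bits


def append_random_digits(pw: str, rng=secrets.randbelow) -> str:
    """Post-creation step from the article: add two random digits to the end.

    rng is injectable so the transform can be tested deterministically; the
    default uses the secrets module, not random, for the production path.
    """
    return pw + str(rng(10)) + str(rng(10))


if __name__ == "__main__":
    for candidate in ("password1!", "correct horse battery", "Tr0ub4dor&3"):
        print(candidate, judge(candidate))
```

Note that appending two digits to a dictionary word still scores as weak here; the added randomness helps only on top of a reasonable user-chosen base.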

Or administrators could implement password protection software, which lets users remember only one strong master password, leaving the application to store the other passwords in encrypted form.

Excerpted and adapted from the Cisco 2010 Annual Security Report

Cross-posted from Global Knowledge

Franc Schiphorst

Or you make sure you only allow limited attempts and then block and register the fact that it was blocked. That way you block brute force.

And where possible use 2 factor and once a user is 2 factored give them as much SSO as you can allow/manage.
This will limit passwords and will help users do their work.

And make sure that your password hash database is salted just in case it gets stolen ;)